GDPR: Clock ticking for implementing new data protection rules
By Mark McClelland
Many European companies face a race against time to comply with stricter rules on handling customer data that come into force next spring. The cost of failing to comply with the new rules – set out in the European Union’s General Data Protection Regulation (GDPR) – would far outstrip the cost of giving staff the learning they need, yet many organisations have not yet put the necessary training in place.
From May 2018, firms that breach the new data laws face a maximum fine of 4% of the previous year’s annual global turnover or €20 million, whichever is the higher. The updated data rules arrive at a time when serious data breaches have caught out well-known companies across different sectors. But recent research by data management consultancy Consult Hyperion suggests that financial institutions are particularly at risk: the consultancy estimates that the fines levied under the new regime could reach €5 billion in the first three years.
With many organisations so unprepared and time running out, L&D professionals should be looking at how they can ensure employees have the knowledge they need. However, since GDPR is all about changing attitudes and behaviours, how can they make sure the training they introduce is not just a box-ticking exercise that has no effect on what people actually do?
Gamification boosts engagement with compliance learning
At Lumesse we have helped many firms comply with the growing volume of complex regulation facing sectors such as financial services. We have found gamification approaches to be highly successful in getting learners to engage with what can often be fairly dry subject matter such as GDPR.
Gamification lets learners practise real-life situations and challenges in a safe environment and can provide:
- A better learning experience where learners can have a good time yet still learn because the engagement is high
- Behavioural change, especially when combined with scientific principles of spaced repetition
These gains in engagement and retention can translate into a significant performance gain for the organisation, helping to ensure it can comply with the new data protection regulations. And a gamified approach does not necessarily mean longer lead times – which is crucial, given the urgency GDPR has for many right now and the May 2018 deadline.
GDPR and financial services
Our recent conversations with financial services companies suggest that GDPR is becoming an urgent task that they know they have to tackle.
Those conversations are backed up by a recent survey from Computer Weekly which suggests that more than half of financial services companies are prioritising data protection regulation as they realise the clock is ticking down to the 25 May 2018 deadline.
But while 52% of organisations may be starting to gear up, it means that nearly half risk being caught by surprise and left poorly prepared.
So what is GDPR all about?
The objective of GDPR is to strengthen data privacy and protection for individuals in the EU, regardless of their nationality. It looks to do that by placing new obligations on organisations:
- Building privacy into systems by design – and switching it on by default
- Conducting data protection impact assessments where processing is likely to pose a high risk to individuals
- Implementing stronger consent mechanisms – particularly when processing data that relates to children
- Following stricter procedures for reporting data breaches, including notifying the supervisory authority within 72 hours where feasible
- Documenting the use of personal data in far more detail than before
Any one of these would be a big enough IT, compliance and learning challenge. Taken together they represent a significant risk which needs to be addressed urgently if GDPR is not to become overwhelming.
Alongside adapting processes and systems in line with the new regulation, organisations need to ensure that those responsible for data and data processing understand the overall objectives of GDPR and understand the system and process changes their business has made in response.
With the rise of modern IT management practices – notably the use of the cloud – companies must be aware that it is not just their own processes and systems that must be compliant.
They also have to monitor the progress of GDPR compliance by the IT suppliers that process personal data on their behalf.
This is an especially key factor in the financial services sector, where over the last few years firms have become increasingly reliant on IT service providers, including cloud suppliers.
While GDPR does represent an enormous change, it should also provide opportunities for organisations in the long run. Currently Europe has a mish-mash of national data protection regimes; from May 2018 that plethora of individual country regimes will be replaced by a single harmonised set of rules that applies directly across the EU.
However, companies also need to be aware that the new regime reaches organisations across the world. Any company, wherever it is based, that processes the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour, will need to comply with GDPR.
With exchange of data across the globe increasing as part of international trade, companies from elsewhere in the world doing business with the EU need to be aware of these regulations.
Trade partners will want to ensure that the GDPR regulations do not hinder their ability to market and sell their products and services in the EU.
The international reach of GDPR adds another dimension to compliance. Companies which may never have heard of the EU’s data protection laws may need to be compliant.
With so many aspects to consider and the GDPR deadline fast approaching, companies may be tempted to look for an off-the-shelf (OTS) learning solution. While OTS can be effective in many situations, it may not work for GDPR because of the many different ways organisations store, handle, manipulate and use personal data.
Whatever strategy is best for GDPR compliance learning, companies need to be setting the direction now. Whether in the end firms decide to buy or to build, Lumesse can offer support and advice for either path. We already work with some of the leading global financial services organisations including Barclays, Lloyds Banking Group and Metro Bank and therefore have a strong understanding of the sector.
This is the biggest overhaul of data protection law in 25 years; it is vital to get it right!
For further information and help with GDPR please contact Mark McClelland – Key Account Manager Financial Services. email@example.com / 07774 758717