Data is becoming increasingly important for competitiveness and will be the lifeblood of many business models. Inevitably, effective Data Protection must actively shape how organizations work with data in the future.
Instead, most data protection teams only focus on monitoring compliance through cumbersome and difficult-to-understand processes and procedures. As a result, they are perceived as a necessary evil in the best case or, even worse, as a roadblock to innovation. Why is that?
10 reasons why Data Protection is often seen only as a necessary evil:
- Processes to ensure data protection are cumbersome and overly complicated
- High workloads for internal data protection experts due to these processes leave little time for proactive thinking and acting.
- Lack of clarity on where the biggest risks lie and missing focus of scarce resources on those risks.
- Data Protection lawyers use legal language that is difficult to understand.
- The internal Data Protection team did not articulate and communicate the purpose of Data Protection to the Business well enough.
- The Business lacks transparency about the risks and consequences of noncompliance (not only serious fines but also a business shut down by regulators).
- Responsibility for data protection is too often linked to systems instead of processes.
- The Data Protection team is not aligned with other data related teams and functions like Data Governance, Master Data Management and Supplier Management. This often creates confusion about their roles and responsibilities for Data. At the same time the business gets different requests from different people on the same topic (e.g. DPIA and a Cloud Risk Assessment with very similar questions for an outsourced data processing).
- The Data Protection team gets involved too late when new data processing activities are planned, so they are often seen as a barrier (“you can’t do it like this”) rather than an enabler.
- Data Protection teams understand too little about data driven business models or data strategy to develop effective data protection strategies to support them.
Companies can be both competitive with new data driven business models AND take the protection of personal data seriously. In order to do this, Data Protection teams must change their approach and strive to change their role from reactive to proactive, from policeman to business partner and advisor, from evaluating the status quo to shaping the future, from pure legal compliance to an advocate of the data subjects’ interests and needs.
Here are 6 key steps that can change the role of Data Protection:
- Streamline and simplify processes, make them easy to use and compliance easy to own. Benefit from freeing up internal resources.
- Clearly communicate the purpose and value of data protection. Everybody should understand that data protection is here to serve the customers, employees, and other data subjects, not just the regulator.
- Focus effort and limited resources on the biggest risks. Create a clear picture of where the most important data protection risks are in terms of severity as well as frequency.
- Align with Data Governance and other teams on roles and responsibilities. Create a one-face-to-the-(internal)-customer approach for all data related topics. As more data is used from different sources, e.g. for AI projects, complexity will increase exponentially. Since such solutions will be essential for the business, Data Protection Teams and Master Data Management should work together closely to enable effective, efficient and compliant use of data with a clear legal basis.
- Team up and get innovative! Find creative and constructive ways to enable data driven innovation throughout the Business. Trends like the drive to open data (data pooling, data lakes and data trusts) require active involvement of data protection early in the process rather than a painful search for a legal basis at the end.
- Understand your organization’s data strategy and trigger data driven innovation with different areas of the business as well as support functions. Most functions have not understood the importance of data for the future. Asking what data they will want to use in 3, 5, 10 years’ time will position you well to actively shape the way they will handle data.
We all know that compliance requires a certain level of engagement and attention in the business to be effective.
Engaging with the stakeholders that drive innovation in your organization will lead to solutions that serve data driven innovation AND data protection interests of customers and employees (as well as legal compliance).
How to begin: As a starting point we support organizations with an analysis of the improvement potential to find out how to make data protection compliance easier to own. In addition, we help facilitate the translation of your company’s data strategy into the challenges for data protection. In the past we have proven that you can make more (compliant) impact with less effort, and that compliance can often play an important role in fostering innovation.
About the Authors
Friedemann Lutz is a Director at OXYGY. He has supported numerous Management Teams in running demanding change initiatives, translating ambitious strategic goals into reality and reaching and sustaining better business results. Many times, he has facilitated the discovery of simple, innovative, and customer-centric solutions while eliminating the burden of complexity.
Lennart Schüßler is a Partner in Bird & Bird’s data protection practice group. Over the years he advised many clients from both the public and private sectors, particularly in the healthcare, automotive, financial services, retail and telecommunications sectors. He advises clients on data protection, IT, online and copyright law.