Sophie Gould, head of PSL In-house at Lexis Nexis, looks at how some organisations are encouraging wider corporate engagement with GDPR compliance.
With the General Data Protection Regulation (GDPR) applying from 25 May 2018, the legal industry is already mobilising. A robust compliance programme is now vital – especially given the scale of the fines involved.
However, although the parameters of the GDPR are known, one key issue still concerns industry leaders – namely, how to encourage wider corporate engagement with compliance. Typically, data protection is seen as the sole concern of the legal team, with little to no buy-in from C-suite executives or the wider business.
We spoke with senior counsel around the country to provide you with the insights and guidance you need to navigate the run-up to next May’s regime change.
The first step is understanding the identity of your company and its culture. As a lawyer, aligning your advice and initiating a strategy that fits with your company’s values and vision is a must – there is no one size fits all approach.
For Andrew Magowan, general counsel of ASOS, setting up a compliance department was a non-starter; he knew no one would utilise it. Instead, he subtly worked compliance into corporate sensibility under the umbrella of social responsibility.
GE, meanwhile, created a Manga-style compliance comic book for its offices in Japan, which was popular with its employees. By taking cultural differences into account, GE was able to choose an effective method for delivering the compliance message.
Developing an awareness of the particular threats and challenges that your company may face following the implementation of the GDPR is also vital; forewarned is forearmed.
Getting executives on board with compliance is crucial; the barriers and obstacles put in place by the C-suite can make even the best, well-reasoned compliance programme difficult to deliver.
Board members need to be convinced of the consequences of disregarding, or not supporting, a compliance programme. ‘Don’t go to them with a problem’, as one senior counsel stressed. ‘Go armed with solutions and options.’ This advice was echoed by a GC who observed: ‘The board get fed up of being told about fines and sanctions. Use your sales and communication skills to draw out the positives and incentivise them.’
But preparation comes before persuasion. Providing board members with relevant information to look at in advance can help reduce the time it takes to communicate your message. Furthermore, tailor your message to suit your audience. Do your homework beforehand and adapt your style of communication to the individuals in question.
However, if direct communication does not prove effective, consider bringing in an external, objective adviser; executives often have a great deal of respect for the word of an ‘expert’.
GCs and in-house lawyers also must find a way to bring the compliance message to the company as a whole. While setting the tone from top down is essential, some of the most successful programmes start from the bottom up.
Compliance is, understandably, perceived to be a dry topic, but there are workarounds. Apps, for example, can be effective learning tools, as the information can be absorbed in manageable, bite-sized chunks. RB general counsel for group legal affairs, Claire Debney, pointed out that RB uses an app that employs a ‘Can I, can’t I?’ style, which is an easily adaptable model.
Entertainment and games are another option. Vodafone, for example, has created a ‘snakes and ladders’ compliance game and T-Systems (a subsidiary of Deutsche Telekom) uses YouTube videos to train and engage its employees in compliance.
Ultimately, tailoring the compliance message to your company’s identity, as well as to the individuals within it, is the best advice for helping to move your company towards a genuinely compliant culture in the run-up to the GDPR. But you will need to roll your sleeves up – it is not enough to simply deliver the message from on high. You need to get involved, give advice and, importantly, pick your battles carefully.
But there is still time. The changes don’t come into effect until May 2018 and, as Claire Debney points out, you need to ‘be patient – it’s a marathon, not a sprint. Work with and capitalise on the strengths in the business. Find your champions’.
We’re here to help provide you with the support you need in the coming months. Our GDPR Planner expands on the suggested set of actions for each of the 12 areas issued by the Information Commissioner’s Office (ICO). Rather than presenting them by subject matter, it does so chronologically, breaking down the necessary actions over four periods of time: (1) groundwork; (2) planning; (3) implementation; and (4) embed / test / review – saving you time by providing a comprehensive project plan to work from.
This is one of many practical tools within our LexisPSL Risk & Compliance module to help you manage your compliance obligations faster and more effectively. The module has been created specifically to support in-house lawyers in identifying and managing risk in their organisations.