A warm welcome to the fifth and final post in the series 10 Steps to GDPR Compliance. In each post, we’ve covered two Steps to help you to become GDPR compliant. By following along and completing these 10 Steps, you’ve been building out the Privacy Framework that will power your ongoing Privacy Governance.
This series is brought to you by Keepabl, named to the RegTech100 for 2021 as one of the world’s most innovative RegTech companies that every financial institution needs to know about in 2021.
Congratulations! We’re into the last two Steps to put in place your Privacy Framework and then you’re into BAU (business as usual). Last week, in Steps seven and eight, we looked at key areas of Data Subject Rights and Processors.
The two Steps we’re covering today continue building out your Privacy Framework:
- Step 9: Privacy Notices, and
- Step 10: Training & Awareness
And we have a surprise bonus Step 11 for you – Reaping the Rewards!
By the end of this post you will understand what Privacy Notices are, when you need them, the importance of training & awareness to building that culture of Privacy by Design and by Default, and how to quantify and capture the rewards from good compliance.
(We’ll use ‘GDPR’ for both the UK and EU GDPRs as the obligations here are almost identical.)
Step 9: Privacy Notices
Let’s get some terminology out of the way.
Privacy Policy
The document you’ve had on your website for years that tells people everything about what personal data you process. You’ll also have a separate Cookie Policy (or Cookie Notice) – not all countries demand they’re separate, but it’s the right thing to do anyway: it’s clearer and it’s easier to update.
Both do the heavy lifting in providing the bulk of the required information to data subjects and you typically link to them in a layered manner, from your Data Collection Notice …
Data Collection Notice
The Data Collection Notice, or DCN, is the short, initial, just-in-time notice people see when you collect their personal data, for example when they sign up to your newsletter: ‘We’ll use your email to send you our newsletter in accordance with our Privacy Policy. You can withdraw consent at any time.’
It’s the first part of the layered approach we mentioned above, starting with a short DCN at the point of collection, linking to the more detailed Privacy Policy.
Privacy Notice
What GDPR calls the information you give people with everything about how you process their personal data. Some have tried to call Privacy Policies ‘Privacy Notices’ instead, but it hasn’t stuck. Privacy Policy is what’s on your website, alongside your Cookie Policy. Privacy Notice is the combined information you give data subjects, typically in a layered approach as above.
Transparency
Privacy Notices were there before GDPR, but they’re one of the areas that has received a lot of focus since GDPR, particularly as they’re the primary way you ensure transparency in your processing by giving full information in a clear, intelligible way to individuals.
Privacy Notices are also the first thing people see, and easy to check for your prospects, investors etc. So, along with cookie notices, they were the focus of a frenzy of activity when GDPR came into force in May 2018.
And of course there are the increased fines, which have been dished out for lack of transparency regularly – starting with the famous €50m fine on Google in January 2019.
As ever, your Data Map helps you draft your Privacy Notices, because it tells you the processing you do, about whom, who you share with, and more.
The Clarity Conundrum
The challenge with your Privacy Notices is to meet GDPR’s requirements of providing all relevant information across a range of topics while making the notice short, easily readable and understandable.
Keeping it Separate
First of all, you can’t bury important information deep in your Privacy Policy; you have to bring it forward to the Data Collection Notice. For example, if you’re relying on consent, you have to say they can withdraw their consent at any time, in the top layer. You also need to bring any unexpected or particularly key information up to that DCN.
Second, you can’t put your Privacy Notice in your Terms & Conditions; they have to be separate so people will easily see them.
And third, if you’re relying on consent, you need to separate out the consent for different purposes as appropriate. This is why cookie policies post-GDPR have separated out cookies into categories such as Necessary, Functional, Performance and Marketing.
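To make the per-purpose separation concrete, here is an added example (not code from the original post or from Keepabl) of how a site can hold consent per cookie category and gate script loading on it. It uses the four category names from the post; the store shape, function names, the sample script list and the decision history are assumptions for illustration, not any particular consent tool’s API. Necessary cookies are never consent-based, so they are always on; every other category starts off, can be granted, and can be withdrawn at any time just as easily as it was granted.

```javascript
// Added example: per-purpose cookie consent. Category names follow the post;
// everything else (store shape, function names, sample scripts) is assumed.
const CATEGORIES = ["necessary", "functional", "performance", "marketing"];

// Creates an in-memory consent record. Only "necessary" is on by default,
// because it is the one category that does not rely on consent.
function createConsentStore(now = () => new Date().toISOString()) {
  const state = { necessary: true, functional: false, performance: false, marketing: false };
  const history = []; // each grant or withdrawal is recorded with a timestamp

  function set(category, granted) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category === "necessary") {
      // Strictly necessary cookies are not consent-based: nothing to grant or withdraw.
      return false;
    }
    state[category] = granted;
    history.push({ category, granted, at: now() });
    return true;
  }

  return {
    grant: (category) => set(category, true),
    // Withdrawal is available at any time and is exactly as simple as granting.
    withdraw: (category) => set(category, false),
    allows: (category) => state[category] === true,
    snapshot: () => ({ ...state }),
    history: () => history.slice(),
  };
}

// Given the tags a page wants to load, return only those whose category the
// visitor has consented to. A tag with no declared category is never loaded.
function allowedScripts(store, scripts) {
  return scripts
    .filter((s) => CATEGORIES.includes(s.category) && store.allows(s.category))
    .map((s) => s.src);
}

// Constructed sample: one tag per category, plus one with an undeclared category.
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/prefs.js", category: "functional" },
  { src: "/js/analytics.js", category: "performance" },
  { src: "/js/ads.js", category: "marketing" },
  { src: "/js/mystery.js", category: "tracking" }, // undeclared: never loads
];

// Walk through a visitor's choices: grant performance cookies only, then withdraw.
function demo() {
  const store = createConsentStore();
  const beforeChoice = allowedScripts(store, SAMPLE_SCRIPTS);
  store.grant("performance");
  const afterGrant = allowedScripts(store, SAMPLE_SCRIPTS);
  store.withdraw("performance");
  const afterWithdraw = allowedScripts(store, SAMPLE_SCRIPTS);
  return { beforeChoice, afterGrant, afterWithdraw, decisions: store.history().length };
}
```

The design choice worth noting is that the loader defaults to “do not load”: a script with no declared category, or one whose category has not been consented to, is simply never fetched, so a new tag added by a developer cannot silently run under a consent it was never given. The timestamped history is what lets you show, later, which purposes a visitor agreed to and when they withdrew.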
Specific Notices
It’s not just about the Privacy Policy on your website. You’ll need an HR Privacy Notice for your employees, and we recommend separate ones for job-seekers, option holders and others.
Typically, you keep your website Privacy Policy for members of the public, and keep less public information in these separate notices for particular populations.
Step 10: Training & Awareness
Congratulations – you’ve arrived at Step 10! Over the last few weeks, you’ve:
- Identified your Key People
- Identified and used your Benchmark
- Created your personal data inventory, your Data Map
- Carried out projects all based on Remediation and Risk Management
- Chosen and implemented your Privacy Framework, including the following steps…
- Reviewed your Security and prepared for a Breach
- Enabled and prepared to respond to Data Subject Rights (DSRs)
- Reviewed and done due diligence on your Processors
- Used all this great work to draft your Privacy Notices so everyone knows what you’re doing with their personal data.
Now it’s the final step to make all this come alive: Training and Awareness – making sure this whole Privacy Framework gets put into practice in the right way by the right people.
Training
We should all have had that ‘all hands’ training on Data Protection and Security. There’s a very good reason: every single person in your organisation has an impact on your compliance.
Most personal data breaches are not CyberSecurity Incidents (or CSIs), they’re non-CSIs such as sending emails and mail to the wrong people.
And the UK ICO’s ‘Report a Breach’ form does ask: ‘did the people involved have data protection training in the last two years?’.
So you need to do those ‘all-hands’ training programs, on Privacy and on Security. We recommend the basic training is an annual event, with awareness and training refreshers along the way.
As to ‘who gets what training’, we suggest categorising everyone into 3 levels so you can train them appropriately:
Level 1 – everyone
Everyone gets the basics, so they know GDPR’s principles as they apply in practice, they can recognise a breach or DSR and they know who to go to for more information. Of course, this is the largest group to train.
Level 2 – those needing specialist training
The particular groups and extra training will vary depending on your organisation. However, for example:
- you’ll want to train Marketing, Investor Relations, and similar teams on cookies, on cold calling, cold emailing etc.
- IT and Security will need training on the specifics of personal data breach response.
- Customer Support needs training on recognising data subject rights.
Level 3 – those running the Privacy Framework
Those running the Framework will need a broad, and deep, understanding and so will need the most training. This will be the smallest group of people.
Awareness
Awareness isn’t just about training, so you’ll use various methods to increase adoption and cultural change, and do this throughout the year. You’ll likely have people with great experience on this, and you’ll consider using humour and gamification in all your training and awareness activities.
Use humorous posters, messaging or even interactive events to bring it home in a playful manner. ‘War-gaming’ or ‘table-top exercises’ (where you run through a DSR or breach with the relevant teams, throwing in different challenges as you go) are usually well received and very effective.
Step 11: Reap the Rewards!
The benefits of GDPR compliance are now clear for all to see. For example, Capgemini’s study revealed that a whopping 81% of respondents who declared themselves compliant reported positive impacts on reputation and image.
While much of the activity may at first feel defensive in nature, GDPR compliance has been shown to deliver many positive benefits. As well as an average 1.9X ROI on privacy spend, Cisco’s study confirmed that two-thirds of respondents reported significant benefit in each of these 6 areas, all areas Finance are discussing at present in fields such as digitisation, challenger banks, and digital identity:
- reducing sales delays,
- mitigating losses from data breaches,
- enabling innovation,
- achieving operational efficiency,
- building trust with customers, and
- making their company more attractive.
We’re here to help!
Do refresh your knowledge on all things Privacy by subscribing to our Privacy Kitchen YouTube channel! For example, you can see our 10 steps to GDPR compliance video, summarising the 10 Steps in less than 10 minutes.
And don’t forget our award-winning SaaS solution helps make GDPR simple and intuitive for Financial Services organisations from Canaccord Genuity to MML Capital. Our Privacy Policy Pack has all the policies, procedures, templates and checklists you need for GDPR compliance.
Contact us to see how we can turn GDPR into a revenue engine for you and, as always, good luck with your Privacy Framework!