It is not easy to explain the General Data Protection Regulation (GDPR) in just a few words. And if you need to explain GDPR to one of the potential stakeholders in the company without a similar background, like the IT department, things can get complicated.
By now, you’ve come to realize that this collaboration will be crucial for fulfilling GDPR requirements, and you will need support from your IT department.
If you have already tried to establish a communication channel with IT, you might have encountered IT experts who are interested in the privacy program and are happy to help.
However, more often than not, IT departments are busy with other projects, and in that case, you may encounter a bit of pushback from an IT department that considers compliance projects less important and less exciting.
Whatever the case is, collaboration between the DPO and IT is essential.
The fact that you are still reading this means you want to learn how to better collaborate and communicate with your IT colleagues.
You might be wondering, “OK, but how?” I know that you are eager to find out, so we will waste no more time.
Let’s go directly to the six steps of explaining GDPR records of processing activities to your IT colleagues.
1. Understand the IT point of view
We all know that nowadays there is a lot of pressure on IT professionals. Companies are dependent on IT systems, which their employees use in almost every business process. These range from e-mail clients to various CRMs, ERPs, websites, mobile apps, analytical tools, backup systems, and many more.
The IT department is responsible for the flawless operation of all these segments.
There are big expectations for constant innovations, introducing new systems, and updating the existing ones. At the same time, there is a significant lack of IT experts. Over 1,500 chief information officers agree there’s a deficit, which means massive demand for those with the right skills.
Therefore, there is a big chance that the IT department in your company is understaffed, which is something you can relate to as a Data Protection Officer. Explore what challenges the DPO can expect in 2020.
2. Make sure you are speaking the same language
You are an expert in Data Privacy and a master of the GDPR terminology.
On the other hand, your IT colleagues may find terms like Data Subject, Data Processor, Processing Activity, and Data Retention intimidating. Even the term GDPR, which has been mentioned many times in mainstream media, is not something that the general public has comprehensive knowledge of.
Use your GDPR knowledge to educate your team.
Build a bridge by preparing a glossary of the most important terms. Then call a meeting where you can explain the goal of your project and ask probing questions to make sure everybody understands the terminology and the importance of the compliance program.
3. Create urgency
As said earlier, the IT department is flooded with everyday maintenance tasks, and there is a never-ending list of requests for new development.
The real question is, where are those requests coming from? Who sets the priorities? By now, you probably know the answer – the business!
It is your job to create urgency about the GDPR project!
It is essential to get sponsorship and a clear “Engage!” message from top management and the Board. If the GDPR project gets a higher priority and allocation of resources, you can be sure the IT department will do their best to support you.
4. Set the lines of responsibility
Go over the Records of Processing Activities with your IT team. In the process, clearly define what you will need from them and what they need to deliver. The usual start is to create a Data Inventory and discover personal data across IT systems.
If they know the background, it will be easier to reach the desired outcome.
Together with other Activity Owners, define the Data Retention period for each Processing Activity.
Create realistic goals, and make sure everybody understands what level of cooperation is expected and what their place is in this journey. IT needs to adjust systems to be able to receive this information and act accordingly. You can find more information about Data Removal in an e-book.
5. Don’t just toss a hot potato to your IT
Once you speak the same language and have sponsorship from the Board and clear lines of responsibility, it is time to get the work done.
You need to be present in the project.
The details of software integration are not your domain; Data Privacy is.
Organize constant follow-ups and standup meetings with your IT. Ask your IT if they have all the inputs and make sure everything is clear. Make sure that vendors of the GDPR management software are delivering what they promised.
Be involved in testing – it is the best way to get the look and feel of the future solution. It will keep you informed about the critical part of the project, and you can give some final inputs.
At the same time, you will show your IT colleagues that you care and want to help them deliver the best possible outcome.
6. Be persistent – it pays off
Keep asking for what you need and keep demonstrating the value of your project.
Don’t let GDPR be perceived as a financial burden; draw more focus to compliance, ROI, and the related risks and benefits.
It is important to note that most organizations are seeing positive returns on their privacy investments, and more than 40% are seeing benefits at least twice that of their privacy spend.
Find out why companies are investing in GDPR compliance to make solid arguments on the importance of compliance and accountability.