Work with GDPR
Working with GDPR through an agile approach
Working with GDPR through an agile approach is a good way of working because it provides the opportunity to constantly adapt the work and gain knowledge. It is a common way of working in, for example, the IT industry and strategic work.
What does an agile approach mean?
In short, agile working means performing the work in cycles and constantly gaining knowledge, in order to adapt the work and make changes during the work process.
In other words, one should not be bound too tightly by a strict plan, but should always be able to make changes when necessary. Companies that want to start working with GDPR through an agile approach should consider the following:
Vision/Objective
Communicate an overall vision that everyone in the company should work towards achieving.
Overall understanding
Create a good overall understanding of what affects data protection work, both internally and externally. It is easy to think only about your own organization and forget that it is part of a larger system. It is important to understand the outside world. In other words, take a systems view, as it is also called.
Stages
It is advantageous to work in short stages. In other words, take one step, learn from it, and then take the next step. This makes it easier to make changes in the business and adjust the way of working before each stage.
Learning
There are usually several people in a company who work with different issues regarding GDPR, and the larger the company, the more people are usually involved: everything from management and managers at different levels to customer service employees and other staff who communicate with customers, suppliers or similar. It is positive for employees to share their knowledge with each other, and therefore it is good to build in learning as a central part of the process.
What is the difference between working with traditional goal management and agile working methods?
The simple difference between traditional goal management and an agile way of working is that in traditional goal management, management determines the goal and the path to it is expected to be straight. An agile approach instead involves painting a vision and setting milestones that are easy to adapt during the work, based on the actual circumstances and lessons learned. There are advantages and disadvantages to both approaches, but the recommendation is to work with GDPR through an agile approach instead of through traditional goal management.
When can it be good to work with the GDPR through an agile way of working?

Unclear requirements
Certain situations and circumstances covered by the GDPR may fall into grey areas. There may be a lack of clarity regarding the correct approach, which means that it needs to be clarified through case-law (guiding court decisions). In such unclear situations, it is good to work agilely so that changes can easily be implemented if, for example, a clarification arrives through case-law, guidance from a data protection authority or the EU, or similar.

Changing situations
Companies should regularly review their implemented technical and organizational security measures, as the idea behind built-in data protection (data protection by design) requires. It is important to align these measures with case-law and other rules. However, this does not necessarily mean that everything must be technically implementable in one day.

Complex objectives
It is not always the case that the goals are clear, as new technology combined with the GDPR can be complicated to relate to. For example, companies must relate to AI, which has become very popular lately, as well as to the AI Act, the GDPR and other regulations and laws that they need to comply with.
Communicate the vision to all employees
It is good to convey the vision from the agile way of working to all employees within the company. In this way, they can carry the vision with them in their daily work and analyze for themselves how the GDPR work can be improved within their tasks. It is ultimately the employees who work with the GDPR in practice when carrying out their tasks.

For example
A vision that a company may have is to strive to fully respect customer privacy, by regularly trying to improve built-in data protection. This is something that all employees should be aware of, so that they can always strive to achieve the overall vision in their daily work.
Try to involve everyone in the business
Since many people at a company work with activities covered by GDPR in their daily work, this is both a great asset and a great responsibility. All employees who work with any form of processing of personal data, whether in management or in customer service, must know how to perform their tasks in accordance with the GDPR. It is not the employees who have to pay penalties if the GDPR is not followed, but the company. Therefore, it is important that employees are familiar with the rules of the GDPR that cover their tasks.
Although it is good that management appoints different roles (such as data protection ambassadors) and creates different functions (such as a data protection committee), it is also good if the entire business gets involved in working with the GDPR through an agile way of working. A mistake that many companies make is to simply let a lawyer, an IT function or another specialist function try to handle all the GDPR work. It may be good to have one or more of these, but it is difficult for them to cope with all the work on their own, especially in a large company with many employees.
Learn from experience and mistakes
It is good that the employees reflect on the GDPR work together and discuss it. It is a way for employees to learn from each other's experiences and mistakes. In addition, it engages employees in GDPR work even more, which can also lead to better results. In other words, the starting point is to try to be a learning organization. To be able to do that, employees must dare to acknowledge when they have made mistakes and correct them. This may mean fundamentally changing the basic assumptions they had.
Data protection by design through an agile approach
Companies shall have data protection by design and by default as required by Article 25 of the GDPR.
Data protection by design
Data protection by design is about the controller taking into account the privacy rules when designing their IT systems and procedures. In other words, companies must take appropriate technical and organizational measures to protect the personal data being processed and comply with the other rules of the GDPR.
Data protection by default
Companies that are subject to the GDPR also need to adapt their product, service or system so that it is data protection friendly. For example, consent boxes must not be pre-ticked, and it must not be difficult to withdraw a consent. In addition, this means that the company may not process more personal data than is necessary for the purpose. Furthermore, the settings with the highest privacy protection should be enabled by default.
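The three Article 25 points above (no pre-ticked consent, withdrawal as easy as giving consent, and processing no more data than the purpose needs, with the most protective settings on by default) can be expressed directly in a data model. The following is an added illustration, not code from the original page; the purposes, field names and settings are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the fields each consent-based purpose actually needs.
# Anything outside this set is dropped before processing (data minimisation).
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "order_updates_sms": {"phone"},
}

def _now() -> datetime:
    return datetime.now(timezone.utc)

@dataclass
class ConsentRecord:
    purpose: str
    given_at: Optional[datetime] = None      # None = never given (no pre-ticked box)
    withdrawn_at: Optional[datetime] = None  # set when the person withdraws

    @property
    def active(self) -> bool:
        return self.given_at is not None and self.withdrawn_at is None

@dataclass
class PrivacySettings:
    # Data protection by default: every optional setting starts at its most
    # privacy-protective value; the user has to opt in, never opt out.
    analytics: bool = False
    marketing: bool = False
    profile_public: bool = False
    consents: dict = field(default_factory=dict)

    def give_consent(self, purpose: str) -> None:
        self.consents[purpose] = ConsentRecord(purpose, given_at=_now())

    def withdraw_consent(self, purpose: str) -> None:
        # Withdrawal is a single call, as easy as giving consent (Art. 7(3)).
        rec = self.consents.get(purpose)
        if rec is not None and rec.active:
            rec.withdrawn_at = _now()

def may_process(settings: PrivacySettings, purpose: str) -> bool:
    """True only while a consent for this purpose exists and is not withdrawn."""
    rec = settings.consents.get(purpose)
    return rec is not None and rec.active

def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the named purpose needs; unknown purposes are refused."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}
```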
One advantage of working with GDPR through an agile way of working is that it facilitates the work with built-in data protection. The reason is that employees get the opportunity to constantly analyze the work and look for opportunities for improvement. Since the General Data Protection Regulation is formulated so that the company is never quite finished with its privacy work, but must constantly improve it and take new environmental factors such as new technology or new practices into account, an agile way of working helps.
Learn more
The 5S model
A good starting point when working with the GDPR is to use the so-called 5S model. In short, the model is about sorting GDPR-related documents and agreements, systematizing work, cleaning away unnecessary personal data, standardizing processes and creating good habits within the company. The 5S model is good to use at the workgroup level instead of the individual level, so that employees can learn from each other’s mistakes and experiences. In addition, it engages employees more, which is a good factor in achieving good results with data protection work.