Sometimes it’s the simplest things that can get an organisation into compliance trouble. Take the Australian government, which sold off old office equipment to a secondhand shop, not realising that some filing cabinets held ten years of top secret cabinet discussions between five governments. Needless to say this shouldn’t have happened, and was an easily avoidable mistake. Contributor Kim Lessley, Director of Solution Management at SAP SuccessFactors.
Digital data can be just as, if not more prone to compliance issues. Employees across organisations touch personal data – including data entry clerks, call center employees, marketing professionals and HR and people managers to name a few. You can have the best technology in place, but that doesn’t guarantee your organisation is in compliance with data protection and privacy laws. You also need to establish processes and train employees on those processes.
Imagine this scenario – you’ve spent between £1 million-£10 million getting ready for the General Data Protection Regulation (GDPR). You’ve done a technology audit, catalogued the different systems in use in your company and mapped where you store and process all personal data. You have gone through an exhaustive search and hired the perfect person to fill your Data Protection Officer role. IT and HR are working hand in glove to ensure employee data is secure in all systems and permissions are locked down so that only those people who need to see personal data can access it. You are ready, right? Think again.
Then you hire an intern to help manage your next big marketing campaign. She is eager to prove herself and takes the initiative of building her own global mailing list. She bases this on email addresses she’s collected from the sales team, which were extracted from lists of conference attendees stored on the team’s SharePoint site, etc. Chances are, not all of those people gave your company explicit consent to send them marketing material. And suddenly you are out of compliance with the GDPR for direct marketing without consent.
Or let’s say one of your top salespeople brings home her laptop to get some work done in the evening and forgets it on the train. The laptop contains information about customers and prospects, including personal information and notes. Not only is this a potential breach of the individuals’ information, but it could also be a goldmine for the competition.
Culture of compliance
One of the trickiest aspects of compliance is the unpredictable human factor. People make mistakes; sometimes because they are careless, sometimes because they are acting maliciously and sometimes because they simply don’t realise what they are doing is wrong. So what can you do to mitigate the risk to your organisation?
Establishing a culture of compliance in an organisation is critical to ensuring all of the process and technology work you put in to ensure compliance does not go to waste. A true culture of compliance is an integral part of an organisation’s ethics and is not simply a box that needs to be ticked confirming employees have completed an annual online compliance course. Instead, compliance needs to be embedded into everyday activities.
Most people want to do the right thing. Compliance expectations should be clearly communicated and reinforced and employees should be incentivised to behave accordingly. A culture of compliance sets the foundation and expectations for individual behaviour across an organisation – and it should start at the top. If a company’s leaders are not taking compliance seriously, how can you expect the rest of the employee population to do so?
Back to the story of the filing cabinets in Australia. If that happened to a company housing data on European residents, that mistake could cost up to €20 million or 4 percent of annual global revenue in fines under the GDPR. People will make mistakes, but you can limit the frequency and severity of those mistakes by instilling a culture of compliance where employees understand and embrace compliance as standard operating procedure, including always making sure filing cabinets are empty before selling them off.