#PrivSecDub: The GDPR compliance journey

Dr Katherine O’Keefe, Director of Training and Research at Castlebridge addresses audiences in the Data Privacy theatre with a keynote that highlights how GDPR compliance is a marathon, not a sprint.

Katherine emphasises how an organisation’s purpose must first be considered before formulating an appropriate and effective data management policy.

Within this, Katherine explains how quantifiable costs such as fines, consultants, technology fixing, the cost of business slowing down, alongside other penalties, are all helping companies to appreciate the price of privacy. This knowledge is the key to becoming sustainably compliant – thinking about how we measure these factors against the bottom line.

“A company that only makes decisions on the easy numbers will soon have no numbers and no business. Millennials are killing unethical business – there exists a very strong increasing demand for socially responsible business,” Katherine says, underlining the importance of guiding compliance through the ethical lens.

“In order to comply with GDPR you have to have an ethical focus on what you’re doing with your data.

We have to be aware of the gap between our principles that we talk about and what we’re actually doing. There will be a gap between our codes of ethics, academic teaching and professional training and the reality of the situation,” she says, before quoting Michael D Higgins, President of Ireland:

“The proliferation of ethical manuals and codes of conduct in the various professional sectors will be of only limited consequence if we do not also ensure that their purpose is embraced and understood by, and not just enforced upon, those for whom they are designed.”

Bearing the message in mind, Katherine explains how ethical principles should be expressed in company policy through the following guidelines:

  1. Establish a clear “tone from the top” for privacy and data ethics in general
  2. Implement data governance to create situational modifiers for individual behaviour – checks and balances, not tick boxes.
  3. Implement training to ensure “Ethic of Individual” is aligned with “Ethic of Organisation”.
  4. Ensure appropriate metrics and KPIs are in place to support cascade of accountability from top down.
  5. Ensure ALIGNMENT of metrics and messages from Principles to Processes.
  6. Take a “Balanced Scorecard” view of the investment in data protection and look for opportunities to improve efficiencies in the organisation.
  7. Ensure a transition from “Project” to “Operational” modes so that key controls are updated because people want to, not because they are told they have to.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/