Hayley Jaffrey has a proven track record of adding value by supporting organisations in understanding data protection legislation – GDPR, DPA 2018 and PECR/e-Privacy. She has experience in developing pragmatic, logical and cost-effective solutions that ensure responsible and ethical processing of personal data in compliance with the law.
The rise of GDPR laws has raised many questions for organisations all over the world as they build compliance with the regulations set out. Hayley Jaffrey will be one of the key speakers at the Data Protection European Summit. We caught up with Hayley to find out a bit more about the topics she’ll be discussing at the event in London this June.
1) What are the main challenges large organisations face when implementing GDPR-compliant principles?
Hayley Jaffrey: There are a number of factors that influence an organisation's readiness or willingness to comply with any kind of legislative or regulatory change, but a big one is cost. Most big organisations suffer from budgetary challenges and quite often it’s an in-house bun fight, i.e. one department or function competing or trading off with another for a piece of the financial pie.
Another challenge which contributes is the attitude of leadership – if they believe in compliance, integrity and, generally, doing the right thing, the fight for budget and resource can be an easier one, but if the Leadership Team are unwilling or unmotivated to invest in proper ways of working, it can be a really difficult sell.
When I am working with any organisation – large or small – I generally pitch the requirement in a quantifiable way, looking at evidence-based risks for their business/industry and the costs associated with noncompliance (which are always way higher) and also sweeten it with other benefits, such as cost efficiency gains through process or system transformation or improvement.
2) Why is a project management approach suitable for the adoption of GDPR principles?
HJ: Implementing change in a multifunctional, multilocational organisation requires structure, discipline and rigour, otherwise it’s like herding cats and you end up catching none.
Using project management principles ensures that everyone involved is working in concert and their actions or activities (workstreams) add up to achieve global improvements and greater overall control.
Principal tools include having a Project Charter to clearly define the scope of work, the objectives and deliverables and who will do what and when. A Project Action Tracker keeps work on track – on time and on budget delivery is the goal – and it’s virtually impossible to control a complex initiative without one.
3) What steps need to be taken to educate stakeholders in data protection?
HJ: Different parts of a business process different types of personal data for different purposes. As such, not everyone will get the same cookie-cutter training.
All staff should have basics training as an absolute minimum and this should be refreshed regularly to keep knowledge and awareness up. Managers or staff in functions where processing personal data is their key/core task, such as HR, IT, Finance, etc., should have more specific and in-depth training, so that they fully understand their responsibilities in that regard.
A business-wide Training Needs Assessment should be undertaken to identify who needs training and to what level.
4) What are the immediate areas to be addressed when operationalising data protection within an organisation?
HJ: There are many contributory elements to operationalising data protection, so as to ensure the business has the right technical and organisational measures in place.
A quick answer is to look at people, process, and system. Train/educate the people, embed the working practices into policy and procedures and adapt the systems and technologies to ensure efficiency and control. This underpins Privacy By Design.
5) Does successful GDPR implementation rely more on operational or cultural change?
As Peter Drucker once said “Culture eats strategy for breakfast” – if you can’t get the people on board, the new ways of working won’t stick!
European Data Protection Summit 2019
To hear more of Hayley’s views on the business of GDPR make sure you attend the European Data Protection Summit on June 3rd 2019.
Hayley will also be joined by fellow data protection industry leaders including: Max Schrems, Ivana Bartoletti, and Sheila M. Fitzpatrick.
The European Data Protection Summit 2019 by Data Protection World Forum will play host to 800 DPOs, Security Professionals and senior business decision makers looking for information, updates, clarity, advice and solutions.
The event will play host to professionals from the realms of Data Protection, Privacy, Information Security, Technology, Marketing and Sales, Supply Chain Management, Finance, and Human Resources.