Simplify the GDPR? Upgrade your competences instead

Whilst getting my plans in place for the rest of the year taking into account all the ongoing geopolitical impacts a few good articles and interactions stood out for me during the past few weeks especially all the discussions and articles about the need to simplify GDPR. And in recent weeks there have been some great posts from people like Mark Thomas who highlight the frequent misuse of the word “governance.” And then there's some memorable chats I've had with various professionals I highly respect, people like David Longford and Nora Reháková.

I think the current debates about simplifying GDPR highlight a different truth. Effective implementation is not just about identifying applicable laws and regulations, understanding them, interpreting legal texts, cases, etc., and then passing it over to the rest of the company to figure it all out.

It’s about so many other things like mobilising the right people, securing budgets, building cross-functional buy-in, managing projects to name a few examples. If a GDPR roll-out fails, you can’t blame the law itself or the tools. There's also one word that's missing from many implementation projects and that is quality, which needs to be at the heart of any implementation alongside project management and risk management.

And how about all the data protection education out there? Most of it tells you WHAT to do, but very little tells, or shows you HOW to do it. Much of the data protection work I've seen, or hear about is driven by compliance checklists and no end of templates and fancy tools, and very little embedment of meaningful and sustainable change in the fabric of the companies' inner workings.

Perhaps some data protection leaders need to look at themselves in the mirror because I believe it's often a matter of missing competences rather than legal complexity. This manifests in, for example, lack of organisational support, inability to secure funding, defaulting to clunky legal solutions, poor planning, failing to understand the complexity of data and technology, to name a few.

Many companies succeed with far more complex implementations, transformations and organisational change than something like GDPR. That’s why I think there may be little need to simplify laws like the GDPR. The real challenge is getting together the right people and having competent leaders in place to head up the team, office or function.

Twenty years ago I managed GRC projects related to SOX compliance, financial EU directives, ISO security standards, employment legislation, and among the key success factors was forming multi-disciplinary teams with appropriate subject matter experts, so in these projects these was typically colleagues from finance, HR, Infosec, etc., yet these days we have an almost opposite situation with data protection. To me, the clue is in the word "data" yet despite this, a legal background is seen as pre-req to lead the project.

Legal knowledge is only one piece of the jigsaw. To address these issues, I’m launching a series of blog posts that will highlight the essential knowledge and competences for success in data protection and AI governance, explaining why you don’t need a legal background to lead in this space.

Legal colleagues remain vital, but they are just one part of a much broader team, and for the clients of mine where I see the leaders succeeding, they tend to acknowledge that data protection is a team sport and a multitude of competences is required.

Is your data protection work troubled, or needs to improve? Get in touch to discuss your challenges and establish dialogue to bring about meaningful change.