Struggling to keep up with the fast-paced innovation in your tech company? These tips can help you navigate all the different opinions and needs that co-exist within a business.
Start with the teams that use the most data; your growth hackers and marketeers. Really listen to what they need, and ask what they would do if they had free rein. Refrain from pointing out GDPR articles in this meeting, focus on understanding their workflow and wishes.
2. Your company's do's and don'ts
Once you understand the most important team-needs, you can distill do's and don'ts that tie into the business goals. For example, for WeTransfer it's a no brainer that we don't sell or share personal user data externally. We analyse the data internally, with the purpose of growing our own business efficiently, and in line with user needs. So one of our do's is: Use personal user data to understand our user needs, and grow the business. And the accompanying don't is: Share or sell personal user data.
When it comes to setting these commandments, a risk-based approach could work in your favour. What practices bring in most revenue for the company, and how do they relate to the data of your clients?
3. Getting that seal of approval
When you've established your most important do's and don'ts, it's time to get your CEO involved. You need them to sign off on your privacy plan. That's the only way to give yourself credibility when you execute on your plan. In my experience it's best to propose a finished first version, since their time is limited and they may not be as familiar with the ins and outs of the GDPR. It can also make sense to include the managers of the teams that work with data the most in this sign off. This way, everyone has the same understanding from the get-go, and you can be certain the plan strikes the right balance between compliancy and business goals. Pro tip: include consequences for (repetitive) mis-use of personal data.
4. Three levels of advising
When you are working on features or plans with other teams, it can work to offer layered advice. What that means is giving a team three options to move forward. The first one is low risk + full compliance, the second medium risk + partial compliance and the third is high risk + no compliance. By defining what each option means in terms of risk and probable outcome, you create more context for the team, and ultimately make them an owner of the option they pick. It's important to steer clear of jargon or legal speak, your advice needs to be clear and concise. Translate it to the company's shared language, so everyone in the business understands what you mean.
5. Spotting discrepancies
If you ever notice someone is slipping up, confront them privately. They may not be aware of the internal policy, and they don't deserve a public shakedown. Once you've talked with them, make sure you send them a short recap via email, so there's clarity on what the boundaries are, and where they were crossed. Make sure you train teams from time to time, to raise awareness of your internal policy, and to identify your privacy champions. They are ultimately the ones that will help keep the company in the best shape possible.