Oct 06
Why new projects are killing your privacy program

So you’ve got your records of processing in order, your training set up, and your vendors under control. That’s great, but it only holds as of the day you last reviewed data processing practices in every department.

The truth is, new projects come from all directions all the time – and if you don’t discover them early enough, all the progress in your privacy program risks becoming outdated and irrelevant.

The problem

When you’re working in a big, diverse organisation, getting into people’s workflow at an early stage of a project can be difficult: every team has its own processes and its own rhythm. If you don’t, and instead come into a project late, you arrive at a stage where you are a blocker. People see you coming and think, “here comes privacy again, they found out about it”.

Which isn’t fun, because it makes you look like the bad guy. It also means that when you chase for information, the people on that team want to move on, because they see their work as done.

Breaking the problem down: remove barriers

But we can’t let non-privacy team members take all of the blame. The truth is, many privacy teams today run a fairly unintuitive process that puts a lot of responsibility on the recipient before they have any idea what to do.

Let’s take a fictional example. Imagine you work on a privacy team and notice that Tim in marketing is starting a new project with an email marketing or survey tool, like Mailchimp or Surveymonkey. If you then send him a full risk assessment questionnaire with dozens of deep, meaningful privacy questions, you’ll get either no response or shallow, top-level answers: the burden of answering has been put on him too early.

The solution: Set processes early

To ease the burden on poor Tim, make the step toward the giant, full-on DPIA a gradual one. By sending out a shorter assessment with just a couple of questions, you can judge whether the risk is high enough to ask for further information (if you use DPOrganizer, the tool does a preliminary risk analysis for you).

If the risk is above a certain threshold, you can then take the appropriate next step: either send out a full assessment, or possibly send out some educational material first. Both are completely customisable, so you can add text, images and videos that are contextual to your organisation.

Best of all: thanks to automatic reminders, the risk scoring mentioned above and more, once you’ve gotten into the habit of using a system (like DPOrganizer), the processes become clear and set. Suddenly, enforcing your internal privacy policies becomes much easier, because DPOrganizer clearly shows which parts of your organisation are up to date on their compliance, which ones are lagging behind and where your gaps are.

If you want to learn more about DPOrganizer, you can book a demo with one of our solution specialists.
