Small and Medium Enterprises (SMEs) are encountering workflow-related challenges when it comes to complying with the General Data Protection Regulation (GDPR) and preparing for the enforcement of the California Consumer Privacy Act (CCPA). The COVID-19 global outbreak has presented additional challenges that are impacting efficiency and productivity, taxing resources, and hindering the ability of SMEs to respond to GDPR requests and conduct scheduled GDPR compliance audits.
Adapting to Remote Work
Many employees find working from home unproductive and distracting. Here are some best practices for adapting to new work environments:
- Set up your workspace in a quiet, comfortable area that has natural light. Having a good workspace is key to working productively.
- Set a schedule to maintain a sense of normalcy. This can be done by setting work, break, and lunchtimes. If you had a significant commute into your office, consider implementing a fake commute each morning and afternoon to build space between your home and work environment. This could include meditation, a bike ride, or a walk. This is a great opportunity to add stress-relieving exercises to your routine.
- To maintain productivity, employees should reduce multitasking and set expectations. They should also put extra planning into communications to get the most out of meetings. If you have children in the home, you should schedule breaks with them and manage expectations during calls (e.g. let coworkers know they may hear little voices in the background).
Streamlining Compliance Workflows
When adapting GDPR workflows to a work-from-home environment, many people are finding that they need to add extra steps (like connecting to a VPN) to obtain the same results they were getting in the office. This is a good time to assess workflows and their purpose in an effort to identify opportunities for optimization. In other words, employees and business leaders should ask themselves, “Is this extra step absolutely necessary, or is there a better way?”
To eliminate redundancies and streamline workflows, look to common project management tools like Trello, Slack, MS Project, Asana, and Monday.com. These tools are incredibly helpful when it comes to cross-departmental communication – something that’s vital for reducing any backlog of GDPR requests and for conducting GDPR audits.
These tools are easy to use and easy to customize for your organization. Most have built-in file-sharing capabilities and targeted notification settings that keep only the right people in the loop without the need to rely on email and its many limitations. Many of these tools offer training and can help you fit their platforms to your organization’s needs.
Managing Additional Work
The initial move to remote work has created a huge increase in workload for IT and cybersecurity departments. And the surging number of cyber threats designed to exploit the chaos surrounding COVID-19 isn’t making that workload any smaller. Remember, compliance with GDPR and CCPA isn’t just about cataloging data and responding to deletion requests. It’s about preserving the security of consumers’ data. A breach or hack at this time would be devastating for most organizations.
Be sure that employees don’t let their guard down just because they’re working in their pajamas. This is something IT teams can delegate for the time being. Scheduling recurring emails that remind employees to be on the lookout for phishing and scam emails saves time and ensures consistency. For organizations that have access to a cybersecurity training platform, now would be a good time to implement training on these new cyber threats.
Preparing for CCPA
As it stands, the CCPA enforcement date will not be pushed back, so all organizations should be thinking about the actions they need to take to comply with the regulation. Companies already compliant with GDPR have a head start on CCPA compliance.
Many GDPR processes and workflows can be leveraged for CCPA, allowing for some quick wins. Data mapping done for GDPR can easily be utilized and expanded to include the data that qualify as personal information under CCPA. Updates to compliance policies that were made to address GDPR requirements can be further updated to include the details mandated by CCPA. The deletion request process created for GDPR can be adapted to CCPA requests. Finally, training that was necessary to inform employees of GDPR requirements can be easily updated to include CCPA. This will be especially simple for organizations that use a Learning Management System with built-in training modules, as the course can be added to employees’ required training.
Focusing on these specific items while resources are more limited will enable organizations to continue moving forward in the compliance process.