Without a doubt, the most successful data protection initiatives that we have seen in the education sector are those that have had buy-in from team members across the school. This doesn’t just mean approving the necessary funds to bolster compliance efforts, but understanding the need for long-term cultural and process changes to the organisation in the years to follow.
Whether your school is looking to fine-tune its existing data protection compliance initiative, or starting from scratch, gaining trust and cooperation from stakeholders is imperative for success.
Data-protection regulation is set to advance globally in 2020-21. Even though the COVID-19 pandemic has changed the landscape and some regions have delayed the introduction of new regulations, it’s wise to continue to prepare. Schools should avoid delaying the progress of their compliance strategy and ensure that they are well prepared and appropriately resourced. Looking back at the introduction of the GDPR in 2018, according to Forrester, with less than a month to go until the deadline, only a quarter (26 per cent) of European firms were fully compliant.
Nations that are either expected or certain to have new data protection rules in place during the next 12 months include the world's two most populous countries, China and India, as well as the jurisdiction with many of the world's most widely used tech companies — the US state of California, where the first comprehensive US data-protection law, the California Consumer Privacy Act (CCPA), came into effect earlier this year. Other regions, including Brazil, Canada, Japan and South Korea, have also passed, revised or made effective national privacy laws in 2020.
You know that, as a data protection leader, your program could be adding greater value to your organisation rather than being perceived as a legally-driven, tick-box exercise. So how can you drive greater awareness at senior levels of your organisation? It’s important that you are able to present the facts, along with the consequences of a data breach, to ensure that your school is adequately preparing for data protection compliance. Ultimately, the reputational damage of a data breach or incident can far outweigh any financial investment required to implement a robust compliance framework in your school.
Understand your stakeholders (not just budget holders!)
Sometimes termed stakeholder management, it includes understanding the political dynamics of your organisation. It also involves recognising exactly how personal data supports your school or organisation. Changes to company culture and any new program to help you build your data protection roadmap will inevitably come with a series of questions from each stakeholder. The budget holder will have different questions to the end user, so you need to be prepared to address the needs and concerns of everyone involved in the process, from the end user to the buyer. Whose support do you need to help build your culture of data protection? Who is most likely to support your proposal and potentially put financial resources behind it? Who are the resistors, and what strategies and tactics do you need to get them on board, if that's at all possible?
The earlier you prepare, the better your chance of getting the stakeholder buy-in you need.
This also lets you iron out any objections, concerns or queries they may have with the introduction of data protection regulations. This will let you find the best governance, risk and compliance (GRC) solution to manage data protection for your school or organisation. By engaging people early, you are also negating the possibility of making decisions only to find stakeholders have concerns about something when they enter the process later down the line.
Make it clear how GRC ties in with your school’s vision, mission and values
Can a school pride itself on prioritising student safeguarding if a lack of investment in data protection is leaving students vulnerable? Similarly, schools that have a specialisation in education technology should also be prioritising the management of risk. It’s important to emphasise how a robust compliance programme can in fact accelerate innovation by understanding risk appetite, avoiding overspending and maintaining best practice in IT security and systems. As mentioned above, GRC is not just a tick-box exercise to meet compliance and accreditation standards, and you’ll gain traction by clearly demonstrating how it fits your school’s overall business objectives, mission and values.
Focus on the benefits
If you map out your data protection goals early, then you should be able to offer a clear understanding to stakeholders of what is needed to achieve the desired outcome. It needs to include background information about data protection in your region. This could include the main drivers behind new rules and the pitfalls associated with not implementing a data protection GRC strategy (i.e. 20 million euro fines or 4% of global turnover). For whatever data protection strategy you adopt, it’s important that you can clearly identify all the benefits and that the success of the project can easily be tracked. Due to the fines and reputational damage associated with a data breach, it’s important that one of the main benefits can clearly show how the safety of personal data has been achieved throughout your entire school or organisation. You will therefore need to address the benefits of having oversight of different departments' relationship to data (for example, admissions, academics or IT) and the benefits for each of these groups.