Three criteria for successful implementation of regulations in larger organizations
Implementing a new regulation, be it GDPR, an AML directive or PSD2, often poses great challenges for any larger organization. The answer to “what?” is often considerably easier to give than the answer to “how?” As a legal counsellor who during the last months has been working constantly with GDPR, I receive a lot of intriguing questions on my desk. Many of them relate to how the many generally worded articles of the GDPR should be interpreted. What is recurringly apparent however – regardless of the legislation – is that the greatest challenge of being compliant is often related to the actual implementation of the advice you as a legal counsellor give, which in turn depends on the state of readiness of an organization prior to the implementation of new legislation.
Of the many criteria that can contribute to a successful implementation in this way, there are three that I would like to emphasize as more critical than others:
1. Modern IT architecture. “We have an old big data system from the 80s that we have to take into consideration”, “This system originally comes from a company that we bought in 2001 and we have never really got it working with the rest of our IT environment”, and so on. Today’s regulations demand that an organization has control over exactly what kind of data it holds, where it is held and who has access to it. If your organization relies on “quick fixes” and “workarounds” for old IT solutions in order to comply with regulations, then there is probably a genuine need for you to invest in the IT environment; the technical demands of tomorrow will not be less than those of today. Identify issues when they occur and try to be proactive in your IT strategy.
2. Roles and responsibilities. An absolutely crucial part of the implementation, but also of ongoing compliance, is that roles and responsibilities are clear in an organization. This does not mean that you have to create a machine bureaucracy à la Henry Ford, but you probably need to ensure that someone is responsible for every appropriate action and that there is an overview of the roles whose responsibilities may overlap. This prevents two individuals from doing the same thing (maybe in two different ways…), but also lessens the probability of each of two individuals depending on the other to take the necessary action!
3. Relevant knowledge. Perhaps the most important factor in the equation is that you have access to individuals with good knowledge of the regulation and individuals with good knowledge of your organization. An optimal implementation occurs when the specialists receive all relevant input about how the organization operates, and the organization receives correct advice to follow in the implementation.
With this said, a lot also comes down to transparency and direct communication. The attitude towards change that executive management communicates will affect the organization’s mindset and its ability to comply with applicable laws and regulations. In the end, this could be the deciding factor between hefty fines and ‘getting it right’!