How to comply with data privacy law when working agile
Transitioning to an agile operating model is an ambition of many companies in all sectors. That’s understandable: simplifying procedures and infrastructure, lowering formality and reducing the need for physical presence can save costs and increase productivity.
A key obligation under data privacy law is “accountability”. In a nutshell, this means you are required not just to comply with data privacy law, but to be able to prove compliance on regulatory demand. It’s not easy to remain accountable to the standards expected by regulators while working in a truly agile way.
True agility means a working model based on smaller, self-organising teams made up of cross-functional staff. Those teams are given significant autonomy, including, crucially, the ability to make meaningful decisions. They tend to achieve incremental results in short “sprint” projects, with the product at the centre of their thinking.
Data privacy compliance does not always flourish in these environments:
— the more frequent and broken-down the tasks, the more often documentary processes and procedures have to be carried out and recorded;
— people working towards tight deadlines do not appreciate being delayed by compliance approval controls or documentation exercises; and
— people naturally gravitate to what they see as the more creative or intellectually rewarding substance of the project.
In our view, the best solution is to make your organisation’s data privacy law compliance a bite-sized, collective responsibility. We recommend the following steps:
— Working with your head of data privacy, design a data privacy law compliance “playbook”, which explains in a user-friendly way how data privacy law applies to what the organisation does and sets out the different compliance points to consider.
— Those compliance points should be categorised as key data privacy law obligations and should provide easy access to the relevant compliance documents, explaining how and when they should be used. Examples would include:
— A person in each department, or at the head of each small team, should be in charge of, and trained in, either quickly carrying out the compliance requirements or providing the required information to the data privacy lead/team.
It is important to get this right. If you have compliance measures in place – even if flawed – regulators are much less likely to fine you if something goes wrong.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments.