GDPR Implementation across 120+ national offices
In May 2018, the EU’s General Data Protection Regulation came into effect.
GDPR: The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA.
When I started my current role, I was appointed Data Protection Officer (DPO). With this came two main responsibilities:
- Ensure our Global Information System (GIS, the sum of our (web-) applications and the API powering them) complied with the GDPR.
- Ensure our 120+ national offices complied with the GDPR.
Most of the work to make our systems GDPR-compliant had already been completed. Our solutions were designed so that every one of our 120+ national offices was compliant with the GDPR by default. From there on, we would just need to ensure that every single one of our employees understood the GDPR and acted accordingly. This would be done through our national offices. Our solution to track this was to set up a checklist and ask each of our country managers to submit proof that the respective structures were in place. However, progress on this was slow. The national offices had no incentive to prioritize this, and since AIESEC is structured so that every national office is its own entity, we had little leverage to make them do it.
As it was my responsibility, I was adamant that this job would get done. Not knowing what to do, I turned to one of our partners and advisors at PwC, who is responsible for PwC’s own global GDPR implementation.
“It is very simple for PwC,” he told me. In essence, they have the same kind of checklists and employee training material in place. The main difference is PwC’s structure, which ensures the effectiveness of their GDPR implementation. As each office acts as a partner, PwC’s head office can simply strip them of their partner title. This is their main incentive.
I realized that for AIESEC it is, after all, not that different. As a non-profit organization with a compendium, where each national office is part of the membership body with voting rights, we could make GDPR compliance a criterion for membership status.
This, however, seemed like a drastic step. All members would have to agree to it, and I did not feel I had the authority even to suggest this change. Trying to get more people on board with my idea, I devised a simple yet effective plan:
I casually invited a manager from our Finance & Legal department as well as the VP Organizational Development for a chat at my home. These were two people whom I trusted. We were having a conversation about our jobs and how things were going. At one point, I brought up my challenges and asked for their opinions on how to solve them.
They went through a similar thought process to the one I had had before, but likewise reached no conclusion. When I presented my solution, I was actually surprised by their reaction: “This could actually work,” and that I should try it.
Reflecting on this conversation today, I realize that something simple yet powerful had happened that evening: I was given permission to lead, and this simple act allowed me to move forward with confidence.
We knew that we would not be able to drop this bomb on our members just like that. It would come as a surprise and would lead to resentment and probably to the rejection of the proposal.
1. Identify and onboard key opinion leaders
The first step was to open the topic to a small group of country managers who represent the majority of offices. In this way we got their buy-in and turned them into champions for our idea.
2. Provide different options
We also offered three different implementation options, varying in the degree of control each would exercise. This steered the conversation away from “deciding between yes and no” towards deciding which of the three options was the most favorable.
3. Raise awareness and ask for permission
At the next suitable opportunity, a legislative meeting, we opened the conversation to the entire membership body. However, the topic was raised not by us but by one of the champions we had built earlier. We did not present a ready solution; instead, we deliberately bought time by asking for a mandate to work one out. Consciously obtaining permission to work on this greatly strengthened the commitment of everyone involved to the change.
At the next legislative meeting, we presented our solution. The time we had bought was not actually needed to flesh out the proposals. We already had them in place, and they did not change at all. Yet this delay was a change management tactic: it gave the national offices enough time to go from Clarity to Capability for the change.
The change was voted through unanimously, and after that the number of national offices submitting proof of their GDPR implementation grew enormously.