Making the GDPR a Compliance Lullaby: How Tedium Creates Nightmares
The notion of GDPR compliance just took a whimsical new turn. The new rules already dictate compliance about personal data collection, use, and sharing. Now, they may help insomniacs comply with the need to catch up on their sleep.
The developers of a leading app designed for meditation and sleep, Calm, took one look at the written regulation and decided it deserved a place in their catalogue of Sleep Stories. That’s a collection of gently-lulling audio tales intended to help adults drift off to dreamland, and the team at Calm thought E.U. data privacy law absolutely deserved a place:
New laws aren’t meant to be exciting – but this one could sedate a buffalo.
As their article points out…
At 57,509 words, including the 107-page introduction, the new GDPR regulation, is:
- Over 43 times longer than the American Declaration of Independence,
- 214 times longer than the Gettysburg Address by Abraham Lincoln.
- Nearly 420 times longer than the UK Parliament’s Bill for triggering Article 50, leading to withdrawal from the EU.
The Calm audio version of the GDPR only covers the first 40 minutes’ worth, and they know that’s probably enough.
The right voice for the job
Calm even hired the best man imaginable for reading the rules out. You can listen to an entire episode of the popular podcast 99% Invisible that tells the story of the voice in question: Peter Jefferson, a former BBC announcer who was known as “the voice of the Shipping Forecast.”
For over four decades, he was the announcer for that uniquely British radio institution, treasured even by people with no interest whatever in marine weather conditions. They’d tune in at bedtime so they could nod off to his mannered tones reciting cryptic nautical weather data only a sailor could make sense of. It was so potent a sleep aid, Calm naturally turned it into a Sleep Story too.
It oddly reminds me of how, as a kid, I discovered my multiband radio could pick up UHF TV broadcasts. No video, just audio, but late-might reruns of Perry Mason sent me off to sleep more times than I could count.
GDPR compliance? Unsexy but essential
Things I personally never saw Perry Mason do? File a petition, take a deposition, or do anything but crack a few law books, wrinkle his brow, and browbeat a witness into admitting they’d really pulled the trigger.
It wasn’t a realistic depiction of the law, because the grown-up reality of criminal, civil, commercial or corporate law is about observing processes and precedent, about compliance and proper governance in the first place, and avoiding litigation if it can be helped. The less drama, the better.
To an outsider, the business of GDPR compliance might look complicated, and the tasks involved…well, undramatic. Tedious, even.
Process tedium and enterprise transformation
They’re half-right: Most lawyers are fully engaged with their profession and its challenges. But whenever an industry or enterprise has to contend with regulation and standards, especially when they’re copious enough to fill out 57,509 words, a sizable amount of unexciting work but necessary work has to be done.
No matter the type of work, though, if humans are involved the occasional error is inevitable. But the more mundane and seemingly simple the task, the more likely they are to produce mistakes.
Why? Because the more boring and repetitive the work, the more people dislike it, and the harder it is to get their full engagement and attention. And when attention lapses, errors happen.
“He is always right who suspects that he makes mistakes.”
Spanish Proverb
78% of respondents to a 2018 survey by HR/payroll software provider DATIS said they’d experienced “numerous” compliance problems in the previous year. Even when companies are actively trying to enforce compliance, they’re at risk. One CEB study found that over 90% of employees violate policies expressly designed to prevent data breaches like those GDPR compliance should prevent:
- 45% of internal privacy failures were caused by intentional “but non-malicious” employee actions.
- Two-thirds of employees use personal technologies for work, like dropping sensitive files to their at-home computers, violating compliance rules.
- The average Fortune 1000 company now spends over more $400,000 a year notifying customers and employees of privacy failures – at least, those that get reported.
- Employees “rationalize noncompliance” and work around rules and processes they find too difficult to observe.
One recommendation of the report? To build privacy compliance into workflows to make it more convenient for employees to comply. The right technology can accomplish this, as compliance is embedded in processes or delivered via intuitive UIs, making it much easier for everyone to follow the rules.
Proof of that? A PWC study found that companies whose compliance programs were effectiveness leaders were more likely to:
- Make enterprise investments in technology infrastructure to support data-driven compliance.
- Use technology and analytics to improve compliance monitoring effectiveness.
- Leverage data and technology to provide targeted, engaging, timely compliance training.
- Streamline Policy Management to increase employee response and boost effectiveness.
Banishing boredom has to be a mission
Beyond fines for noncompliance or other expenditures, there’s another cost when a project or process becomes mind-numbingly boring, or compliance is too difficult and time-consuming: The mind-numbing aspect of it not only means there’s a greater chance of errors, but it also means the talents of attorneys and other staffers aren’t being fully utilized.
Proponents of transformational technologies like workflow automation and A.I. are right in saying that these platforms can free human beings to exercise their capacity for innovation. That capacity is blunted when legal departments are overwhelmed with mundane tasks.
But every good attorney has a reservoir of creativity that is, as one attorney put it, “buried under boilerplate work in contracts, discovery, and other often mind-numbing tasks that consume much of the daily grind.”
That creativity is vital to being a lawyer. So while it’s amusing to consider how the GDPR may be better than Ambien for lulling us to sleep, there’s a serious challenge at the heart of this: Legal departments have to make it their mission to eliminate tedium, if they’re going to optimize compliance and maximize their use of legal talent. The risks and challenges they face make it mandatory.
They owe it to themselves and their clients to overcome those aspects of GDPR compliance, or contract law, or policy management, or other tasks, that are squandering human potential and getting in the way of innovation and intelligence.
Other resources you might interesting?