For those who work in data, GDPR compliance is nothing new. But in case you’re out of the loop, GDPR stands for General Data Protection Regulation, and it codifies EU consumers’ rights to digital privacy. It goes into effect May 25th, and carries severe penalties for non-compliance. However, the means of compliance is left up to the companies.
This ambiguity may at first seem daunting and confusing. But GDPR’s method of “outsourcing” decisions about compliance processes — that is, of effectively forcing companies to self-educate — is consistent with cutting-edge methodology from the education sector. Considering then that GDPR applies to EU citizens, no matter where they are in the world, the regulations must make sense across many cultural and linguistic barriers. So it’s only fitting that GDPR would make use of one of the most important ideas in modern language-education theory: the information gap.
Linguists consider the information gap to be a tool used to develop communicative competence; it teaches people to communicate in ways that may have previously not occurred to them. By using information gaps, GDPR launches companies on a journey that educators call guided discovery, helping data companies to help themselves.
In an information-gap activity, the educator presents learners with a situation in which something is incomplete. The learners are then left to figure out the missing information. To do this, they will have to use the target language: a set of tools useful for collaboratively identifying what’s been left out.
Let’s look at some of the most basic information-gap activities, and how they apply to GDPR.
Spot the difference
In this activity, two students are each given copies of what appears to be the same image, however the copies differ from each other in subtle ways. The students must then describe their materials to each other, and determine (in a language not native to either) what the differences are.
With GDPR, ‘spot the difference’ occurs between controllers and processors that share user data with each other. Consider this checklist for any two-partner companies:
- How do their methodologies for gathering data, and obtaining user consent, differ?
- What is the significance of those differences in light of the GDPR?
- What must be considered in their partnership, in order to make them both compliant, while also preserving their autonomy and business goals?
Initially, the answers to all these questions are unknown. The process of answering them is the process of learning to communicate in a new way, and to learn to use the target language of GDPR compliance.
Share your family tree
One learner describes her extended family to another student, who maps the relationships as a diagram.
With GDPR, this activity is about tracing relationships between organizations, and how those relationships affect shared data. Each enterprise must map out the path that its customers’ data takes throughout its lifecycle. Then it’s time to send questionnaires to each partner, checking the TOMs (technical and organizational measures) that are being taken. Are you buying data from someone who should be GDPR compliant? Are you selling data to someone who expects you to be doing so? No one organization can ever see the entire landscape of interconnections. But working together, they can go leaps and bounds beyond where they started, getting as close as possible to telling complete stories about each piece of data.
Describe the picture
In this activity, one student is given a picture to look at. The other student is given a blank piece of paper and a pencil. The first describes the image, and the second tries to recreate the drawing based on the description.
With GDPR, ‘describe the picture’ happens when two companies look at the contract they signed together. Each tries to determine how the other is interpreting its own compliance obligations and exposure risks. Will the second-hand “drawing” be completely accurate? No — but it doesn’t have to be, initially, either. Through negotiation, the contracting companies work through their shared responsibilities to create a picture of collaborative GDPR compliance.
Are you ready for GDPR? With partners Mailjet and mParticle, Braze presents GDPR: Beyond Borders, featuring panels of lawmakers, lawyers, and technology and marketing experts from Europe and the U.S. to help you decide. Together, they explain GDPR, what it means for your business, what steps your teams need to take, and more. Watch now.