Data Privacy: How Do You Solve a Problem Like a Mindset?
Rafael is taking his last call of the day. “Good evening. Thank you for contacting FST4WRD Internet Services. My name is Rafael, how may I help you?” Rafael listens carefully as Mr. Whitman explains this is his third time calling, because his internet keeps going down. Fortunately, upon investigating Rafael realizes he has seen this issue before and quickly adjusts a setting to fix the issue. Mr. Whitman thanks him and asks if he can look up his sister’s account to apply the same fix. He explains she has been having the same problem and is also frustrated. Mr. Whitman wants to save her the hassle of making the call, since she has been dealing with some health problems lately. Rafael explains he is not authorized to access her account without her on the call. Mr. Whitman becomes angry and threatens to cancel his service and to tell his sister to do the same. Rafael sees that Mr. Whitman is a long-time customer, has one of the largest packages they offer, and understands Mr. Whitman’s frustration. His job is to take care of the customer; he wants to do the right thing. “I’d be happy to help her. Let me look up her account now.”
Rafael works in customer service. By addressing Mr. Whitman’s sister’s issue, he likely turned two valuable, frustrated customers into happy, loyal ones. Typically, this would call for an accolade for Rafael; instead, he is fired for breaching a customer’s data privacy. This is one of the many tensions inherent in work that involves customer data. How do we help people balance meeting the needs of the customer, or even delighting them by going above and beyond, while ensuring data privacy policies and regulations are followed?
Regulatory oversight of user data is a swiftly changing landscape, requiring constant revision of policies to stay in compliance. Technology is evolving rapidly, capturing, sometimes inadvertently, more and more data that needs to be protected. Providing timely and effective service to customers is essential to success.
Those who are stewards of data must balance these pressures in their day-to-day work. How can we, in learning, help them do that?
Currently, despite decades of knowledge about psychology and learning, we often continue to structure data privacy training as knowledge transfer. If only we tell them what to do, they will do it. Human beings are rationally irrational—adept at reasoning in ways that support factors most salient to them at the moment, especially when the volume and complexity of factors become overwhelming—as they often do when navigating data privacy. Therefore, we need not only to address awareness and application of policies but also to encourage a shift in the common mindsets that lead to the mishandling of data.
It’s better to ask for forgiveness than permission.
This axiom highlights how many of the behaviors that are otherwise encouraged in a competitive, rapidly changing industry are actually detrimental when dealing with something as sensitive as data privacy. The expediency promoted in day-to-day business can be devastating in the context of a regulatory landscape, yet often the need to accomplish a task quickly feels weightier to the employee than taking the time to follow the prescribed procedure.
It’s no big deal.
Activities that violate data protection are often hurried, low effort, and somewhat spontaneous. We know from the learning sciences that *immediate* reward and punishment, or the lack thereof, is most likely to strengthen behavior. The consequences of these risky activities feel distant, fuzzy…inconsequential, especially within the tsunami of other daily decisions and tasks.
It doesn’t hurt anyone.
At its core, data is a complex combination of 0’s and 1’s. It’s faceless, without feeling or expression. It doesn’t get stressed. It won’t get mad at you. It can’t express fear or disappointment. It’s easy to forget the impact of this data on the end-user, often far removed from the employee. It’s easy to forget this is a human being who may spend hours rectifying identity theft or be left scrambling to keep leaked information from an abuser.
No one will know.
It’s easy to believe as you sit in front of the computer, perhaps in your own home office, that activities related to data handling are known only by you and are unlikely to be discovered. We are used to pushing the limits, gambling that we won’t be caught. How often do you speed, betting there are no cops out today, that traffic is heavy enough that you’ll slip by, or that if you go just a little bit over the speed limit, it won’t justify a ticket? Again, the murkiness of the monitoring and consequences of our actions makes it easy to break the rules, just this once.
It won’t happen to me.
We tend to believe we are unique, special, smarter than average, and more moral than most. This is a cognitive bias known as the illusory superiority bias or the Lake Wobegon Effect, derived from Garrison Keillor’s Stories of Lake Wobegon, “a place where all the women are strong, all the men are good-looking, and all the children are above average.” This bias may manifest as a belief that because our intentions are good, when we violate data privacy policies it is qualitatively different from when others do, so we will be forgiven. We won’t face the consequences of those violations because we are different.
If I weren't supposed to access it, someone would prevent me from getting to it.
One understandable misconception is that data that shouldn’t be accessed or used in unapproved ways will be blocked from access. However, due to rapidly evolving processes and situations where workers need to access data for specific tasks, it’s impossible for an organization to fully silo sensitive data from those who should not be using it in unintended ways. Think about HIPAA laws. Healthcare providers must access healthcare data as part of their work, but that does not mean they have unlimited permission to access that data at any time or share it outside of approved scenarios.
Other people are doing it.
Peer pressure doesn’t end in high school, and it doesn’t have to be explicit. Watching those around us take part in risky activities sends a powerful message that those activities are tacitly acceptable. It’s a critical part of how we come to understand how we should really behave and which rules we can break. In addition, we may be primed to look for ways to justify the things we want to do, and watching peers violate data privacy policies is a powerful influence that encourages more casual data handling behavior.
How do you solve a problem like a mindset?
One thing is clear: knowledge transfer alone will not solve the problems created by these mindsets. Mindsets, attitudes, and beliefs tend to be ingrained in us and are often implicit, i.e., unconscious. Changing these mindsets, and the resulting behaviors, requires sustained messaging and training using multiple modes.
1) Educate learners about these mindsets.
Many people do their work without reflecting on how or why they do it the way they do. Often these mindsets are automatic and unconscious, so we need to explicitly call them out in training. Explain what they are, that they are normal (i.e., not intrinsically bad), and how they may lead to risky behavior.
2) Make the consequences of the risky behavior personal, immediate, and crystal clear.
Leverage the WIIFM. Yes, explaining the impact on the company or customer is important, but also focus on how this behavior will affect the employee personally. Be explicit. People often do not realize that violating compliance policies can lead to serious consequences for them up to, and including, termination. Also, connect the dots for them between how a risky behavior leads to a violation and then results in negative outcomes. Make these explanations as simple and direct as possible and use real-life examples when describing scenarios.
3) Teach behaviors that demonstrate mindfulness, ownership, caution, and integrity.
With regulations changing constantly, it is challenging to ensure every employee is constantly in compliance with them. Teaching employees behaviors that demonstrate mindfulness, ownership, caution, and integrity can help to mitigate unknown risks.
These behaviors include:
· Pause. Take a moment to break the blur that is the daily routine. Stop and consider what you are doing and the potential consequences of that action.
· Question. When something is ambiguous, ask others for the correct path instead of just charging ahead and figuring it out later.
· Protect. Be a protector of the data you handle. Oversee it with the cautiousness and care with which you would want someone to oversee your personal data.
· Own. Don’t outsource responsibility. Ensure data is handled properly within your full span of control.
· Lead. Don’t allow peers to set the standard for data protection; make a choice to follow the required standards. Demonstrate that standard for others and speak up when you see someone else doing otherwise.
You might have realized these mindsets, and the interventions described to address them, apply to many compliance risks beyond data privacy. Compliance, regardless of risk area, is often more about a holistic and mindful approach to managing the risk than the specific dos and don’ts of the policies. Framing compliance training with that approach can add value to the training and facilitate not only mindset shift, but behavior change as well.