Data protection leaders: compliance without carrots or sticks
Tim Clements
Helping global data protection leaders turn digital complexity into clear, actionable strategies
Frustration all round
During a recent meeting with a potential client, the phrase "our employees are tired of hearing about GDPR" came up a few times. The client went on: the policies and procedures implemented over the past couple of years were now largely ignored.
The lawyer who was responsible for data protection felt her department was in control but was frustrated with the rest of the company. So much effort and resources consumed over the previous years, yet the data protection framework they had implemented appeared to be ineffective.
Many parts of the company were back working in the "old way."
A manager from IT was also in the meeting, and he spoke about the lack of "enforcement" and said words to the effect of "if my boss isn't interested, why should I be?"
Enforcement? Times are changing
For many years, some organizations used a carrot v stick strategy to enforce their internal policies and procedures; in other words, reward (for following the rules) v negative consequence (for not following the rules). Times are changing, and organizations must motivate their employees to live up to data protection policies using different approaches, and ensure that the motivation and the needed controls are baked in to organizational systems and frameworks - Data Protection by Design.
Get it right first time
I'm certain similar discussions to the one I had recently are taking place in other organizations across parts of Europe, although in some sectors, especially those already under a GxP regime, the challenges are far fewer.
While technical controls and automation (e.g. retention/deletion, DLP, etc.) can help achieve compliance with some policies, the ineffectiveness of the "manual" framework elements is often rooted in a poor or missing Data Protection Strategy and an inadequate data protection lifecycle and framework, often followed by a botched implementation.
In the following rough and slightly messy soft systems diagram recently sketched for a client (and later enhanced), I attempt to outline some key elements, touch-points and interactions. Much depends on the social interaction of people in your organization from top-to-bottom:
Note: the above rich picture is mostly applicable for B2Cs where personal data often fuels the business.
For some, the initial desire and decision to be "minimally compliant" and generally do things on the cheap is starting to expose those organizations with weak frameworks that have no robust foundation or embedding, let alone alignment with the existing business strategy, mission, values and behaviours.
It's all well and good to write about what should have been done, and that organizations should have "got it right first time," but that does not help those organizations already in a mess. They need to identify the weaknesses and gaps and then prioritize the repair and improvement work, typically using a robust program capability maturity model as a reference point (more about that in a future article).
Factors to consider
Organizations do not need to start from scratch - there are plenty of existing frameworks and standards globally available that can be used for inspiration, adapted and scaled to suit requirements. The keyword here is "adapted" - this is often hard work. However, some current organizational factors can help or hinder. Here are a few.
- Alignment with existing business strategy
All organisations need a Data Protection Strategy. Start by understanding the importance of personal data in your organisation. Is it fuelling your business? Do you have a large workforce? Do you need to attract top talent? What other laws and regulations may be applicable to your organisation?
Align your Data Protection Strategy with the relevant elements of your business strategy, your organisation's mission and vision as well as values and behaviours.
Consider whether an ethical approach could be relevant to your organisation. Not only could this be a good business opportunity but employees are often motivated if they see their employer "doing the right thing" and understand that they are part of that equation. See my earlier article "GDPR: what is your Data Protection Strategy?" from May 2017 for more detail.
- Clear and realistic policies
Have policies written in a clear, unambiguous manner consistent with your "company voice." They must focus on what’s important and not trivial matters. They must be action-oriented, realistic (not aspirational or fairy tales), measurable and testable. Your employees must be able to understand the context and see what's in it for them. Your policies must motivate your employees and not frighten or confuse them. Your policies must engage their hearts and minds.
No legalese please. The legal department should not normally be writing the policies - unless they have been on a creative writing course, or your organisation is a law firm!
- Start-ups, creatives and innovators
Existing organizational culture can sometimes challenge or create resistance towards policies. This is widespread in creative and innovation workplaces, where the notion of "we don't need rules" is often lived and breathed by the executive team themselves. In these environments, a solid understanding of existing work practices is needed to identify risk scenarios, which can become part of the storytelling to the teams as to why policies are needed and the ultimate business benefits to be gained. Involve the teams and colleagues in defining the policies and "the rules" that they'll eventually be owning.
- Empower your teams to document procedures
Procedures (the how-to) underpin policies. Avoid writing them yourself. Educate and/or train the individuals who'll be using them, or who will be responsible for them, and then ensure they are involved in defining and writing them. They will feel empowered and trusted, and ownership will sit at a local/team level.
Where feasible, implement the procedures on an ongoing basis and get people working with them as soon as possible. This is important because people can typically only absorb so many changes at any one time. Implementing "piecemeal" introduces changes in small chunks and enables a "rhythm of change". This provokes continual awareness and the chance to get regular feedback from the teams - valuable from a quality and effectiveness perspective. Implementing everything at once with a "big bang" has become an outdated concept and is inherently risky.
When implementing procedures, make use of RACI matrices that clearly articulate expectations, roles and responsibilities:
- Build on existing compliance culture
Depending upon your industry sector and jurisdiction, pockets of "compliance culture" may already exist. You may have colleagues who have already embedded practices around Corporate Social Responsibility (CSR), Anti-Bribery, Anti-Money Laundering (AML) or Business Ethics, to name a few areas. Reach out to them for potential alignment tips and advice.
Health and Safety (H&S) regulations have been around for a long time, and many organizations continually work hard to live up to their obligations.
Admittedly, H&S does vary from one country to another. For example, in Denmark, the focus on H&S is generally not as strong as in the UK.
A few years ago I facilitated some workshops at the UK office of a Danish multi-national and was quite taken aback by the strong culture around H&S.
As a guest, my day started with a fire precautions briefing. I was reminded to use the railing while climbing the stairs, and an employee chased after me when I walked away from the coffee machine without a lid on my coffee cup - lots of signs around the building and a motivated workforce.
- Cross-cultural (mis)understanding
Establishing a policy framework in a multi-national organization adds further complexity. Discussions around Group v local markets involve many factors such as local management autonomy, local culture, threat levels, market knowledge to name a few.
Local workforce culture often differs from the Group. For example, if employees are accustomed to giving their credit cards to a colleague at lunchtime to buy their lunch or withdraw money from the cash dispenser, you’ll be challenged when trying to implement some “safe behaviours.” I experienced this very scenario in an east European country late last year.
Local culture also plays a significant part when communicating an organization's "risk appetite". This is a highly relevant topic, considering how many organizations follow risk-based approaches to address data protection legislation. Agreeing, documenting and communicating risk appetite and risk tolerances starts at executive level. Alignment between the Group and local markets must be consistent and must address variations such as local culture, local threats, local operational setup, etc.
- A meaningful workday
Organizations must also provide those employees involved in handling personal data with meaningful or motivating tasks. If the work is tedious and boring, an employee may find their day can be made more interesting by doing things they shouldn't be doing. In the UK recently, a receptionist at a doctor's surgery was discovered accessing the health records of friends and family. Policies were in place and adequate training had been given. At the trial, the receptionist claimed her daily tasks were monotonous. All it takes is "motivation" (I'm bored) and "opportunity" (I have system access).
- Other important factors to consider
- As a Data Protection leader, get out of your office and walk about in your organization. Ask employees questions, seek feedback, be on hand to help, clarify or address issues. Discuss the relevance of their work in the bigger picture of how personal data fuels the business
- Establish feedback loops across the organization to deal with improvement suggestions or issues such as resistance or errors – keep your door open if employees need clarification. Show gratitude for any contributions, and thank your employees for making them
- Make it easy for your employees – where appropriate, provide the tools they need to live up to the policies
- Provide regular and refreshed role-based data protection education and training for employees and contractors using innovative methods such as gamification
- Run frequent data protection awareness campaigns across your organization targeted to specific departments when policies and procedures change, or new ones are introduced
- Executives and senior management must be seen to be living and breathing the policies. I’ve written about Tone from the Top in my earlier article "Leaders: set the right 'tone from the top' to help your data protection program succeed" from February 2018.
- Ensure regular policy reviews take place to address change factors such as business strategy changes, new threats, technology evolution, societal change, implemented improvements
- Embrace assurance reviews and audits. Ensure risks are addressed appropriately and followed up
- Lastly, if following an ethics-based approach you'll typically be aiming to go beyond compliance. Read about the mindset your employees need to attain in my earlier article from February 2019 "Leaders: win by respecting your customers".
Does this article resonate?
I help data protection leaders assess and improve their data protection program capability.
Interested? Message me and let's get on a call and I'll outline the approach in more detail.
Owner, MICRORÉGIO-SOLUÇÕES INFORMÁTICAS, LDA
5 years ago: An excellent article that clearly demonstrates what goes on in organizations regarding the subject of personal data security but also other issues where it is necessary to implement rules and procedures. There is no doubt that it is necessary to involve the whole team in the creation of rules and new procedures in order to involve them and to commit them to their fulfillment.
Reducing and managing cyber and information risks and driving continuous improvement
5 years ago: An excellent article that resonates on so many levels. It's good to know others are experiencing similar things. Thank you very much.
Program Manager, Compliance at Google
5 years ago: Great article. Wondering if you made the artwork too, because it's beautiful.
Global Employee Relations Director and Human Resources Business Partner
5 years ago: Great read!
Partner at Satcheki & Oliveira Advogados Associados / Legal Executive / High-Volume Litigation Manager / EXIN Certified - PDPE
5 years ago: Ana Carolina Pimentel de Oliveira Cruz (POC)