Leaders: win by respecting your customers, and their personal data...and don't forget your employees
Tim Clements
Helping global data protection leaders turn digital complexity into clear, actionable strategies
Privacy focused culture
Does your organisation have a culture that respects personal data in every aspect of its processing? I mean "living and breathing" respect for the rights and freedoms of the people who entrust data about themselves to your organisation.
We're talking beyond "protection" and beyond "compliance". For many organisations, personal data fuels the business and for some it's a business imperative to squeeze out every last drop even if it means compromising the respect for the individual - their rights and freedoms.
Questionable practices
Aside from the big cases currently stealing the headlines, there is no shortage of other examples of questionable practices being followed.
It was widely reported a few months ago that some airlines use an algorithm to intentionally split up families who do not pre-purchase seating on a flight.
Remember, somebody working in, or associated with the airline thought this was a great idea.
Somebody else approved it.
Then a team of people worked to implement it.
And there are no doubt some metrics being reported to someone else on how much revenue it generates.
Or how about the service that provides parents with automated risk ratings for potential child minders? It scores risks associated with potential drug use, bullying, bad attitude and disrespectfulness (among other parameters) by scanning their Twitter feeds, Facebook pages and Instagram posts.
Organisations must live up to the principles of data protection legislation (lawfulness, fairness and transparency, purpose limitation, data minimisation, etc.) and although some may be able to demonstrate compliance, many are obviously still not doing the right thing. This is despite some other very specific requirements for organisations to consider negative impacts on individuals, such as DPIAs and Data Protection by Design and by Default, but in my opinion these do not go far enough.
Engraining "respect for personal data" is not easy
It goes beyond having neatly written policies and procedures. It goes way beyond training and awareness. It goes beyond having a network of "privacy champions" in all departments.
It requires mindsets to be changed at all levels of the organisation wherever the processing of personal data is concerned, so that people instinctively ask the questions "is this right?" and "is this fair?"
In a previous article I wrote about the absolute must of having the right "tone from the top". Respect must be embedded in all levels of leadership and management, and it must be engrained across the workforce who are involved in, or depend upon the processing of personal data.
It will be worth it in the end because of the opportunities available to differentiate your organisation from competitors: enhanced reputation and increased brand value. (Aren't those also typically listed as "key risks" in your risk log?)
How do organisations truly achieve "respect for personal data"?
Engaging people with organisational change management competences is essential, as they have the knowledge, techniques and experience to help facilitate the change, but it can only occur after other essential mechanisms are established. For example, having a Data Protection Strategy is another "must", as is ensuring it is aligned with existing business strategy and business objectives. This then must be cascaded and embedded in individuals' performance objectives, values, behaviours, etc. (top to bottom), essentially their daily work.
Living and breathing respect for the personal data fuelling the business.
The key "must"
The principle of respect must be given the same level of focus and attention that is given to the achievement of business objectives, in some organisations simply known as "winning". Remember, personal data fuels the business, so respect and knowing what's right and wrong must be part of the equation. If the focus and attention is missing or is allowed to erode away, the hard work will be wasted.
Don't forget your employees
No matter whether you are a global corporation with hundreds of thousands of employees or an SME with a smaller workforce, comprehensive data protection legislation such as the GDPR places obligations on your company to protect the rights and freedoms of your employees.
If you are working for a global company and have operations or offices across the world, you should not assume that a level of protection (or nature of processing) that is appropriate in, say, Denmark or the UK will be acceptable in another European country or region of the world.
This is especially relevant where you may have offices in countries with repressive governments, where risks to the rights and freedoms of your colleagues may be higher, and with more severe consequences.
Consequences could involve physical abuse, torture, persecution, and not just to your colleagues, but also their families.
When scoping a risk assessment or DPIA, remember to take other perspectives into account. Conducting a PESTLE analysis will help draw out factors you may need to consider as part of the risk assessment; the political and social perspectives will be highly relevant.
Quick and easy tip to see who gets it
It is often possible to get a quick feel for whether an organisation treats data subjects and their data with respect. Without leaving the comfort of your office or armchair, take a quick look at the privacy notice on your organisation's website, or a competitor's.
- Is it understandable from a layman's perspective? Or is it a page of legalese that was most likely written by a lawyer who is probably more interested in protecting the interests of their organisation rather than your rights and freedoms?
- Does it reach out to you and give you comfort that your data is in the right hands or is there a feeling of deception?
- Does the tone and style match other pages on the website or does it resemble one you've seen somewhere else and is so generic that it's obviously a cut/paste and find/replace?
As privacy notices are public, easy to access and one of the easier privacy tasks to complete, I'm puzzled why organisations don't pay more attention to them. If an organisation doesn't get the simple things right, what's happening behind the scenes?
Does this resonate with you?
I help global privacy leaders develop their data protection strategy and roadmap aligned with business purpose and business goals. Establishing a privacy-centric culture is a vital element of the strategy.
Interested? Let's get on a call this week. I'll outline the approach in more detail.
Passionate Information and Project Management Professional
5 years ago: This article really resonates with me. I have close family members who were split up on a flight where one child was literally a babe in arms, so they needed to be together from a support perspective. Very shocking to now learn that it could have been deliberate. What also comes to mind is even the mindsets of the fellow passengers: there was no compassion and wild assumptions around the split. No one even wanted to move to allow the family to sit together. Why do I say all of that? Because even as regular citizens we subtly encourage questionable practices for our own comfort and we do not consider the long term implication of picking and choosing what we consider to be the ethical application of the use of data.
Conducting AI Risk Assessments, PIAs| Building privacy management programs| AI & Privacy Engineer| Lecturer, Instructor & Advisor| University of Toronto SCS| Digital Governance, Risk & Privacy Coach| Opinions are my own
5 years ago: Hi Tim! Great article: it strikes me that we should start advocating to companies what the best outcome of using personal data is, how to wow customers in this culture of greed. It occurred to me we haven't been asking for the moon yet and we should; we might catch a star now and then!
EMEA Senior Business Analyst
5 years ago: You've excelled yourself with this article Tim! Your message is beautifully summarised in the sentence "It requires mindsets to be changed at all levels of the organisation where the processing of personal data is concerned - instinctively asking the questions "is this right?", "is this fair?"" To achieve this mindset change is hard but incredibly rewarding, as it needs the consistent and ongoing challenging of engrained thinking, behaviours, belief systems and assumptions.
Helping organisations with their Data Protection and Information Security needs.
5 years ago: Nice, informative, well written article as usual Tim.
Privacy & Data governance @Datavant. Exited Founder of Trace. Dual qualified in Privacy & Cyber Security Risk
5 years ago: Well written article, neatly and concisely capturing some incredibly important points about a potentially dry subject (for some, not for me) in a very relatable way. Great data protection thinking is about lifting the issues up above the detail of regulation into the sphere of ethics, brand and business strategy, and you have done this. This is how we get engagement with the subject, thank you.