Why data protection matters
How to make data protection engaging for others
I remember, many years ago, an exercise at school. The idea was to build confidence in public speaking. The teacher would give us a mundane object and say, ‘right, tomorrow you’re giving the class a two-minute talk on the biro or board rubber (I’m that old) or wastepaper bin. The surprising thing was how many people were genuinely good at it. One classmate had us laughing at the history of chalk, on the face of it not a particularly exciting topic. It hinged on delivery, yes, but also on explaining why an everyday object was remarkable in and of itself.
It’s entirely possible to do exactly the same thing with data protection. Two things though; (1) Data protection is usually more important than chalk, and (more controversially) (2) Data protection is more interesting than chalk!
So, if you’re a Data Protection Officer, or someone in your organisation given responsibility for data protection compliance, fear not. If you feel like you’re struggling to get people to take an interest or if you’re concerned they aren’t taking data protection seriously, you won’t be alone. The buzz around GDPR has fizzled out in the six long years since it was implemented.
It can be difficult to get traction, but the risks remain. The secret is to explain why it’s important, why it can be straightforward and (crucially) how data protection is a process to be worked with, not a straitjacket.
DPOs and privacy teams can’t do this on their own. As Claire Robson, Governance Director at the Chartered Insurance Institute says your people play a crucial role:
Data protection is all about us, as individuals. Therefore, it matters because our colleagues, customers, members, and stakeholders matter. We are in a position of trust, therefore we need to be trusted and to trust others, and if we don’t look after the personal information given to us in good faith, use it appropriately and keep it as safe and secure as possible, people could be subjected to harm. The best way to get others in the business engaged is to help them understand their rights as individuals, and the importance of their role as custodians of personal information. Ask them to put their “customer” (interchange this to suit your business!) hat on and think about it from the end user’s perspective. Most importantly, offer your support, understanding, and expertise to help them navigate through the maze of legislation and regulation, to find an end that supports the organisation to meet its purpose respectfully.
Matt Kay, Group DPO & Head of Privacy at Shawbrook Bank Ltd stresses the need to make data protection relevant to people’s day to day work:
With consumers becoming increasingly ‘tech-savvy’ and following several recent high-profile cyber-attacks and data losses, individuals are now acutely aware of the impact which mismanagement of personal data can have on their lives. Given the challenges posed and the increased regulatory scrutiny following the introduction of the GDPR, organisations must place a keen focus on compliance with applicable data protection laws. A key component of this is taking a pragmatic approach to risk management through understanding the needs of the business, the risks posed and how these impact on the rights and freedoms of individuals. Alongside this, it’s also essential to the requirements in language that your colleagues understand – make it simple, straightforward and applicable to their work.
So how can we breathe new life into our data protection programme? It can help to step back and remind people why we have data protection legislation in the first place.
Why data protection laws exist
GDPR has faced plenty of criticism for being a box-ticking exercise, but in reality, much of the legislation is about taken a proportionate approach and is based on sound principles. Principles which not just provide necessary protection and security, but also make good business sense. These principles are often based on past transgressions and mistakes.
Here’s where the point I started my article with comes in, because the reasons we have data protection are genuinely interesting (as is the Biro, Google it!). We all have a fundamental right to privacy – our customers, students, patients, employees, job applicants and so on. The ‘right to be left alone’ was written about as far back as 1890 by two US lawyers.
A key point came just after World War Two with the Universal Declaration of Human Rights including the 12th fundamental right – the Right to Privacy. It’s not hard to envisage why this was considered important in the 1940s. This is also where the concept of special category data stems from. People had been persecuted for their religion, their ethnicity, their sexual orientation and more. These characteristics needed, and indeed still need protecting.
Then came the development of rules, principles and country specific laws aimed at protecting people’s personal information and awarding people privacy rights. As technology advanced (personal computers, email, the internet, mobile phones…), new laws and regulations were introduced to protect us against new threats. Fast forward to 2018, and GDPR was seen as a game changer – not only cementing people’s fundamental privacy rights, but also making organisations more accountable for how they handle the personal data entrusted to them.
It can help if employees to see this through the prism of their own personal experience. We all have privacy rights and share data about ourselves with multiple organisations often in return for products or services. How do we expect others to look after our personal information, personal details of our children, our parents, our grandparents? Shouldn’t we apply the same standards to the personal data our organisation holds about others?
Let’s look at some core requirements under data protection legislation, and how we can ‘sell’ their importance.
Why data protection risk assessments are important
Yes, a Data Protection Impact Assessment (DPIA) will be mandatory for high-risk processing, a yes, they can take time to complete. But used well DPIAs are a really useful risk management tool. Started early, they’ll alert teams to potential risks before they materialise. Preventing unnecessary issues further down the line. DPIAs protect customers, employees and anyone else whose data is being handled, as well as protecting the organisation itself.
Why a Record of Processing Activities is not a box-ticking exercise
Yes, many organisations will need a Record of Processing Activities. Yes, there are a lot of fields to complete. BUT without a record of what data you hold, what it’s used for, what systems it sits on etc. it can be difficult, from the outset, to meet your legal obligations. How can you protect data you don’t know you have, or where it’s located? Also an up-to date ROPA has the following benefits:
✔ Data breaches – a RoPA helps you to quickly locate the source, the systems, the data affected etc.
✔ Retention – a RoPA helps you to clearly flag data which is no longer needed and can be deleted.
✔ Privacy notices – if you don’t have a clear record of your purposes for processing, your lawful basis and the suppliers you use your privacy notice is unlikely to provide a true reflection of what you do.
✔ Privacy Rights – a RoPA helps you to identify necessary search criteria for Data Subject Access Requests (DSARs) and helps locating data for erasure requests.
Why the right of access (aka DSAR) should be respected
Data Subject Access Requests can be time-consuming and sometimes downright tricky to fulfil. But let’s not forget this right empowers all of us to ask organisations what personal data they hold about us, and why. It gives us a level of control over our personal data. Where would society be without the power to exercise our legal privacy rights? While your staff may be handling requests, one day they might have a genuine wish to exercise this right themselves.
From a more straightforward point of view, DSARs also serve to remind us of the importance of good customer service. Happy customers seldom submit requests for a copy of their personal data!
Why data retention is important
There’s a legal requirement not to keep personal data longer than required under GDPR. Yes, this means having to have a retention schedule which is actually implemented in practice (tricky I know). There are also other solid benefits in meeting this core principle. Remind people of the risks of over-retention, or indeed not keeping personal data long enough:
✔ The impact of a personal data breach could be significantly worse if personal data has been held on to for too long. Affecting more individuals, potentially leading to more severe enforcement action and raising the prospect of increased complaints (more DSARs and erasure requests!)
✔ Certain personal data may need to be kept to meet contractual or commercial terms. The associated risks in not keeping this data include difficulty responding to complaints or litigation from customers, or regulatory enforcement.
Why privacy notices are important
We recognise the privacy notice is the Siberia of your website – uninviting, cold and seldom visited. But essentially it is your shop window. Done well a privacy notice clearly demonstrates your commitment to taking data protection seriously, and may be an indicator of how you act internally. Those who do take a peek may discover it’s not fit for purpose. That’s probably why they strapped on their snowshoes in the first place! This could be someone set to launch a complaint, or another business running due diligence. Your privacy notice is likely to be one of the first areas of scrutiny if subject to regulatory scrutiny. Details matter.
Why robust supplier management is important
Supply-chain breaches are becoming common. Too common. It can be helpful to remind ourselves why it’s important to make sure contractual terms with our processors are robust. This helps protect all parties up and down the supply chain.
When people give you their personal details, they are entrusting you to look after them appropriately. When you allow another company to access this data in order to provide you with a service, you’re exposing them to risk. GDPR requires organisations to put an agreement in place which protects individuals whose data is ‘transferred’ in the event your supplier suffers a data breach or otherwise violates the GDPR.
Think about an external payroll provider – all employees will want their data to be protected and for there to be legal recourse should something go wrong. Ultimately the law is in place to enshrine and fully protect the rights of individuals in all situations.
Making data protection relevant
Gerald Coppin, Deputy DPO at Springer Nature London says it’s important to make your people aware of the real-world implications should matters go wrong:
To engage others in the business, those in data protection roles can start by highlighting the real-world implications of data breaches. Sharing case studies and statistics about breaches that led to significant financial and reputational damage can serve as a wake-up call. By illustrating the potential consequences of negligence, data protection professionals can make the issue relatable and urgent. This approach helps colleagues see that data protection isn’t just a box to check, but an integral part of their daily responsibilities.
Gerald also suggests bringing data protection alive through games or competitions:
Incorporating gamification into training programs can also pique interest. By turning learning about data protection into a game or competition, organizations can foster a more engaging atmosphere. This approach not only makes the learning process enjoyable but also reinforces the importance of attention to data privacy in a memorable way. Recognizing and rewarding employees for their commitment to data protection can further encourage ongoing participation.
Policies, training and awareness
Data protection training plays an important part in getting core messages across, as long as the training content itself is engaging and fit for purpose. Policies and procedures play an important role as long as you make sure they’re easy to read and at hand to reference. For me, though, the key is raising awareness on an ongoing basis. This needn’t be too time consuming, but sharing internal near-misses and external cases which will resonate with your people is more likely to foster engagement and keep data protection top of mind. Share reminders in different formats, via the intranet or email newsletter. Experiment!
Ultimately as Robert Bond, Senior Counsel at Privacy Partnership Law says, we are all legally obliged to take this seriously:
Whether you are a UK business or a multinational, compliance with data protection law is essential, if not mandatory. Having an appropriate compliance programme demonstrates accountability and coupled with training helps to minimise loss of control of personal data. Remember that if data is the new oil of the internet, please don’t have a gusher.
Right, where’s that wastepaper bin? I’m doing a quick chat on the subject. Did you know bin collections were first suggested to English local councils in 1875?
As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.