Why privacy compliance is not easy

We look at some of the reasons why day-to-day privacy compliance is not a walk in the park, and share our experience in how to tackle its challenges.

1. The law is not black and white

EU privacy law is built around eight, outcome-based principles. These principles are common sense to most people when they read them, which is a good thing. 

They can also be flexibly applied to most situations, meaning the law (at least in theory) can remain relevant without endless amounts of legislation.

The catch is that they do not result in black and white rules, which in turn means you have to think about how to apply the law in any given context. 

There is lots of regulator guidance, and a growing body of best practice experience that good advisers can draw on, but ultimately you are never far away from having to exercise your own judgment, and doing so means spending time and effort in establishing facts, options, pros and cons. 

This challenge may be business as usual for strategic commercial decisions, but can be annoying for legal issues which are all too often ignored until the last minute. The solution: wherever possible, give yourself ample time to consider the position in the round, including escalation of issues as necessary. 

2. It involves lots of stakeholders

Data is like water: it flows everywhere (even if properly controlled), so getting to grips with privacy compliance reasonably well involves engaging all of the people to whom it seeps. 

For customer data these people are normally in marketing, IT, commercial, operations, finance and customer service functions. For employee data, you obviously need to factor HR and all managerial roles in as well. If you are being really comprehensive and addressing privacy issues in supplier data too, the list grows even longer.

You also need to think about your organisation's advisory and best practice functions. Procurement, internal audit, project management and more obviously information security and legal functions all have a vital role to play.

In practice, once you have listed them all out, there will not be many corners of your organisation you don't need to touch. Risk assess them, and then decide the order in which you will go about engaging with them.

3. Policies are just part of the equation

We've illustrated the many different stakeholders with whom you may have to engage. The next question is how best do you achieve this engagement?

We see organisations time and again relying on a data protection policy, information security policy and some standard internal comms to cover everyone. Invariably this approach does not really work.

Organisation-wide policies have an important role to play but also have a big weakness: they are, by their very nature, general in their approach. So even if yours are visually engaging, concise and easy to understand (and many are not), there is no guarantee that any of your staff will understand how they relate to their day to day role. 

Without this understanding, the chance of your policies being put into practice is limited. As with the best presentations, your audience needs to be properly engaged to listen and this means adjusting your material accordingly. It may seem obvious, but what you tell a member of the customer service team about how they handle customer data has to be fundamentally different to what you tell a project management professional.

You don't necessarily need more documents to achieve this adjustment, although short form practical guides can be of help in recording and preserving organisational memory. 

You do however need a convincing and regular means of conveying a tailored message. One classic route is having privacy champions to act as intermediaries in each stakeholder department, and provide relevant reminders and context at team meetings, training and similar get-togethers. There are no hard and fast rules though; if you can achieve the right message through other means, use them.

4. You need to know your own business

Privacy compliance turns on the personal data you acquire, how you acquire it, who you share it with, where it goes and what it is used for. You need to be able to pre-empt many of these issues in order to comply (for example in providing up front privacy notices on your websites). 

So if you don't know your own organisation's mind, you will at best be playing continual catch-up, at worst creating repeated breaches which will mount up over time. 

From a practical point of view, achieving this collective knowledge requires your stakeholders to be sharing information on their current and intended future practices proactively, openly and in full; something which is easy to say but far harder to achieve across large and complex organisations. 

It is not however an issue unique to privacy compliance, so if you think your organisation is generally lacking in this area, push for solutions. They should bring wider business benefits as well as improved legal compliance. 

5. It requires a privacy conscious culture

Ultimately, achieving privacy compliance is about marshalling people to follow a series of principles in their day to day actions. Detractors and cynics will always exist, but they have to believe that, whatever their personal views, it is better for them and their colleagues if everyone sticks to the party line. 

Carrots and sticks are obviously required to assist in this process. 

The ultimate stick (other than the criminal sanctions set out in the Data Protection Act 1998) is obviously disciplinary proceedings, so your HR team and related processes need to be up to scratch. You can also factor in messages around the harm non-compliance can do to your organisation, and the potential impact this can have on reputation, revenue and jobs, to assist.

Sticks alone are poor motivators though; you need to focus on more positive aspects of compliance as well. A classic approach is obviously to reward the right behaviours through employee targets. You can also put the human side of privacy at the heart of your message and ask your staff to treat others as they themselves would like to be treated. There are many others you can consider though.

6. You will need board buy-in

Your biggest stakeholder is of course your board, and your organisational culture also begins at the top. 

You therefore need your board onside, and you need to keep them onside. Perhaps more importantly still, you also need for them to be seen to be onside. 

This latter point is not always appreciated, nor something a busy board is necessarily willing to do, but it can work wonders in focussing organisational attention, especially if your overall culture is heavily centralised. 

So, as with any other stakeholder, you need to consider carefully what message you are going to relay to your board both initially, and on an ongoing basis to generate and sustain the necessary behaviours. This message should be a carefully blended mix of background, the pro and cons of compliance (and non-compliance!) and of course, solutions to existing issues. Don't expect success immediately though. Boards are typically the toughest stakeholders to bring onside. 

7. You may need to achieve a change in your organisation's mindset

Say what you like about values, in practice when discussing the management of information, many organisations and their staff lapse into treating their customers and employees as mere numbers. 

Given the scale of some organisations this attitude is quite understandable, but from a privacy point of view it drives the wrong behaviours, in particular a common desire to manipulate data on a whim. The possibilities afforded by modern technology are a particularly strong driving force in this area. 

How can you change this attitude? Convey one key message: privacy is not about numbers, it is about people. All our legislation comes from the common root that privacy is an inalienable human right, written into the European Convention on Human Rights, and to be respected as a bulwark against the potential evils of "big brother" in all its forms. 

Not everyone will agree with this sentiment, especially when applied to organisations outside government, but in our experience, once couched in such terms even ardent sceptics do start to "get" why legislators see privacy as important, tend to toe the organisational line, and may even be willing to challenge the basis of their own views. 

8. It is about good business processes and controls

This point should come as no surprise. We've talked about culture a lot in the points above because in the absence of the right culture, people typically pay lip service to processes and controls. Culture will only get you so far though, because people always make mistakes and forget things, however innocently. In practice, as in business in general, both culture and controls are essential.

It is important to remember that:

  • Whilst some processes are unique to privacy compliance, e.g. subject access requests, many are not. Privacy compliance can therefore be about process and control evolution, not revolution. For example, compliance requires that you regulate change well, especially new sources, uses and means of manipulating data. For most organisations, this requirement translates into good IT development and IT supplier controls which should be there already.
  • It takes a broad skill set to deliver processes and controls on the ground. You may need a team of people to do so in practice, and this team may need to flex for different audiences within your organisation. Privacy compliance can probably not therefore be left just to your lawyers. 

9. Suppliers can be ignorant and/or stubborn

We'll discuss this issue in more depth in a later post; suffice it to say here that some suppliers are ignorant about how their actions can affect your legal position, some are aware but feel their business model won't stand up to shouldering some of your legal risks, and others are downright dismissive of them. 

Many suppliers also want to be guarded about their own business practices. This stance can be due to legitimate confidentiality reasons, especially trade secret concerns, but also because, pre-contract, they are engaged in a sales process, where airing unpalatable truths usually goes down badly.

This issue typically makes supplier privacy discussions time consuming, and sometimes awkward and fraught with tension. The catch is you have to get through this process to a satisfactory conclusion. If you are a data controller, you are responsible to the world for your supplier's compliance mistakes.

10. Many of the risks are low likelihood, high impact

Let's look at a common example to illustrate this point. 

You are sailing close to the wind from a legal compliance point of view if (say) you can't get a supplier of customer data services, whose information security practices are average at best, to sign up to a decent written contract covering many of the guidance points recommended by the UK and EU regulators. You will have satisfied the requirement of principle 7 (security) that a written contract is in place, but overall you are unlikely to feel confident that you have discharged the substance of your duties.

What is the risk here? You could be placed in breach of Principle 7 in the future by this supplier (the area in which the media, regulators and public are generally most agitated), but what are the chances of this happening? Even if the supplier did put you in breach of Principle 7, the potential ramifications are unquestionably high, but what chance is there of the media actually becoming very interested, customers actually leaving you and/or the ICO actually levying a fine? 

Unless you are in very blatant circumstances, experience tells us that these risks in general will be categorised as low likelihood, but high impact. Furthermore, you will be making this assessment relatively late in the day once contracts are near conclusion, a lot of preparatory ground work has already been invested, and the impetus to move to signature is strong.

Why is this an issue? High impact scenarios normally make most people sit up and listen, but when they are remote, people naturally end up in a dilemma: should your organisation be conservative and seek better protections, or gamble that nothing bad will occur and carry on regardless?

Stakeholders are typically split on this question. Those on the conservative side at best look like they are frustrating the organisation's immediate aims, at worst face potential accusations of being "uncommercial" and/or blocking major projects for the sake of remote risks. Those on the aggressive side look like they are playing fast and loose with an organisation's reputation. Heated debates can result.

This is not the "blame game" at work; it is normal commercial reality, and in most cases professionalism will win the day eventually, leading to an amicable and prudent solution. 

The catch is that risk-based decisions such as the one outlined above are not simple. To return to the theme of this post, they do not make the road to privacy compliance an easy one on which to travel. Like the other factors set out in this post, they are, however, surmountable.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.