When we decided to use our experience in Compliance and Data Protection to set up our own Data Protection support business, we did this for more than just making sure that organisations comply with data protection laws. Our belief is that companies shouldn’t protect their customer and employee data just because a regulation dictates it, but because they have a responsibility to those individuals whose data they process.
This is a real shift in mindset for some organisations, particularly those who, prior to the introduction of GDPR, adopted a risk-based approach to Data Protection knowing that the maximum fine was nowhere near the fines that they could receive from other regulators. Helping people to shift that mindset from one of “doing it because we have to” to one of “doing it because we want to” is the first step on the journey to compliance.
It was Aristotle who said “We are what we repeatedly do. Excellence, then, is not an act, but a habit” and we believe this to be true for organisations trying to comply with Data Protection. Build it into the mindset of the employees and those who take care of the data; make it a habit, rather than an act carried out because a process tells you to “send securely” or “check the accuracy of the data”. Doing this ensures that all your employees will naturally think about data protection upfront and stops it becoming a tick-box exercise or an afterthought, as we have seen so many times in the past.
It is a cultural shift and, having worked with large organisations, we know that changing that mindset and behaviour is a challenge, but with the right attitude and belief from the top that people’s data should be treated with respect, you are well on the journey to data protection compliance.
Training sessions, managers challenging bad behaviours within their teams, data protection champions woven into the fabric of an organisation, and building Data Protection into existing frameworks (like performance / bonus objectives) are all simple ways to start changing that culture. You must also recognise that this isn’t a one-time thing; it is an ongoing activity that you must continue to work on and develop on an enduring basis.
There is still a long way to go in terms of attitudes towards data protection, but the more we dive into the digital world, where our data is everywhere and we are being profiled by organisations to understand what kind of sports we play, what type of cheese we like or whatever it may be, the more people understand about their rights and how their data is being used.
We want to ensure that people understand their rights and how organisations treat their personal data. While we do still have a long way to go, we’ve seen a shift in individuals’ understanding around Data Protection, with the number of complaints the ICO receives substantially increasing and organisations taking greater responsibility by reporting more breaches to the ICO since the introduction of GDPR, although some of this could be attributed to the mandatory aspect of breach reporting in certain high-risk situations.
Data, without doubt, has become a currency and will continue to be so as organisations collect more data, profile more consumers, buy data in from other organisations or sell data to another organisation. With GDPR’s focus on putting the consumer in the driving seat when it comes to their data, organisations should see this as the opportunity to get control of the data they hold and treat it with the respect that you would expect your own data to be treated with, regardless of whether or not a regulation forces you to do so.