
The pain of GDPR compliance and its long-term effects

by Jason Cobine
9th Oct 2018

Jason Cobine mulls over the GDPR compliance challenges facing organisations across the country and asks what policies and thinking should be put in place to change the way people think about data.

GDPR has no exemptions that organisations I work with can rely on; perhaps for the first time with data, we are all in it together.

The challenges facing organisations trying to comply are magnified by the amount of fake news surrounding the regulation. I haven’t been surprised by the feeding frenzy from those trying to cash in, yet I am somewhat alarmed by the number of ‘experts’ on this untried legislation. I understood that it took 10,000 hours to become an expert in something, and I’m wondering how the experts managed that. C’est la vie.

What truly concerns me is that this is a massive cultural change and I fear that the policies being written and disseminated are not going to empower the people that need to deal with data on a daily basis.

During my 29 years in the field of risk, insurance and business continuity, I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure employment or contracts can be terminated rather than actually encouraging people to comply. I realise that this is partly due to legal precedent, yet motivating people by fear is far weaker than motivating them by other means.

Having listened to many people and taken in copious amounts of information, I think that the feeding frenzy has prevented people from understanding the mission of the data regulators. They want organisations to be careful with data and to respect the wishes and privacy of people like you and me. It is not a lot to ask, yet achieving that aim is undoubtedly awkward. It is a lot less awkward if the culture of an organisation recognises this.

I have a nagging doubt that people will not be motivated to do the right thing if they are told off or disciplined when they make mistakes. I’ve seen many policies that tell people what to do yet they are rarely allied with the cultural piece. Even rarer is the right level of education and reinforcement that motivates.

The deadline will come and go yet the mission of the regulator is not going to be achieved if the culture of blame continues to be the most pervasive in organisations.

One issue that no-one seems to have thought about is the way salespeople treat data. Disputes over who owns it are common, especially with the rise of online networks. Roughly 50% of salespeople take data with them when they leave one organisation for another. When this happens there are at least two companies in breach, and the individual has broken the law. It is theft, after all.

The existing regulations state that this shouldn’t happen, yet half of those people think it’s OK to take the data when they really know that they shouldn’t. It could be argued that the policies that discipline people have worked, because they have stopped the other half from doing this. Yet half is not enough. At the very worst, it should be a single-digit percentage.

So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour.

What can be done? A new type of policy is required. Naturally, it should start at the top of an organisation. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. It should reward people for doing the right thing. It should be something that everyone is reminded about, but not beaten up over.

I built my business from scratch without pilfering data, so I know how hard it is. Yet it was a cultural decision that has proved correct.


Replies (2)


By CJMaslen
10th Oct 2018 10:22

Auto enrolment, GDPR, health and safety, new or expanded regulations ad infinitum all have a shared effect. They spawn an immediate industry of experts eager to cash in. The costs of doing business are increased and more and more time is devoted to administration instead of doing the job.

Thanks (2)
By Locutus
21st Oct 2018 13:20

GDPR, whilst well intentioned, has been a huge waste of time, sadly including several hours of my own time.

Across the country, hundreds of thousands, perhaps even millions of hours have been spent drafting privacy policies for the sake of it, that have little effect in the real world.

I can’t see that data is much more secure now than it was before. Consumers just automatically click “accept” to the privacy policy buttons that increasingly appear on websites, as it is yet another lengthy “terms and conditions” statement not to read.

Data will still go missing, as it did recently with BA and employees will continue to remove data from their companies, as they have always done. Rogues will still ignore data protection, as they have always done.

Policy makers really need to get away from the culture of, just for the sake of it, making well-intentioned but impractical legislation that protects few.

Thanks (0)