In the world of data protection and privacy, you need to be careful how you use the C word in polite conversation.
A note from the author: You may have read elsewhere on these pages that we are just a bit sceptical of the notion of "compliance" with GDPR or the Data Protection Act. Some people have taken me to task about this, so here is an article which clarifies my experience and thinking on the topic. So many businesses were sold on the pig-in-a-poke notion of "compliance" in the run-up to GDPR being implemented. It is clear nowadays that compliance on its own just doesn't work. This is my view on why that might be. Treat it as a starting point for a discussion, rather than a definition. Obviously this is based on my own experience. It would be interesting to take it further.
Allan Simpson - Responsible Data Use
As you read through the sales blurb created by most privacy management software providers, law firms and consultants, you’ll see them using the C word constantly.
Of course, there needs to be compliance with data protection and privacy regulations; what would be the point of them otherwise?
Yet you need to understand this:
The world of data protection and privacy moves at pace. It twists and weaves. It can be difficult to define exactly what some parts of the regulations actually mean. Which means you can be compliant with the regulations for as long as you think you are. And until the ICO or a court of law tells you, “You are not”.
Senior managers and owners like the notion of “compliance” with a regulation. For them it often means a tick box exercise, the results of which can be placed in a box file and promptly forgotten about.
However, in terms of the GDPR and the Data Protection Act, it just doesn’t work that way. You see, in terms of data privacy and protection, compliance is a fleeting moment.
If you measure compliance with a regulation in terms of passing your latest compliance audit, you were compliant at that time. You may not be compliant the next day. The world of data protection and privacy moves at pace, remember?
Your organisation also changes shape regularly. People come and go. When they go, they take their skills and knowledge with them. When they arrive, they bring knowledge, skills and behaviours from other places with them. This can be a good thing. At the same time it can be like plugging a 110 volt hairdryer into a 240 volt socket. It may produce something other than the desired result.
So how does “compliance” work in the context of a constantly moving regulatory and practice environment rubbing alongside a constantly evolving organisational structure? Compliance today does not guarantee compliance tomorrow. What can you do about it?
The first thing you can do is understand that in the context of data protection and privacy management regulations, Compliance is actually only one part of an equation. A simple equation that looks like this:
Readiness = Compliance x Sustainability
In the real world of data protection and privacy, the best you can hope for is Readiness. Readiness means supporting your compliance efforts with sustainability. Readiness is a rolling measure of your ability to cope with the demands of data protection and privacy regulations.
It is the product of two parts: Compliance, which we have just been discussing, and Sustainability which we are about to discuss.
If compliance is an observed status at a particular moment in time, Sustainability is what keeps it alive and relevant to other moments in time. If Sustainability is starved of resources, Compliance will quickly wither and die.
On the other hand, if your compliance efforts are sustainable and suitably resourced, it means that whenever someone turns up to observe the status they see "compliance". At least, they see something as close to being compliant as you can reasonably expect.
Some of the components that make up sustainability:
- (they describe the processing)
- Training (the availability of)
- (they are the processing or set the context of the processing)
- Sales (cash in – resources to support) (most other components = cash out)
- Privacy Management Budget
- Reporting – Plan-Do-Check-Amend cycle
You can see there is much more to sustainability than meets the eye. Perhaps this is one reason why so many compliance focused efforts have failed recently.
You can quantify compliance using an assessment or a gap analysis.
It is simple to decide if something is compliant or not.
You either have a means to demonstrate compliance or you do not.
You have a policy about something or you do not.
Someone has been trained to do a task or they have not.
Let's take that last point, training, as an example. You will have a record of training to support the fact of the training. Whether or not the training was of any use and is actually implemented by the person, their supervisors or management is another matter entirely. You have a verifiable system for doing X and a written procedure for doing Y.
All good stuff which helps you to verify compliance. And you should.
The measurement of compliance activity is, as we noted above, simple. It is either there or it is not. It is either being done or it is not. Of course, that act of audit or inspection itself might be complicated and need specialist skills and insight, but the outcome can be usefully illustrated with a tick or a cross and perhaps an explanatory note or a suggestion of remedial action.
If a procedure is not being followed, the results will show up in the procedures which depend on it. You would like to think there would be a self-fixing or self-reinforcing mechanism in such cases, where changes in the desired outcome are noticed: things cost more to produce, sales conversions fall, costs of sale increase, failure rates rise, and so do complaints.
It would be nice to think these would feed back to inform or illustrate the compliance status.
The fact that it usually takes an audit or inspection to take place before many organisations realise something is being done in a “non-compliant” way suggests not.
The overall measurement of sustainability is much harder to do. Some of the issues involved lend themselves to being quantified with raw numbers, whilst others rely on our ability to qualify them. On the plus side, the qualifiable ones can be identified using a strict audit, in that you are either doing them or you are not.
What can you measure from the following?
- Retention of knowledge and skills
- Distribution of knowledge and skills
- Sales revenues – Compliance doesn’t recognise how cash resources are created to support your data protection and privacy management obligations. Sustainability does.
- Profit margins
- Cash flow
- Privacy management budget expenditure
Let us take a look at what each of the sustainability factors means.
Instead of using the ubiquitous, “we take the protection of your personal data very seriously”, business bosses who genuinely care will nowadays talk about their approach to personal data protection and privacy.
The outdated, “we take… very seriously” translates roughly as, “we have nothing but contempt for you”. It is so much better to talk about the things you do which really matter.
You want to be trusted? Then be trustworthy. This has a close relationship with the Ethics component noted below but must not be confused with it. Trust is granted to you by other people; Ethics is what guides your behaviour.
Demonstrate, inside and outside your business, that accountability for every action involving personal data is important to you.
Your team will take their cue from your leadership. If you behave as though data protection and privacy really matters to you, it will matter to them.
People still need to be motivated to do things the right way. Demotivated employees will find short cuts and workarounds. They might also keep incidents to themselves. Keep your team motivated.
Being able to access help, support, advice and resources to support your privacy management project will help to keep it running. If you block access or make it difficult, you add friction that prevents things from working as effectively as they should.
Your processing needs to have an ethical foundation. In other words doing the right thing with the personal data you use. You may have heard the expression “moral compass”?
This is your overall organisational capability. It is built upon the individual capabilities of the people who walk through the door every day and leave again at night. Other capabilities are provided by 3rd party vendors who carry out specialist data processing on your behalf.
You recruit people with knowledge, and you train people to give them knowledge. It makes sense then to let them put it to work for you when you employ them. Knowledge underpins your overall understanding of what is really going on. Knowledge is practical intelligence about privacy, data protection and other related issues in the context of not just your own processing operations but your own wider business and competitive environment.
Skills in this context means dexterity. In the sense of data protection and privacy skills, you might relate to this in terms of how the knowledge and intelligence is deployed by the people in your business to the benefit of you and your data subjects.
Seeing what is happening is an important line of defence for you. An organisation that doesn’t observe won’t stop mistakes from becoming incidents and developing into full-blown breaches.
Your team needs to have confidence that they can deploy their knowledge and skills in the right way, supported by supervisors and management.
How do you get to Carnegie Hall? You won’t become good at this stuff if you don’t practice it. This isn’t some ticky-box exercise you can do once then park it in a lever arch file until you retire. This is a living, breathing, active part of your business. It will reward you if you take it out and play with it from time to time. Practice helps everyone to become familiar with the processes, issues and problems involved. It also means people get used to reporting and handling things like incidents and DSARs. Practice breeds confidence.
A regular review of what you do is an important part of any privacy management operation. Reviewing decisions. Checking procedures. Looking for changes and unintended consequences.
There should be scope for curiosity. People are curious. They want to try things, they do have questions. Encourage this in the right way so they know where the boundaries are if they want to experiment. Also if you are to take advantage of curiosity there needs to be an open and frictionless way for people to ask questions.
Sales revenues are the tangible, measurable results of effective marketing. Marketing and sales are critical building blocks of your privacy management programme. Sales means “cash in” to your business, whilst every other aspect that we’re considering here involves cash going out. If there is not enough cash, you are going to have a sustainability problem. If you have a sustainability problem you will soon have a compliance problem too. Effective data protection and privacy management can create the conditions where you can make more sales. The GDPR / Data Protection Act 2018 can actually support your ability to make more sales if you let it.
Make sales at the right profit margins. Avoid the temptation to discount to win new customers at the expense of your margins without at least trying to leverage the value in the data available to you first.
A sale is not a sale until you have the money in the bank. You can’t invest in effective privacy management unless you have the cash resources to do so. There needs to be a strong emphasis on getting cash in.
Who is responsible for making all this happen? Top level management, such as board directors, are regarded as the data controller. This is where the privacy management buck stops. Yet management responsibilities can and should be distributed throughout your organisation. Some sort of planning is needed. Just what sort of planning is appropriate depends upon your organisation. Some businesses need deliberate planning, in others planning is best described as “emergent”. That’s OK. We already know the world of data protection and privacy can change at very short notice. Emergent planning, tackling the issues as they appear, might be the best way to deal with this problem. Either option is better than having no plan at all.
Simplicity aids implementation. We’ll look at implementation shortly. Whatever management protocols you put in place they need to be simple. Otherwise there is a risk they won’t hold the attention of managers for long enough. Yet these protocols need to be sophisticated enough to manage your support for processing personal data. So they need to be just complicated enough to handle the job in hand. And no more than that. Data protection and privacy can be a complicated subject. It changes all the time. The law of requisite complexity applies: Just complicated enough to deal with the issues. No more. Keep it as simple as is practicable.
How do you make sure things are going as planned? How do you exercise control over your processing of personal data? There is a need for management to be in control. This is part of the Accountability principle. If you’re not making sure a procedure is followed or a policy is being obeyed, who is? How do you exert control?
There needs to be a privacy management budget. It is there to stop you overspending on data protection and privacy and at the same time it is there to ensure you are deploying appropriate resources to support your data processing. Again, this is part of your accountability.
This is all about execution. You can have all the data protection policies in place and even have people around who can recite the text of each regulation involved. That’s all “know why”. What you need is “know how”. In the context of data protection and privacy it is often the case that you need to develop your own know how. Know why won’t get your data mapping or your vendor assessments completed. Know how can.
Make sure things are actually working. Guard against unintended consequences. Whatever you have planned, you need to implement it. Whatever you implement needs to be checked. If it’s working as planned, carry on. If it’s not working as planned, amend it and try again. You may have read about technology businesses learning how to “fail fast”. There is no reason why other businesses can’t learn from this. Failing fast relies upon competent reporting based on plan-do-check-amend. This is what stops you from wasting money on activities which don’t work.
The results of each of these four phases need to be presented to supervisors or managers on a regular basis. Otherwise nobody will know whether or not your personal data processes are actually working.
Well, that’s not strictly true, is it? I reckon your employees and your customers will soon know if your processing isn’t working. How will you make sure this insight informs your business sustainability?
Sustainability is the key to your ongoing success in managing the personal data available to your business.
Compliance matters, of course it does. However it is simply a fleeting notion – a momentary dalliance on your part – without the ability to sustain it. What is the point of investing heavily in compliance with data protection regulations only to let it wither and die for the want of a handful of activities to sustain it?
This is what true readiness for data protection means:
Readiness = Compliance x Sustainability