Building a Privacy Culture for GDPR, CCPA and Beyond
New privacy laws and regulations are coming thick and fast, and we’re not done yet.
Industry analyst Gartner says by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today. That means big change!
In order for employees to operate effectively in the new business environment created by these regulations, privacy professionals need to do more than define policies and processes for compliance. What’s required is leadership in creating an entire organizational culture around protecting data.
Making privacy a central pillar in company culture won’t be done with training alone. It will require aligning executive messaging, training, and ongoing communications around the knowledge and behaviors all employees must master to perform in the new privacy-sensitive world.
Who Cares About Privacy Anyway?
Practically speaking, do people working in the call center or the software development team care deeply about privacy? Not likely. They probably couldn’t even tell you what ‘GDPR’ and ‘CCPA’ mean. In fact, our 2020 State of Privacy and Security Awareness research found that 62% of employees reported they were unsure if their organization even has to comply with the CCPA!
So the onus is on privacy leaders to help everyone in the organization open their minds to caring about privacy, at least enough to meet the company’s minimum compliance obligations – but preferably more to strengthen the brand and truly protect business and customer data.
There is a need to create and influence the conditions that allow for a culture of privacy, but there is also the practical reality of adapting to the culture that already exists. That includes tackling the beliefs and biases employees bring from outside company walls. We can consider this challenge from a “layers of the onion” perspective.
The Broader Culture
The outer layer of the onion is the one over which you have very little control: the broader culture from which employees come. Every single employee brings a raft of assumptions, beliefs and pre-conceptions with them.
Recent data from the Pew Research Center shows today’s population has little faith that companies care about protecting or respecting individual control of personal information. That includes the people who come into the workplace every day. We can’t change the broader culture—but it’s good to know where you start.
But let’s talk about where you can have more control, by jumping to the core of the onion then working outward from there.
The core layer is training.
While developing formal training may be the most concentrated (and necessary) way to communicate with employees about privacy policies, people tend to pack too much into a training curriculum, make it too long, or use legalisms that will go right past many people. This must be avoided; don’t create training people hate.
Use training to baseline the clarity and relevance of an overall privacy program. Keep the training as short as possible, with a positive tone about how good it is for the business.
Role-based training variants will ensure people in very different jobs get information relevant to them. This approach takes a little more work up front, but it pays off when people in different jobs find the training relevant.
Reinforcement and Awareness
The next layer outward, reinforcement and awareness, may become the most memorable.
Informal communications offer the chance to use humor, directness and brevity about the privacy values, best practices, tips, and guidelines that matter most to the organization.
Use these channels for communication, boiling down desired employee behaviors to the very basics. For example, reinforce erring on the side of treating data as private, or encourage proactive incident reporting and breach notification.
The next outward layer is the other advocates whom privacy leaders need to help carry the flag. People don’t always need to get privacy messages from the privacy people.
Practically speaking, the whole company will be better off if there are other people, in all areas of the company, who not only get the importance of privacy goals, but then marry that understanding with real expertise in their particular area of the business.
These people are privacy champions. They will help carry the message far and wide in the company and report back when they think there are areas where you need to make a broader impact.
Finally, we’ve got company culture; the tribal norms, customs, beliefs and behaviors that are unique to every organizational entity. This one will be a bit harder to influence, but it can be done if approached strategically.
Culture develops over time, and can be the result of shared experiences, values, philosophies and the kind of people that get hired on. It’s also heavily influenced by executive leadership, whose words and actions can shape the way everybody in the company thinks about many things, privacy included.
For example: in company A, the CEO really gets the idea that maintaining customer trust means consistently demonstrating that you are taking care of customer data at every step in the customer lifecycle. She never misses an opportunity—whether she’s talking to the press, the board, or dropping into a working meeting—to highlight how people in every part of the business can play their role in upholding the privacy principles you’ve committed to. She models the attitudes that the rest of the executives adopt and that spread through the organization.
In company B, the CEO pays lip service to the need to stay in compliance with privacy laws, but insists that mere compliance can’t get in the way of maximizing the value the company extracts from the personal information its customers share. This cowboy insists your company is on the cutting edge, finding innovative ways to use customer data to bring value to the company. He doesn’t ever come out and say that privacy is unimportant, but the clear subtext of his message makes it that much harder for “Privacy by Design” workshops and reminders about data minimization to seem relevant.
Clearly these leaders will have a lot of influence and sway with the entire team. So when building a culture of privacy, it’s important to get executives to understand and accept privacy’s value, then consistently weave it into their communications.
There are certainly other avenues to influence company culture, such as the people who control the regular channels of company-wide communication: HR, Corporate Communications, or administrators. Those people should also be cultivated and enrolled in helping to spread the privacy message.
A Culture of Privacy Is Possible
All of this may sound complex and difficult. Yes, it is challenging, but it can be done.
At the macro level, new privacy regulations exist because they reflect the will of the people as expressed through their elected government. These regulations are a very public call for businesses to improve their privacy practices.
At the micro level, privacy leaders have likely allies in the company. If a company already has a security awareness program in place, the security team will have goals very similar to those of the privacy program. They can be allies in making data protection a core value at the company level.
There are also external allies in the information security community, and even a rapidly growing vendor community in the privacy market. Deep down they care about privacy too.
Dream big about what you can do to promote privacy in your company, and best of luck in your journey.