The Time Is Now for Privacy Officers to Build Privacy Cultures in Our Organizations
Originally published on the National Cybersecurity Alliance blog.
The increasing pace with which privacy laws and regulations are being introduced creates pressure on privacy officers and the companies they work for like never before. Establishing a privacy culture is the core pressure many companies face.
More and more, privacy officers are being asked to shape the culture of their organizations around privacy, but they do so within a broader culture that is deeply conflicted about privacy. Ensuring policies and procedures are in place to comply with regulations is just the first step. They must also double down on their efforts to align all of their employees around the actions needed to ensure regulatory compliance and to behave toward customers, business partners, and even employees in ways that build trust and confidence that the organization handles data appropriately.
The problem is that employees—and in most cases, this means you too—are caught in a “privacy paradox” that is even deeper than we all recognize.
The Privacy Paradox
There is a level to the privacy paradox that we all know about: it’s the fact that people say privacy is important to them, but they don’t act on that belief. (The Guardian calls it “the dark shadow that lurks over our networked world.”)
But we fool ourselves if we think that this paradox only refers to the fact that people blindly turn on location services and accept privacy agreements without a second thought. In fact, this paradox may go deeper than we even recognize and in ways that are even more challenging to the efforts of companies to align their cultures to new privacy laws and regulations.
Various surveys show that the very people we need to live and breathe our organizational commitments to privacy—our employees—are deeply skeptical and even disillusioned about the possibility of ever protecting data. How do we enlist our employees (and indeed our families and our fellow citizens) in a battle to reclaim control over data if deep down, many people believe the battle is already lost?
Sense of Despair
You don’t need to dig very deep into a major study done by the Pew Research Center in 2019 to find a sense of despair and defeat about the individual’s ability to control their data.
In the first place, people are resigned to the fact that their data is being collected, with 62% reporting that they can’t go through life without having their data collected. 81% of those studied felt that they have little to no control over the data that companies collect about them, and 59% have little to no understanding of what companies do with the data that is collected.
“Additionally,” write the authors of the study, “majorities of the public are not confident that corporations are good stewards of the data they collect. For example, 79% of Americans say they are not too or not at all confident that companies will admit mistakes and take responsibility if they misuse or compromise personal information, and 69% report having this same lack of confidence that firms will use their personal information in ways they will be comfortable with.”
This study and others like it are packed with insights for the privacy officer, but all told they depict a population that feels that control over personal information has slipped from their collective grasp.
Attitudes and beliefs such as these are not fertile ground in which to plant the seeds of privacy culture change. How do you bring an employee population into alignment with the emerging legal and regulatory paradigm if they fundamentally doubt the principles that the paradigm is built upon (principles like access, choice, control, transparency, etc.)?
Or to put the question in a larger context, how do we reshape our relationship with and understanding of personal data and the data economy in ways that feel safe and even empowering?
The Winds of Privacy Are Changing
The good news is that the winds are now at our back. The data privacy laws and regulations that have recently gone into effect or will soon go into effect (GDPR, CCPA, and myriad other national and state laws) are already recasting the dynamic between individuals and those who would monetize their data.
These data privacy regulations send a powerful message that it’s not too late for us to reclaim control over our data. These laws set the boundaries for a new model of data exchange, and their ongoing enforcement will make those boundaries ever clearer still. (They may even cause us to rethink how we monetize data.)
Amidst all these larger societal and social changes, though, much of the critical work will be done inside companies and organizations that, in seeking to comply with new laws, will also translate these principles first into practice and then into data privacy culture.
Clear Privacy Training and Awareness
Through a combination of clear training and the consistent application of messaging and practice around the idea that consumers have data rights, employees of companies will come to see that the companies they work for are the very same companies they exchange data with … and that many of them can be trusted.
It will be difficult to change hearts and minds around privacy, but it’s in our workplaces that we can start. That means that privacy officers need to embrace the mandate to engage with and even lead culture change initiatives, to ensure that the modern language of privacy and data protection permeates their company operations and communications.
At the very least, privacy officers can follow the lead of their colleagues in information security and create “privacy awareness” programs that regularly surface the kinds of knowledge and behavior employees need to protect the data that flows through companies and in turn drives the larger economy.
It’s only when people work in companies that understand and protect privacy that we will build the kinds of societies we want to live in and move away from the sense of distrust and despair that exists today.