Engaging your employees on the subject of Data Protection?
Data protection is not a box ticking exercise, if done properly it can aid your business, from having the right security measures in place and minimising the risk of breaches, to creating a good reputation for your business. Doing the right thing is a good selling point equalling happier customers or employees.
But one individual in a business cannot do this alone. You need the engagement and involvement of all employees if you are to really succeed. So, how do you do this? A multi factor approach works well, elearning courses are a good starting point but won’t engage all your employees, at all levels. Conversations and discussions ideally have to be had, an understanding of what activities involving personal data are being carried out in your business, and logical, common sense conversations can then follow. Be it on a one to one basis, or forming Forums and/or workshops where real life issues/ideas can be discussed.
Initial thoughts about Data Protection…
For the most part when you engage individuals in the workplace on the subject of data protection the initial thoughts are pretty standard, it’s complicated or difficult, it’s considered last or not at all, it’s a bit of a nuisance, it carries fines, but it’s important.
It’s not easy to grab the attention and focus on this area, especially with the individuals whose day to day work lives don’t regularly cross paths on the subject matter.
What is Data Protection by Design?
Data Protection by Design and by Default is the consideration of privacy and data protection at the design phase and throughout the process for any new project/service/process/system etc that involves the processing (storing, transferring, sharing, assessing, deleting etc) of personal data.
It is not a new concept and has been around for the last couple of decades as part of data protection, but became a legal requirement with the introduction of the General Data Protection Regulation in 2018. The idea behind Data Protection by Design is that it avoids wasted time and effort with having to resolve data protection issues after the fact, to create privacy bolt-ons. Honestly conducted Data Protection by Design should generate successful controls and construct well ordered designs.
Risk focus of the business
Unless you have the proper buy-in from the top down it can also be difficult to engage everyone at all levels on this subject matter. We recently asked groups of individuals within one business where they thought the main focus of concern was for the business when it came to new activities involving the processing of personal data. We gave the options of: risk to the business, risk to the data or risk to the individuals. Possibly not that surprising was that 80% stated the focus was on the risk to the business with only 3% holding the opinion that the focus would be on the potential risk to the individuals, whose data is being processed. The concern of risk to the business itself is not incorrect when it comes to data protection, however the concern should be spread across all 3 options. Risks to the individuals needs to be a serious consideration, data protection needs to be viewed as more than a box ticking exercise.
How can Data Protection by Design help businesses? How does it impact your organisation?
When you take into account and consider Data Protection by Design a lot of areas of risk are covered from compliance with the Data Protection Act and UK GDPR to public relations.
Data Protection by Design impacts in the following ways:
- Ensures you have appropriate security measures in place
- Assesses the risk in processing personal data e.g. sensitive data
- Covers the needs for public notices such as Privacy Notices, and assesses internal policies and procedures
- Considers the dangers of data breaches for the data you process
- Examines any possible legal decisions – are appropriate contracts in place, assessing the grounds for processing personal data
- Possible Impacts on the data subjects (customers, employees etc) whose data you process
- The data itself – how do you store it, for how long – could this be done better
- Reputation of the business – doing it right is a good selling point, happier customers e.g. clear marketing management – subscriptions, opting in, how to opt out – sets a good picture of the business
What are the elements that make up Data Protection by Design?
- That you take a proactive & preventative approach, not reactive or remedial.
- That the controls, settings etc are there as a default. That user’s privacy is automatically protected and that you are not relying on the user’s actions to achieve this.
- That the controls, settings etc are embedded in the whole process and not just in the design itself but in the design process as well. Data protection should form part of the core functions of any system or service.
- Data Protection by Design in operation should not impact negatively on any other function, full functionality should continue – A ‘Win-Win’ scenario is possible. It shouldn’t ever be seen as a sacrifice e.g. privacy over security or vice versa, you should be able to achieve both. This then creates better products and services, in turn makes for happier customers, and reduces the risk of data breaches.
- That security is in every part of the design and function – End to End Security. Security of personal data is considered and incorporated into the entirety of the life cycle, up to the very end with consideration for how it will be disposed of.
- Transparency is considered properly from updated Privacy Notices explaining what data is being processed, why it is being processed, how it is being processed, for how long it will be processed and what the individual’s rights are. Transparency also includes information communicated internally from policies, procedures, carrying out audits to assessing the processing in the form of Data Protection Impact Assessments.
- Ultimately, respecting the User’s Privacy – making your designs user centric, the best Data Protection by Design genuinely considers the User’s needs and interests.
How to demonstrate Data Protection by Design?
The 7 key principles of data protection set out in the UK GDPR are a good way of demonstrating Data Protection by Design. These key principles lie at the heart of processing personal data.
- Lawfulness, Fairness and Transparency: Are your processing activities within the law, are they fair to the individual and are you being open and clear.
- Purpose Limitation: You must have a clear and limited purpose for each processing activity involving personal data.
- Data Minimisation: Limit your processing to the absolute minimum of personal data to achieve your purpose, never collect extra data “just in case”. State what you process and retain for the absolute minimum time, “For as long as we need it” is not acceptable.
- Accuracy: To avoid misleading data keep it up to date and if correction is required make sure it is done in a timely manner.
- Storage Limitation: Once you have stated your purpose make sure you assess and establish your retention period. Be clear and transparent on retention e.g. if retaining for a legal requirement, make that clear.
- Security: Ensuring you have the appropriate technical and organisational measures in place to protect against data breaches.
- Accountability: Compliance with the Data Protection Act and UK GDPR is the responsibility of the Controller (the organisation stating the purpose of processing) but it should be a collaborative effort across the organisation.
Thoughts once engagement occurs…
Data protection should not be considered only because it may cause big fines! Protecting the data you process, be it that of your customers or your employees is a duty of care, your responsibility! A shared responsibility throughout your organisation.
If Data Protection by Design is truly embedded in your design and thought processes then you are on the road to achieving a wider scope of concern which will incorporate the assessment of risk to the individuals, without losing the focus on the risk to the business.
You should be encouraging your employees to ask questions and challenge concepts from a privacy point of view. This shouldn’t have to cost you any extra in money or time, and in the long run will save you from having to resolve issues after the fact or navigate damage to your organisation’s reputation.
After engaging with employees in organisations on the subject of data protection, we found that their initial thoughts of complication, difficulty, breaches etc went to thoughts of a shared responsibility, a collaboration, that they felt engaged, more informed, reassured and encouraged to learn and challenge more.
How can we help?
At Mondas Consulting we can offer Data Protection as a service which includes training and awareness for your teams. With our experience and expertise we can create a compliance package for you which will include a tailored, made to measure training programme suitable for your organisation. If you want to learn more or have any questions contact us here.