It could be argued that the EU General Data Protection Regulation has driven the global spread of data protection and privacy law, with organizations around the world recognizing the value of good data governance. The less glamorous impact has been the very different privacy practices that have emerged globally: organizations and enforcement agencies interpret the same principles slightly differently, and so arrive at different views of how compliance can and should be achieved.
Within an organization, it is the data protection officer who must interpret these privacy rules and apply them to the business. This has led to wide variation in the quality of interpretation and implementation, yet one common challenge remains outstanding: how to embed a culture of privacy across the workforce. How do you inspire employees to behave differently when handling and accessing personal data? How do you make privacy interesting to employees? How do you make it part of your organization’s value proposition?
A focus on compliance at the expense of culture can also leave a salesperson with a restricted view of a prospect or customer, which in turn hurts conversion rates and profitability. It can leave employees who want to understand their target customers better confused about what can and cannot be done with personal data.
A common misconception among data protection and chief privacy officers is that a culture of privacy is simply the end product of an awareness, education and training program. It is not, and that misconception should concern any DPO or CPO. Until now, however, there has been no systematic way of measuring privacy culture within an organization or of addressing this potential gap.
This was the main driver behind why we developed the world’s first employee privacy culture survey and engaged in a formal research project working in collaboration with Queen Mary University of London's Faculty of Law, Dentons law firm and technology consulting company Capgemini.
The 10-minute survey covers 12 themes, such as governance and accountability, retention and deletion, data security and data incident reporting, with questions drawn from the GDPR and other privacy laws and standards worldwide.
Employees answer 50 questions anonymously on a psychometric Likert scale ranging from “strongly agree” to “strongly disagree.” The survey findings are then supplemented with conversational insights gathered in workshops across different areas of the organization, to better understand why employees may not be behaving in the expected privacy-compliant way.
Organizations are then provided with a comprehensive report that covers the best and worst-performing themes and deep insights into specific issues at both function and country level, in addition to high-level recommendations on how to address them. Individual organization results are then shown against an overall benchmark of all participating companies.
The world’s first 'Global Privacy Culture Survey Report 2021'
As part of our research, we recorded the behavior, attitude, perceived control, knowledge and culture of more than 3,000 anonymized and pseudonymized employee respondents from 10 global organizations across six different industry sectors and 52 countries. We obtained feedback from 13 different functions, including marketing, human resources, customer services and technology.
It was heartening to read that the top-three performing themes from the survey across all industries and countries were data breach and incident management, governance and accountability, and compliance and monitoring.
The report is good news for DPOs, chief information security officers, lawyers and compliance officers. Our follow-up workshops indicate that some of the foundational elements of privacy and security, such as how to recognize and report a potential data incident, are landing: 97% of respondents feel confident that they understand the consequences of not reporting a data incident.
However, digging deeper into the survey results and the workshop conversations, we found that data sharing and deletion still cause confusion, particularly when dealing with third parties. It was also apparent that employees are not always clear on how to recognize and report an individual data rights request.
The five lowest-performing themes across all organizations were privacy risk management; records of processing; retention and deletion; transparency and policies; and training, awareness and culture. Notably, these themes cover the more technical aspects of data protection, privacy, security and governance. Knowledge and behavior here depend heavily on the maturity of an organization’s data protection and privacy program, and on whether concepts such as the data protection impact assessment feature in general onboarding and annual compliance training.
The ability to train and reinforce key privacy concepts, including the more technical aspects of privacy and data protection, is crucial to building a privacy culture from the ground up. Employing creative people who can make information often seen as boring and tedious engaging, and then using the existing communication channels known to be effective, is essential to reaching the level of confidence and compliance you seek. Most importantly, measuring the effectiveness of your awareness, education and training program by giving your workforce a voice, and letting them tell you where to focus your effort next, may be your most powerful tool on the road to a privacy culture.