Ten million dollars.
Those three words probably sent a shiver down the spines of Australian boards and executives contemplating the Australian attorney general’s Review into the Privacy Act as the review’s consultation period drew to a close in January 2022. If adopted, the proposals would bring Australia’s federal privacy regime much more in line with the EU model and General Data Protection Regulation principles. It would also increase financial penalties from just over $2 million to a whopping AUD $10 million.
Those same three words, “ten million dollars,” might also have generated a chuckle for those recalling Dr. Evil’s threat to detonate a nuclear warhead in “Austin Powers: International Man of Mystery.” For the record, Dr. Evil first demanded $1 million from the United Nations, accompanied by that classic pinkie-to-the-lip move. A million bucks might have been a king’s ransom in the Swingin’ Sixties when Dr. Evil went into cryogenic stasis, but in the late 1990s, when Austin Powers first battled Dr. Evil in the cinemas? That kind of money was chump change. Hence, the joke.
That’s not to say that $10 million is chump change in the 2020s, particularly not if a company is faced with multiple complaints or allegations of serious and continuing privacy violations. Plus, significant fines would likely do wonders to increase privacy awareness across Australia’s business and other sectors. In fact, I’ve heard commentators highlight the key role of fines and penalties to gain traction for privacy programs, as well as being a great tool for privacy professionals to “tell their story.”
With all due respect, I disagree — at least about telling stories.
Fines are a sugar hit. My personal opinion is that financial penalties are like energy drinks that athletes gulp down in timeouts. The drink might give the athlete a quick boost, but it won’t alter their skill level — or do wonders for their dental bills. And in our frenetic, 24-7 news environment, fines and penalties are the ultimate sugar hit. Sure, they make splashy headlines, but their impact tends to fade over time — and with inflation. Just ask Dr. Evil.
To my mind, an effective privacy program is all about working on the long game. It’s about building a winning formula that will last through endless practice runs and into the championship rounds, year after year. That’s why privacy programs tend to focus on embedding privacy by design into business-as-usual activities, rather than sugar hits and quick fixes. It’s all about good hygiene, about brushing and flossing. Not the sexiest topic around, but it definitely is painful and expensive if you’re looking at the commercial equivalent of a root canal because you didn’t heed your privacy professional’s advice.
Fines don’t tell a story or embed good practices. Don’t get me wrong. Multimillion-dollar fines do make great headlines. But those headlines, along with stats on countless thousands of affected customers — they don’t do justice to the very real, human tragedy that can unfold following a data or privacy breach. Those stats and headlines can’t express the anger and frustration experienced by victims of identity theft or the horror of an innocent person being incarcerated because “the algorithm got it wrong.” I would go as far as to say that headlines and big numbers are largely meaningless unless they can be woven into a story about a real person, an individual. As the apocryphal line goes — one death is a tragedy, but a million is a statistic.
Russell Densmore’s textbook “Privacy Program Management” has some great recommendations to help bring individual stories to life by leveraging your business’s own privacy incidents — Chapter 7.2 in the 2nd Edition for the keen ones. Sharing your own “war stories” or inviting a victim of identity theft as a speaker can turn mundane brownbag sessions into something truly meaningful. Real-world stories about people like you, your family and friends are much more likely to stick with staff, executives and board members. They are also more likely to motivate staff to “up their game,” compared to trotting out some forgettable stats on the average cost of a data breach per hypothetical customer.
Storytelling: It’s an essential business skill and critical to the success of any privacy program. If you don’t believe me, check out the Harvard Business Review article and interview with Hollywood story and screenwriting guru Robert McKee, “Storytelling that moves people.” Published in 2003, the article’s insights are still powerful today. McKee’s premise is that storytelling is hardwired into the way we think, how we process information and how we learn. And effective storytelling is all about creating an emotional connection with your audience. Those techniques apply equally to selling movie tickets and building a business case. To develop an effective business case, you need a hell of a lot more than killer spreadsheets or a decent return on investment. You need to create heroes, villains and real-world stakes. And those stakes have to be substantial and deeply personal — like someone’s life or livelihood being on the line.
Make the stakes in your privacy stories personal. You’re probably thinking: How could someone’s life be on the line because of a data breach? Isn’t that a bit melodramatic? Not if you consider the impacts of identity theft and data breaches, which can lead to the destruction of lives, businesses and careers. If your colleagues were to meet someone who personally experienced identity theft and spent countless hours on the phone with banks, credit and government agencies, all while desperately trying to prove who they are, I guarantee that will have a much stronger emotional resonance than a disembodied dollar figure or some statistic, even if it’s in the multimillions. Those personal stories can turn quasi-compulsory brownbag discussions into events that not only touch staff members on an emotional level but also stand a much better chance of motivating colleagues to take extra care when dealing with personal information.
Good stories need good villains and even better heroes. I think it’s essential for privacy teams to run post-mortems on near-misses and “wargame” scenarios that reflect credible threats, along with creative, out-of-the-box attacks. Privacy professionals should also celebrate their privacy champions. Leverage internal communications to promote your privacy sharpshooters’ hero stories. Get those champions to speak about their motivations to protect personal data. Speak to the real-world impacts privacy breaches have on real people. And stress that your champions don’t see privacy as a regulatory “chore” but as a topic close to their hearts.
Hero stories also provide great tools for uncovering the elusive “why” that business gurus often talk about. These stories can help illustrate your organization’s higher purpose and act as the “emotional glue” that will motivate staff to put in the discretionary effort needed in a successful privacy program. And if a successful privacy program is all about good hygiene, about brushing and flossing, you need something more than just fines to motivate your people. You need great stories that are deeply personal — like the information you’re trying to protect.