By Francois Kriel, Director at Kriel & Co
Gartner estimated in 2020 that 65% of people across the world will have their personal data protected by privacy regulations in 2023, compared to 10% just a year ago. We recon this prediction is well on track to tip the scale even further as more sovereignties, such as the EU, South Africa, Japan, Singapore, Brazil and the US are all moving or have moved towards legislations aimed at binding organisations to protect the information that individuals or entities have opted to share with these organisations.
But as legislation kicked in, is the trade-off between being fined (in case of non-compliance) or risking damage to the organisation’s public image enough to make a palpable difference in how employees treat personal data?
We believe one of the best ways to create lasting change in terms of data privacy best practice is when organisations take a serious look at how they are empowering employees to live and breathe a privacy-first approach.
Introducing data privacy greenhouse factors
Let’s visualise for a moment that the way in which employees are trained to manage personal data is a virtual greenhouse. One where this cultivated behaviour has sprouted seeds and grown a root system and a strong stem branching outward. When strong enough, the plant can be replanted into a garden or forest along with other trees, into a larger ecosystem.
Similar to a greenhouse effect, when organisations treat its commitment to anchor down internal change in the way its employees interact with personal information, the organisation is able to more effectively control what comes in and what goes out.
A greenhouse provides shelter from too much change in the direct climate, just as the organisation is able to direct a shared organisational culture. In a greenhouse, plants are also protected from pests that could cause disease. In the same way an organisation with a strong internal culture would be harder to breach since a desired state has already been established.
We illustrate a few factors designed to bolster the internal greenhouse climate and help organisations embody privacy-first principles set out in South Africa’s POPIA (Protection of Personal Information Act). These factors can help navigate the balance between the theoretical legal aspects, of which much has been written about, and the proceeding practical behavioural aspects thereof.
Factors influencing the organisational privacy-first greenhouse
When change management consultants refer to the desired future state, or the bigger picture to which ongoing compliance efforts lead beyond just compliance requirements, imagine the symbolism of replanting a strong and viable greenhouse product into the soil, knowing the plant will withstand the shift to the new environment because it has been through a detailed cultivation process inside a controlled greenhouse.
There are three factors that influence behaviour:
When an organisation or its employees do not truly understand its ‘why’, the organisation cannot fully commit to meaningful change. An organisation’s ‘why’ speaks to the reason for engaging in a shift around data protection and a different way of working.
In such an instance, the organisation is rudderless, and the change facilitator is typically unable to properly draw a line from the required change to the bigger picture. In other words, a critical greenhouse ingredient used to cultivate the optimal environment is lacking.
For an organisation’s commitment to put data privacy and protection of personal information first, each and every employee must be a data privacy champion.
First and foremost, this approach requires the appropriate awareness of why data privacy is important beyond being a tick-box exercise. Secondly, it requires an understanding of the tools or frameworks that need to be used in-the-moment to act when a scenario arises where data could be compromised. This is why training and rehearsal of what to do in case of cyber risk events (such as a data breach) is crucial.
Data privacy protection simply cannot be ‘outsourced’ as an issue for the IT department to implement. The decisions we make every day to click on a link, share a message or contact info depends on us in the moment, and again circles back to training and empowerment.
Hierarchical or authoritative organisational structures tend not to prioritise the empowerment of people. Instead, such an environment creates a fear-driven culture which is not conducive to data privacy-centric empowerment and does not cultivate people to be data privacy champions. A flat organisational structure and inclusive approach work best.
Executives tend to shift blame to failed change management efforts on other parties, especially, where pro-change cultures are not fostered. Leaders in organisations that do not treat the internal culture as a greenhouse effect, often fail to realise that their example is the most accountable role-players in any change situation and the ultimate data privacy champions.
The rest of the organisation will use their behaviour as a benchmark to follow, part of the greenhouse factors necessary for cultivating the overall optimal environment.
If executives fail to give effect to the tools, frameworks or policies that were designed by the organisation to protect Personal Information, they ultimately fail their commitment to the organisation and its stakeholders.
Factors influencing the personal information protection legislative environment within the greenhouse
POPIA environment greenhouse factors speak to practical legislative considerations that enable the ongoing commitment to data privacy to be executed. These factors only function correctly when the organisation creates a suitable environment within the greenhouse.
Cyber security best practices are exactly that – best practices.
All stakeholders in an organisation’s change plan related to privacy are required to decide on which measures or best practices it will implement as it speaks to (1) technical or cyber security measures and (2) behavioural measures.
Cyber security measures are usually the responsibility of the IT or technical departments, and behavioural measures the responsibility of the organisation’s people teams or departments.
Ultimately, the IT or technical team’s measures are positioned in an internal cyber policy which has been developed democratically – a change process during which the input and concerns of employees are acquired before the policy is formally implemented.
The result is a shared responsibility for a cyber policy that empowers employees to be data privacy champions alongside the IT or technical teams. Responsibility is distributed, and no longer only a perceived responsibility of those in the IT team.
However grim, it is a fact that it is only a matter of time before an organisation stands the risk of falling prey to a cyber-attack or data breach. That is why a RRP is such an important factor in an organisation’s POPIA greenhouse cultivation strategy to help correctly identifying and acting upon an incident.
However, Risk Response and Security Compromise plans are ineffective if fire drills, or stress tests are not conducted regularly in the form of staged cyber-attacks or breach events. These tests determine how successfully employees navigate these plans in-the-moment.
The knowledge that a stress test may be lurking around the corner is a very efficient motivator to keep employees on their toes and committed to being data privacy champions. Never knowing when you will be tested keeps you up to date with how the plan works. After all, nobody wants to be known as the person who failed a data breach test event.
Data protection and compliance is no simple task or tick-box exercise. However, an ongoing, consistent effort, cultivated in a privacy-first environment makes achieving these truly necessary compliance goals much more attainable.
About Francois Kriel:
Francois Kriel is an IMCSA accredited management consultant. He specialises in digital transformation, change management and data privacy. He is also a member of Privacy Officers Africa.
Francois supports organisations as acting or consulting CIO on a contract basis. He advises clients on the hiring of full-time CIOs and mentoring internally appointed Information Officers. His dynamic team at Kriel & Co currently empowers him to facilitate the Information Officer role at several high-profile organisations with a dedicated seat on the executive board at some client organisations.
Francois has extensive knowledge on data privacy (such as POPIA compliance) having established an inter-operable practice with the Technology, Media and Telecommunications department at top-tier law firm ENSafrica and advising several of the firm’s clients.
Empowered by the most current digital and legal expertise, he confidently advises organisations on practically achieving their organisational goals, data privacy obligations and change management requirements to effectively fulfil the role of CIO.
More about Kriel & Co:
Kriel & Co is an IMCSA-accredited management consulting practice specialising in change management, data privacy compliance, digital transformation and mentorship. The practice actively serves clients in a variety of sectors with a proven track-record of delivering innovative, cost-effective and sustainable strategies for digital change. Consultants are primarily retained on a long-term project basis by clients to oversee holistic digital transformation projects and initiatives.