Establish sustainable internal behavioural change during the privacy-first era

21 July 2021

Gartner estimated in 2020 that 65% of people across the world will have their personal data protected by privacy regulations in 2023, compared to 10% just a year ago. We recon this prediction is well on track to tip the scale even further as more sovereignties, such as the EU, South Africa, Japan, Singapore, Brazil and the US are all moving or have moved towards legislations aimed at binding organisations to protect the information that individuals or entities have opted to share with these organisations.  

But as legislation kicked in, is the trade-off between being fined (in case of non-compliance) or risking damage to the organisation’s public image enough to make a palpable difference in how employees treat personal data? 

We believe one of the best ways to create lasting change in terms of data privacy best practice is when organisations take a serious look at how they are empowering employees to live and breathe a privacy-first approach. 

Introducing data privacy greenhouse factors

Let’s visualise for a moment that the way in which employees are trained to manage personal data is a virtual greenhouse. One where this cultivated behaviour has sprouted seeds and grown a root system and a strong stem branching outward. When strong enough, the plant can be replanted into a garden or forest along with other trees, into a larger ecosystem. 

Similar to a greenhouse effect, when organisations treat its commitment to anchor down internal change in the way its employees interact with personal information, the organisation is able to more effectively control what comes in and what goes out. 

A greenhouse provides shelter from too much change in the direct climate, just as the organisation is able to direct a shared organisational culture. In a greenhouse, plants are also protected from pests that could cause disease. In the same way an organisation with a strong internal culture would be harder to breach since a desired state has already been established. 

We illustrate a few factors designed to bolster the internal greenhouse climate and help organisations embody privacy-first principles set out in South Africa’s POPIA (Protection of Personal Information Act). These factors can help navigate the balance between the theoretical legal aspects, of which much has been written about, and the proceeding practical behavioural aspects thereof. 

Factors influencing the organisational privacy-first greenhouse

When change management consultants refer to the desired future state, or the bigger picture to which ongoing compliance efforts lead beyond just compliance requirements, imagine the symbolism of replanting a strong and viable greenhouse product into the soil, knowing the plant will withstand the shift to the new environment because it has been through a detailed cultivation process inside a controlled greenhouse. 
There are three factors that influence behaviour:

1. Internal values

When an organisation or its employees do not truly understand its ‘why’, the organisation cannot fully commit to meaningful change. An organisation’s ‘why’ speaks to the reason for engaging in a shift around data protection and a different way of working.

In such an instance, the organisation is rudderless, and the change facilitator is typically unable to properly draw a line from the required change to the bigger picture. In other words, a critical greenhouse ingredient used to cultivate the optimal environment is lacking.

2. Organisational structure

For an organisation’s commitment to put data privacy and protection of personal information first, each and every employee must be a data privacy champion. 

First and foremost, this approach requires the appropriate awareness of why data privacy is important beyond being a tick-box exercise. Secondly, it requires an understanding of the tools or frameworks that need to be used in-the-moment to act when a scenario arises where data could be compromised. This is why training and rehearsal of what to do in case of cyber risk events (such as a data breach) is crucial. 

Data privacy protection simply cannot be ‘outsourced’ as an issue for the IT department to implement. The decisions we make every day to click on a link, share a message or contact info depends on us in the moment, and again circles back to training and empowerment. 

Hierarchical or authoritative organisational structures tend not to prioritise the empowerment of people. Instead, such an environment creates a fear-driven culture which is not conducive to data privacy-centric empowerment and does not cultivate people to be data privacy champions. A flat organisational structure and inclusive approach work best.

3. Executive leadership

Executives tend to shift blame to failed change management efforts on other parties, especially, where pro-change cultures are not fostered. Leaders in organisations that do not treat the internal culture as a greenhouse effect, often fail to realise that their example is the most accountable role-players in any change situation and the ultimate data privacy champions. 
The rest of the organisation will use their behaviour as a benchmark to follow, part of the greenhouse factors necessary for cultivating the overall optimal environment. 

If executives fail to give effect to the tools, frameworks or policies that were designed by the organisation to protect Personal Information, they ultimately fail their commitment to the organisation and its stakeholders.

Factors influencing the personal information protection legislative environment within the greenhouse

POPIA environment greenhouse factors speak to practical legislative considerations that enable the ongoing commitment to data privacy to be executed. These factors only function correctly when the organisation creates a suitable environment within the greenhouse.

1. Cyber security best practices

Cyber security best practices are exactly that – best practices. 
All stakeholders in an organisation’s change plan related to privacy are required to decide on which measures or best practices it will implement as it speaks to (1) technical or cyber security measures and (2) behavioural measures. 

Cyber security measures are usually the responsibility of the IT or technical departments, and behavioural measures the responsibility of the organisation’s people teams or departments. 

Ultimately, the IT or technical team’s measures are positioned in an internal cyber policy which has been developed democratically – a change process during which the input and concerns of employees are acquired before the policy is formally implemented. 

The result is a shared responsibility for a cyber policy that empowers employees to be data privacy champions alongside the IT or technical teams. Responsibility is distributed, and no longer only a perceived responsibility of those in the IT team.

2. Risk Response Plan (RRP)/Security Compromises Adoption Plan

However grim, it is a fact that it is only a matter of time before an organisation stands the risk of falling prey to a cyber-attack or data breach. That is why a RRP is such an important factor in an organisation’s POPIA greenhouse cultivation strategy to help correctly identifying and acting upon an incident.

However, Risk Response and Security Compromise plans are ineffective if fire drills, or stress tests are not conducted regularly in the form of staged cyber-attacks or breach events. These tests determine how successfully employees navigate these plans in-the-moment. 

The knowledge that a stress test may be lurking around the corner is a very efficient motivator to keep employees on their toes and committed to being data privacy champions. Never knowing when you will be tested keeps you up to date with how the plan works. After all, nobody wants to be known as the person who failed a data breach test event. 

Data protection and compliance is no simple task or tick-box exercise. However, an ongoing, consistent effort, cultivated in a privacy-first environment makes achieving these truly necessary compliance goals much more attainable.