Leadership and Culture Drive Privacy Protections
By Don Peppers and Martha Rogers, Ph.D
It has become a familiar story: someone's laptop is stolen or computer discs go missing, and they contain large amounts of personal information, which is now compromised and available for bad guys to misuse.
The latest occurrence was a major one. In October, discs containing the names, birth dates, addresses, bank account details and National Insurance numbers of 25 million UK citizens were lost by HM Revenue & Customs in a courier mishap. That privacy breaches of this kind are so common suggests a lack of concern for privacy issues within organizations. Without a culture that understands how important privacy is to building customer trust, companies are basically asking for this to happen.
"Organizations have not taken privacy and data protection seriously," says UK Information Commissioner Richard Thomas. "It's about leadership and culture. Too often it's left to the techies," and not part of the entire company culture.
Thomas agrees that most privacy breaches are not deliberate, but the result of carelessness. He emphasizes that the best defense against problems is to ingrain privacy focus and data protection into a company's DNA. Organizations, both public and private, should be concerned with earning the trust of customers by acting in their interests.
Regulation in some instances is important as well, though it's the balance of internal and external forces that will ultimately foster a safe and secure environment.
"This is largely a matter of enlightened self-interest," Thomas says. "So much depends on the trust and confidence of your customers, your employees, and your stakeholders. Your reputation is on the line. It should be on the agenda of every chief executive and every permanent secretary. It's the CEO who must provide clarity of responsibility and accountability."
Creating a trust-based culture
Every organization has a culture, often loosely defined as "how things are done around here," and it is passed on largely by imitation. The habits and patterns that build up over time into a "culture" will have far more impact on a company's overall actions than will even the most detailed written procedures.
Culture is hard to define, harder to manage, and even harder to change. Here are a few pointers to influence an organization's cultural DNA:
- You get what you pay for. People do what they are rewarded for doing, so give employees incentives for practicing strong data and privacy protection.
- Actions speak louder than words. If you're a senior person at your firm, your employees will imitate what you do, not what you say. Senior management across the organization should set a good example. The chief privacy officer (CPO) cannot build customer trust alone. Don't hire a CPO as your privacy strategy. Hire one because of your strategy.
- Find the influencers in your organization. Networks of employees form spontaneously, and the key influencers of other employees' behaviors and attitudes are probably not the most senior people in your organization. Identify those employees other employees turn to most when asking questions or solving problems.
- Focus on a single, simple, unifying mission. You can rally people around an idea if the idea is universally appealing, but specific and tangible enough to offer guidance.
- Celebrate small victories. Find examples of the right cultural values being put into practice, and socialize them within your firm. Let people know how things are really done around your firm.
The issue of an enlightened culture becomes more important as consumer awareness and expectations increase. Individuals are offering up more personal data than ever in their interactions with business and government agencies, in return for valuable services. But their expectations of service and protection are increasing as well. Get caught in a breach situation or mishandling information, and you can damage customer relationships forever. For this reason it's in the best interests of everyone within a company to be concerned with privacy and data protection.
"Both official and personal information are increasingly seen as valuable assets held by all organizations, which need to be treated with the care and respect afforded to other types of assets," Thomas says.