After several years as Chief Privacy Officer for Unilever, in early 2016 I became the Data Protection and Information Security Officer for John Lewis Partnership (and Waitrose UK) and had a fantastic time helping 85,000 employees and the Board understand their accountabilities and responsibilities when it came to GDPR. I helped to drive through the necessary organisational change and created education campaigns, including new processes on how to deal with customer data protection queries and their data subject rights. I had to change the culture and mindset of the organisation on how and why they used personal data across JLP’s vast data lakes.
I also established a data ethics committee across the group which included our Marketing, Data Analytics and Ecommerce functions, all of which were heavily utilising the 25 million customer records to drive growth, sales and product innovation. My line manager was the CFO, the Board & Audit Committee were my weekly audience, both of which held me accountable and responsible for driving this massive transformation change across the organisation. This got me thinking, and so in late 2018 I established Privacy Culture Limited, with the sole aim to help DPOs embed a culture of privacy across their workforce. My first engagement as interim Data Protection Officer (DPO) at the Bank of England was thoroughly enjoyable, as I was able to quickly help the Bank on its journey to further embed a culture of privacy.
Since then, I have provided thought leadership, vision and strategic privacy advice to Boards and CPOs & DPOs across the UK and internationally. I believe it is my civic duty to promote and communicate the wider benefits of responsible data use, both for our society and digital economies, whilst ensuring we respect the confines of data protection regulation, data ethics, law and individuals’ right to privacy.
The Privacy Culture Horizon survey
During the last two years, we have been developing the Privacy Culture Horizon platform. The platform allows the DPO to accurately measure the workforce’s attitudes, behaviours, knowledge, controls and culture. The Privacy Culture Horizon survey helps organisations to identify where educational gaps exist and where certain roles, functions or locations require specific, tailored, modular training to help educate and reach employees, change mindsets and improve attitudes towards privacy.
Our platform helps communicate and educate the workforce. In late 2020, in conjunction with Queen Mary University of London, Dentons law firm and Capgemini we ran a global benchmarking exercise that created the world’s first Global Privacy Culture Survey of the employee workforce.
This 2021 Global Privacy Culture Survey Annual Report is a summary of that research. It seeks to help organisations and their DPOs, CPOs, CISOs and CDOs better understand why and how culture is such a significant factor in influencing the hearts and minds of employees. The survey will monitor, benchmark and track these trends for the next 10 years.
Below you will see our findings and recommendations according to the best and worst performing areas across our 12 key themes of data privacy, protection, security and governance and the attributes of culture, knowledge, behaviour, attitude and perceived control, as well as valuable insights by function, location and job role.
Top five worst performing areas
According to our research, the lowest scoring results from the survey were in Risk Management, despite ‘risk’ being mentioned over 75 times in the General Data Protection Regulation text alone.
Retention and Deletion
There is a clear lack of understanding and process maturity surrounding the application of data retention and deletion schedules. This problem is not isolated to one organisation, as nearly every participating organisation scored poorly in this area with 50% scoring ‘unsatisfactory’ overall.
Records of Processing and Lawfulness
Records of Processing Activities (ROPA) survey questions scored poorly, with 50% of participants scoring ‘unsatisfactory’ overall. Following the survey workshops, we can also draw some interesting conclusions that could encourage and foster a debate about changing both the perception and the application of this, principally GDPR, requirement.
Policies, Training and Awareness
This area not only focuses on the application of an organisation’s culture, policies, and training and awareness programme; it also enables us to unravel why certain themes do not appear to be operating satisfactorily, and what might be done to resolve this.
A transparent approach to data protection and privacy is central to effective internal and external communication. Transparency is key for data subjects to understand their rights, how their personal data is protected and who is accountable when those rights are violated.
Other interesting findings
Functions have distinct cultures, so it is pointless trying to treat them the same or expecting them to be equally responsive when it comes to engaging with your data protection and privacy activities. Spending a little time getting to know the personalities of these functions in terms of how they operate and where their pain points and pressures are will help you immensely when thinking about developing your Privacy Culture.
We are now able to look at and understand the differences between industry sectors, to try and understand which naturally perform better than others when it comes to privacy. For this exercise, we have grouped our organisations into the sectors of Finance, Data Services, Charity, and Consumer Services.
From a regional perspective, we can see that progress is being made across Europe, USA, Canada, Australia, Japan and other developed economies, but there is still a lack of maturity across less regulated countries or jurisdictions where data protection and privacy can be perceived, handled and managed in a less prescriptive, more libertarian manner.
It has been said that an organisation is only as good as the people who work there, and this is reflected in its culture, products and services. It could be argued that GDPR has led to a widespread global data protection and privacy uprising, with organisations around the world recognising the value of good data governance. Of course, the less glamorous impact has been the very different privacy practices that have emerged globally, with both organisations and enforcement agencies interpreting these principles slightly differently and, as a result, arriving at differing views of how compliance can and should be achieved.
The DPO has the responsibility to interpret these privacy rules and then apply them to his or her business environment or organisation. This has led to widespread differences in the quality of interpretation and implementation, yet one common challenge remains outstanding – ‘how to embed a culture of privacy across the workforce’. How do you inspire employees to behave and act differently when it comes to personal data handling and access? How do you make privacy interesting to employees? How do you turn it into one of the organisation’s values?
The results of this study indicate that organisational culture mainly impacts motivation, promotes individual learning, affects communication, and improves organisational values, group decision making and solving conflicts. If we are ever to move the conversation to how personal data can add business value, drive stronger revenue growth, help margin expansion and drive data utilisation, then we will need to move away from ‘tick box’ notions of data protection and privacy compliance, abandon the scare tactics of non-compliance, and even stop worrying so much about fines from regulators.