Data protection has matured incredibly over the last 10 years. The ‘privacy industry’ has gone through a metamorphosis not seen in many other disciplines. Now, as we reflect on the organisational changes the pandemic introduced, we must recognise that being able to quickly access and share accurate data is critical to every business’ success – regardless of where employees are working from.
As a DPO, how do you measure compliance within your business when all this data is being shared? And how do you decide when ‘good enough’ is actually good enough?
An all or nothing equation?
We often measure business success purely in terms of winning and losing, such as being in the black or the red, being compliant or non-compliant. For example, you cannot have an 80% balanced budget or a 90% safe medical device. Data, however, doesn’t always play by these rules.
Data as a commodity has grown from long-held views of structure and rigidity into big data information stores that are mostly accurate. When pulling back non-normalised data, getting 80% of what you requested is often considered satisfactory. This begs the question for data legislation: “How can compliance be evidenced when the technological tools get designed with ambiguity?”
While there will be notable exceptions where ridiculously high levels of accuracy are required, say for nuclear organisations or military assets, by and large the commercial and public sector worlds have finite resources and need to choose wisely for the best return.
This is novel and can cause the established yes/no functions of a business to feel uncomfortable.
What is ‘good enough’ for data compliance?
This is a question that has challenged me time and time again. At what point should an organisation consider the efforts carried out to be satisfactory? There are two variables to consider when coming to a subjective decision:
- How important to the overall strategy is your activity?
- What are the risks involved in the scenario?
I’ll walk through a fictional scenario that could apply to many organisations. Let’s pretend you’re running a tabletop scenario of a data breach to prepare for the event of a real one. During the scenario, various departments and senior leaders come onto calls throughout the day, and third parties are looped in to test their responsiveness.
Halfway through, one of the main buildings experiences a power cut where half of the staff working on the tabletop are based. There is now a major incident to contend with. A few questions have probably started to crop up. Do we get rid of the tabletop exercise, pause it, or consider it complete? What if it had to be carried out on that day to achieve an organisational certification?
This is where yes/no thought processes can disregard the importance of value, purpose, and subjectivity. What I would see here is an opportunity to consider the tabletop completed, with the real-world major incident appended to it. That was not the original scope of the tabletop exercise after all, nor did we get to complete the scenario start-to-end.
The entire purpose of testing and reviewing procedures is to understand your fitness. Finding compliance problems along the way is the only way to really improve. Accepting there will be gaps in processes, policies, and procedures is equally important – we live in an imperfectly perfect world, after all!
It’s doing nothing about the gaps that would be a serious concern.
Improving staff compliance
Have you ever sat through a quarterly staff briefing and near the end there is a brief statement that your compliance training is due next week? Chances are many employees will rush through it and forget much of what they just crammed in.
The trick to improving this process is not really a trick at all – the key is being visible and engaged with your co-workers. Actively listen to their challenges and be prepared to change your opinion of how compliance can be achieved. (Remember, there is more than one way to gain compliance!) If you are lucky enough to have a sense of humour about the process, even better.
You can work on smiles and relate back to the same silly stories about the business success of 90% effective medical devices to drive your point home. This not only helps your staff get engaged with what can be dry and complex material; it builds all-important trust and a willingness to help you in your compliance role. We all know compliance is not down to just one person.
A tool to help improve compliance
In closing, think about a time you were assessing a product or solution. Did you ever have one where you thought, “This tool would remove a huge compliance hurdle for me or the company”? What if you could reduce the chances of someone falling for a phishing attack to nearly 0%?
This is what excites me about our Egress Defend product. It proactively stops breaches from phishing to such a point that it’s changed the way I perceive that risk to our business. Using Defend also means compliance roles can have a little more time for smiles and employee engagement and spend less time breach handling!