By now, most companies know that compliance with the imminent General Data Protection Regulation (GDPR) is more than a ‘tick box’ exercise. Indeed, so great is the extent of this legislation, combined with the sheer size and scale of the EU market, that I believe it may well ultimately drive a global transformation of the way business is done. Take, for example, Apple, which will roll out its GDPR solution first to the EU, and then to the rest of the world as it attempts to beat the competition on privacy.
The specific changes the GDPR will bring are well publicised and include, but are not limited to, strict rules for the lawful collection and processing of personal data, supporting specific rights and freedoms of individuals, adopting privacy by design and hiring a Data Protection Officer (DPO). But to truly appreciate the spirit of the regulation, it’s important to understand its two key principles: forcing organisations to be accountable for the way they behave, and giving consumers greater control over how their data is used. Fulfilling these objectives will be no small feat, necessitating a dramatic shift in the way companies view and utilise data. In fact, recent research by Crownpeak has found that 36% of organisations feel privacy will be central to corporate culture after the GDPR comes into force.
So what are the benefits of instilling a privacy-centric ethos, and how can this be achieved by Chief Privacy Officers (CPOs) and their colleagues in marketing, operations, IT, security and the General Counsel’s office?
Why we need a new privacy culture
The chief reason why businesses must revise their privacy culture is simple: if the GDPR is seen only as an operational challenge or a legal hoop to jump through, it won’t be given the priority it needs to be effective throughout all departments. What does “effective” mean? Of course, less committed companies may be at greater risk of failing to comply and incurring hefty fines, but the GDPR fundamentally changes market conditions. Companies which respond well to those changing conditions will drive higher levels of trust, engagement and reputation, and will differentiate themselves dramatically from the competition. Those which fall behind risk the same kind of brand damage that Facebook experienced following the Cambridge Analytica scandal.
This makes it essential for companies to create an atmosphere where employees have a responsible and active attitude towards data privacy. As Elizabeth Denham, the UK’s Information Commissioner, said at the ICO’s annual Data Protection Practitioners’ Conference:
“I want to see comprehensive data programmes as the norm, organisations better protecting the data of citizens and consumers and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK.”
How privacy will be good for business
The advantages of implementing a privacy-focused culture extend far beyond basic compliance. For starters, it will be crucial to map how and where data is used across the company so that it can be adequately protected. Secondly, in doing so, organisations will achieve a greater level of interdepartmental collaboration that helps to break down silos. It can also allow companies to stand out from the competition.
For Denham, “there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals”. Trust is becoming increasingly important to consumers, so if companies get it right, those consumers will be more open to sharing their data — offering deeper insights into themselves and better quality, more accurate details. But if they get it wrong, companies will lose customers. Global studies show that more than half (55%) of consumers surveyed have decided against making an online purchase due to privacy concerns. This means there’s no better time to go public about adopting extensive privacy measures and share dedication to best practice with the world beyond your company’s walls.
Collaborating for cultural change
Understanding the need for change is all very well, but how can companies actually alter the mindset of their workforce? Shifting a business’s paradigm is a tall order. For the unheralded CPOs who have carried the torch of GDPR awareness and compliance so far, it is a chance to extend their role through intelligent partnership, working with the Chief Information Security Officers (CISOs) who hold the purse strings for information security programmes.
However, to do so effectively, this team will need buy-in from the entire C-suite and other stakeholders too. Instilling a sense of responsibility in heads of departments is crucial. Not only can these team members become beacons of best practice, but the GDPR makes it clear that the burden of proving compliance lies with the organisation. Hopefully, the business benefits of compliance will be enough to convince most departments. If not, the sheer weight of the €20 million fines should be persuasive. Working with the CPO, the CISO (and the DPO, if your organisation has one), heads of departments will be obliged to understand and document exactly what data they are collecting and processing. In the case of a data breach, this increased transparency means departments will have nowhere to hide, and this can be a powerful reason why they should embrace their accountability now.
To support these new responsibilities, CISOs will also need to introduce data protection and security procedures that align with the GDPR, which means either creating new policies if none are in place or revising existing ones. Some businesses have explored implementing penalties for rule-breakers, while others have sought to introduce a rewards system for those who show compliance. Yet the core ingredient for all will be better understanding, not just of the requirements but of the potential benefits to the business too: if businesses want their workforces to recognise the importance of the GDPR and meet its requirements, they must provide in-depth educational programmes. This means working closely with Human Resources (HR) to explain the GDPR, why data protection matters, and the wider impact of a breach. Because data usage varies across an organisation (marketing may have a different approach to collecting and processing data than finance does), training may need to be tailored. However, the overarching ethos of maintaining privacy should remain the same.
With the above steps in mind, it’s important to remember that there is no prescribed framework for GDPR compliance. Ultimately, it’s a regulation that has privacy at its heart, and it requires all members of an organisation to make the right judgements about protecting people’s rights.
Creating and working within a culture of privacy is integral to helping employees make decisions that protect consumers’ information and the interests of the business — and this is perhaps the greatest challenge the GDPR sets. However, if companies can achieve this goal, they can set their sights beyond simple compliance, and define their culture in terms of respect for the law and the rights of individuals. Those who do will build bulletproof relationships with their customers and stand head and shoulders above their competition.
By Adrian Newby, Chief Technology Officer, Crownpeak