How organisations ‘do’ data protection in practice

One of the joys of the DSS project is engaging with the different disciplines, industries and fields that come together under the umbrella of digital data use. One such field is information governance (IG), which covers issues of IT security and data protection. A recent brief piece by IG specialist Richard Vibert offers a good overview of data protection issues from the perspective of data protection officers (DPOs). These professionals offer a bird's-eye view of data protection practices across business, industry and the public sector.

Drawing on conversations with more than fifty DPOs, Vibert reaches the following conclusions:

[1]  The vast majority of organisations want to do little more than ‘tick the box’ of data protection – i.e. gain assurance from a consultant or legal firm that they are not going to be fined, and then not engage in data protection issues any further. The few organisations that take an active interest in data protection usually do so in the hope of gaining a competitive advantage – e.g. attracting customers who might be concerned about data protection issues.

[2]  Organisations operating within sectors that are already heavily regulated (e.g. health and pharmaceutical) tend to engage with data protection issues in a more serious and extensive manner.

[3]  The effectiveness of any DPO depends on how they have been assigned responsibility within an organisation, and how the data protection role is located across different divisions and departments. Of course, this positioning reflects the importance that organisational leaders assign to data protection in the first place.

[4]  The main task that DPOs are involved in at the moment is answering basic data-related questions from across their companies. Vibert’s interviewees concurred that data awareness and data education are poor across most organisations. As such, the most successful DPOs are those who have developed data protection ‘sub-cultures’ across their organisations – focusing on educating employees and supporting them to work autonomously “within the modern data privacy framework”. Successful strategies include informal in-house workshops, ‘ask-me-anything’ sessions and the appointment of ‘privacy stewards’. In this sense, the DPO role shifts from being a data protection arbiter to one of data protection educator and enabler.

[5]  Dealing with third parties is the biggest data protection challenge for organisations – particularly in terms of third parties exposing the organisation to unknowable and/or uncontrollable risks. The EU GDPR requires organisations to undertake a data protection impact assessment (DPIA) where a new form of processing is likely to result in a high risk to individuals, in order to identify and analyse how data privacy might be compromised by the adoption of a new data system (NB. in essence, this is what the Victorian government has mandated schools to do prior to implementing facial recognition software). However, impact assessments and similar processes can only yield limited insights into what any third party is liable to do with an organisation’s data once it has been handed over. Vibert sees this issue as requiring significant change – perhaps in the form of “technical and automated management of third party relationships”.

[6]  Interestingly, Vibert reports a general acknowledgement amongst DPOs that most organisations do not envision data protection in terms of the individuals (‘data subjects’) whose data they are dealing with. Instead, data protection is primarily seen from an organisational perspective – most immediately ‘de-risking’ data issues, ensuring that the organisation is seen as ‘compliant’ and avoids being fined and/or prosecuted. As Vibert notes, this results in confused consent procedures, incomprehensible privacy policies and other user-unfriendly data procedures.

[7]  Finally, Vibert reiterates a consensus amongst data protection professionals that no organisation is perfectly compliant. Any organisation will have built its data infrastructure over a long period – for much of this time making infrastructure decisions with little concern for data privacy or protection. In this sense, any improvements to organisational data practices will be iterative and gradual – constrained by the ‘legacy’ infrastructures within which they are being implemented. Organisations can only do a limited amount to retrofit data protection requirements onto what they already have. The biggest driver for change is likely to come from new data products, systems and applications being adopted that have been designed to embody data protection values by default.