(United Kingdom) Enrique Fernandez-Pino thinks culture is key to GDPR compliance, sharing five hacks to orientate staff behavior around robust data privacy practices. CIO Review reports as follows:
“It has now been over a year since the introduction of the new GDPR legislation, and we have just learnt that British Airways (BA) is facing a fine of up to £183m from the ICO. However, other than increasing the government’s coffers and knocking down a few percent on IAG’s shares, I am not convinced that it will have much effect on the way we look at personal data.
Human behaviour can only be influenced in two ways: carrot or stick. The stick approach is the very reason why authorities often seek punitive legislation. I am convinced that my equivalent at BA will now be getting all the money that he or she will have been requesting for years to prevent this fine. But I am also convinced that the rest of the world will read the article, be surprised about the size of the fine, wonder what the fine would look like for their P&L, and move onto the next conversation about monetising customer data.
The carrot approach, on the other hand, tends to have more pervasive results. GDPR is a very complex piece of legislation, designed like all pieces of legislation (by lawyers for lawyers). The average human would not read beyond paragraph two. Even as a trained lawyer, I had to ask for help from our legal department when the time came to implement the legislation.
The reality is that we need to make all this easy for our employees. In the Bible, Moses did not write fifty pages of policies. He restricted the commandments to ten for a reason. He made them easy; thou shalt not kill. There you go, that’s easy to follow. If we applied this principle to GDPR, the commandments would be very simple: thou shalt not use personal identifiable data unless the individual has positively agreed to it. It is very simple.
Although this is not an IT issue (it is a Board issue), I was given the accountability for implementing the new GDPR legislation in our company. The implementation work team saw the new law as a compliance item: in their eyes we had to avoid the monumental four percent turnover (£138m in our case, in other words, the entirety of our yearly profits) contained within the GDPR Law. For me it was a deeper need; we had to respect the fundamental right of our customers and employees to their digital privacy.” (Enrique Fernandez-Pino)
(Privacy press clipping sourced via CIO Review)
Jurisdiction: United Kingdom
Enrique Fernandez-Pino, who is Chief Information Officer with the Go-Ahead Group plc, argues that ingrained, habitual behaviours are the key to avoiding large GDPR fines. This means that any compliance strategy must include a significant company-culture element rather than relying on policy documents alone.
Fernandez-Pino advocates making it simple for employees, and suggests five culture ‘hacks’ to this end: (1) start from the top; (2) create and use the language of privacy; (3) identify and focus on the communities within the company that have the highest impact on data privacy practices; (4) make compliance human, relatable and use the carrot (i.e. positive) approach to motivate change; and (5) create and communicate basic rules to drive compliance, erring always on the side of simplicity.
Fernandez-Pino sums up the GDPR with the phrase, “thou shalt not use personal identifiable data unless the individual has positively agreed to it”. That is a deliberate simplification: consent is only one of the six lawful bases for processing set out in Article 6(1) of the GDPR (the others being contract, legal obligation, vital interests, public task and legitimate interests), and a rule phrased purely in terms of consent will make routine processing under those other bases look like an exception. Even so, consent and transparency are a sensible broad starting point for any comprehensive approach to data privacy compliance. Fernandez-Pino seems to be saying, implicitly, that you cannot run an exceptions-based culture. Rather, in his view, simple rules are easy to ingrain in routine behaviours and end up being an expression of your corporate values.