Date: 2022-03-08
The process of changing the culture of an organisation to motivate its people to live and breathe data privacy doesn't just happen by itself.
What I’ve seen in many organisations is that data privacy and cybersecurity are perceived as an ‘IT problem’ or that it is the responsibility of a couple of people or external consultants to manage the risks.
To shift perceptions so that data privacy and cybersecurity are seen as part of everyone’s shared day-to-day responsibility, as opposed to an add-on to daily work life, it is important to blend these concepts into the daily workflow. For this, we advocate for the data privacy ‘change champion’.
The change champion model considers the most effective route to persuade or advocate for change across, well, literally all levels of the organisation. It is far more likely that teams will align themselves with or be persuaded to consider changing their behaviour if the message comes from someone they’ve worked with, someone ‘who has walked in their shoes’ or someone who can show empathy for the change they are going through.
What makes a good change champion?
These are typically individuals who volunteer (first prize) or are selected to facilitate change inside the organisation. The champion is an active member within the change process during all stages. They promote and advocate the desired future state. They embody the change by setting an example to peers or teams. They motivate others to share in the experience.
Change champions understand that they are creating the perfect environment in which to nurture and multiply pro-data privacy behaviour. They understand the legislative requirements of the current POPIA laws in South Africa. However, they may not fulfil the information officer (IO) or deputy information officer roles required by POPIA per se. Instead, they support the execution of the information officer’s duties. The C-suite are not always the assigned change champions – sometimes it is their direct reports, middle managers or others who work with teams day-to-day. In some industries such as retail, health care or aviation, change champions are not only selected from management but also from frontline personnel or first responders.
Metaphorically speaking, change champions can be considered ‘beekeepers’ managing the ‘mood of the hive’ at multiple levels of the organisation as they work with its golden currency – the personal information and data of the organisation and its customers.
With that said, here are a few considerations organisations should keep in mind when identifying and cultivating privacy champions:
1. Look out for sweet spot characteristics of a change champion
A change champion is a person who embodies natural leadership abilities or holds a position of influence within the organisation that allows them to enable, inspire and empower ‘all the bees in the hive’. Some of the characteristics to look out for when considering change champions include:
- Trust and social capital: The candidate has been with the organisation for an appropriate amount of time with strong relationships and social capital.
- Leadership competencies: The candidate demonstrates good leadership qualities, potential or competencies as identified in the organisation’s development plans or frameworks.
- Pro-change attitude: Sometimes great leadership competencies and social capital are not sufficient on their own. The candidate should also be open to change, technology or new ways of working in general.
2. The task of privacy champions goes beyond that of a sting operation
The term ‘training’ tends to be received negatively by employees and teams. To be effective, privacy ‘training’ should not be a 'tick-the-box' sting operation. It goes without saying that training designed to cultivate a pro-privacy internal culture should be formalised. Consider crafting tailored empowerment and awareness moments that are relevant to actual roles performed internally, the needs of the organisation, the organisation’s privacy statement, purpose, culture and values.
Privacy awareness and empowerment opportunities become part of the day-to-day workflow and should not be positioned as a separate training exercise. Internal stress-tests, fire drills and cybersecurity campaigns are designed to force teams to engage with a threat. We are training an individual’s fight, flight or freeze response, which gets triggered by a risk event, so that the person acts in the correct way, uses the correct procedure or references the correct point of action. If these incidents are not actually rehearsed or if standard operating procedures (SOPs) are not updated to reflect privacy requirements, a person’s fight, flight or freeze response in the moment will default to whatever ‘feels right’ then and there. We need it to default to an appropriate behaviour.
To be effective against cybersecurity threats, new habits and behaviour form over time. Change champions need to model these behaviours.
Keep in mind that awareness messages resonate deeper when they are consistently repeated via various touchpoints. These touchpoints may be delivered to all senses: as online learning opportunities through streaming and videos; in person via small group workshops, townhall meetings and simulations; or as visual memos via posters, newsletters, booklets, pamphlets and email campaigns.
3. Keep calm, and stay busy!
Beehives have one secret to success – their work is a never-ending cycle of product refining. The desired future state that is the internal protective behaviour towards data privacy will by nature never end, nor rest in a perfect state. Inspiring and manifesting ethical interaction with the modern data privacy-first organisation’s most valued currency remains an ongoing task.
Introduce privacy awareness and empowerment moments as early as the induction process for new team members. Then, refine and redefine during role changes, at departure moments, and at the start of or debrief of new projects or campaigns.
In fact, change champions are always on the lookout for new and improved ways in which to refresh and update behaviour that simply does not contribute to a pro-data privacy culture.
A simple dashboard of all empowerment and awareness moments keeps track of successes and measures impact. Include metrics such as the percentage of the workforce that has undergone awareness moments during a given period or responses to stress tests. Specify the nature in which this moment presented itself or was executed. Note the channels and messaging utilised. Record the percentage of training completed and the results of quizzes or simulation exercises. Jot down any noticeable evolutions recorded over time. Highlight the number of reported privacy incidents and steps taken.
4. Privacy architecture is intentional
Change champions should not be expected to be privacy architecture experts. They only need to work within the environment in which they are already immersed.
Privacy architecture experts such as the information officer (IO) or chief information officer (CIO) are often required to craft policy and procedures linked to the technology boundaries in place or to be created. For an IO or CIO, change is included as part of an active goal, ongoing project or KPI.
A recent article revealed that more and more organisations are hiring trained and skilled technical experts in the role of the privacy architect. These roles are tasked with the KPI for each change champion to build privacy into the technology used by the organisation.
In an age where data is every organisation’s golden currency and worthy of protection, there are no compelling reasons why the rise of the role of privacy change champions should be sidelined. We have found that the change champion strategy significantly improves attention management, team morale and overall internal alignment with the desired future state to prioritise pro-data privacy. Applying this model lessens the chance of falling back into old habits.