Enrique Fernandez-Pino, Group CIO, The Go-Ahead Group plc (LSE: GOG)
It has now been over a year since the introduction of the new GDPR legislation, and we have just learnt that British Airways (BA) is facing a fine of up to £183m from the ICO. However, other than increasing the government’s coffers and knocking down a few percent on IAG’s shares, I am not convinced that it will have much effect on the way we look at personal data.
Human behaviour can only be influenced in two ways: carrot or stick. The stick approach is the very reason why authorities often seek punitive legislation. I am convinced that my equivalent at BA will now be getting all the money that he or she will have been requesting for years to prevent this fine. But I am also convinced that the rest of the world will read the article, be surprised about the size of the fine, wonder what the fine would look like for their P&L, and move on to the next conversation about monetising customer data.
The carrot approach, on the other hand, tends to have more pervasive results. The General Data Protection Regulation (GDPR) is a very complex piece of legislation, designed, like all pieces of legislation, by lawyers for lawyers. The average human would not read beyond paragraph two. Even as a trained lawyer, I had to ask for help from our legal department when the time came to implement the legislation.
The reality is that we need to make all this easy for our employees. In the Bible, Moses did not write fifty pages of policies. He restricted the commandments to ten for a reason. He made them easy: thou shalt not kill. There you go, that’s easy to follow. If we applied this principle to GDPR, the commandments would be very simple: thou shalt not use personally identifiable data unless the individual has positively agreed to it. It is very simple.
Although this is not an IT issue (it is a Board issue), I was given the accountability for implementing the new GDPR legislation in our company. The implementation work team saw the new law as a compliance item: in their eyes we had to avoid the monumental fine of four percent of turnover (£138m in our case, in other words, the entirety of our yearly profits) contained within the GDPR law. For me it was a deeper need; we had to respect the fundamental right of our customers and employees to their digital privacy.
As humans, we value our privacy. We live in individual houses, which we lock behind us when we leave. We own individual cars, which we also lock. We seal the envelopes that we use to send letters to other humans. Our phone number can be “off-directory.” Even in childhood we never liked it when our parents tried to control our movements. Humans like privacy, and the digital world should not be any different. We should protect data simply because it’s a human right, not for fear of the penalties from the ICO. This mindset must start from the top. If the CEO does not believe in this principle, the implementation will be an uphill struggle. The Institute of Business Ethics (IBE) defines ethics as “starting where the law ends,” and this should always be in our minds when dealing with personal data.
Changing culture is probably the most difficult task in corporate environments. For me the key lies in using “culture hacks,” a term often used by Gartner. The key to changing behaviour and creating a culture of respect for customer and employee privacy lies in the following “hacks”:
• Culture hack 1 – Start from the top. If the CEO and the Board are not on board (excuse the pun), the chance of creating a cultural change is remote.
• Culture hack 2 – Create the language. Embed the principle of privacy in the leadership teams, especially in their language. Create a common and simple language around privacy.
• Culture hack 3 – Focus on certain communities. Four communities will give you 80 percent of the coverage. The leadership team: they rarely have access to personal customer data, but they frequently handle employee data. The marketing team: they tend to be the ones most inclined to monetise customer data, and they sit on the largest temptation and risk. The personnel team: with access to all employee records, including sensitive data such as medical records or details of employees’ children, they must consciously handle these records with great care. The IT team: particularly employees with enhanced access to databases.
• Culture hack 4 – Make it human. Start with the carrot approach. Ask people how they felt when affected by previous data leaks (Yahoo, etc.), and ask them to reflect on the impact the leak had on them as an individual.
• Culture hack 5 – Make it simple. Instead of long-worded policies, make it easy for people to remember. Aggregated data, where no data can be tracked back to an individual, is likely to be OK to create and monetise. Personally identifiable data, or data that can be traced back to an individual by crossing it with other databases, is not OK to manage or monetise, unless the individual has positively agreed to it.