Beyond compliance: the Seven Deadly Sins of privacy management

By Simon Davies

Any company that has a data protection officer or privacy adviser will understand the fundamental risks of bad data management. Keeping too much customer information – and for too long. Failing to provide even basic security measures. Risking data breaches because of poor staff training and support. These are obvious mistakes that no company in this age should make. Nevertheless, they do make such mistakes every minute of the day.

But what about the more systemic aspects of good privacy? What are the Good Practice principles that create a solid and confident foundation for privacy protection? These practices might not be required in law, but they are essential.

After more than thirty years in the privacy space, both campaigning and litigating against companies – and advising them – here are the eight common failings that I believe are most prevalent:

  1. Putting your DPO too far down the management chain. Ask any smart military expert. Whenever any aspect of a campaign becomes critically important, you move the person responsible for that aspect up the command chain. Data Protection and privacy have now become such critically important issues for customers and for reputation that top level reporting is essential. Make sure the officer responsible has direct access to the CEO.

  2. Understand the difference between compliance fulfilment and risk mitigation. Most data protection officers – like most DP advisory services – are compliance focused. They often operate a checkbox process rather than looking deeply at company information practices to assess risk. Instructing such a person to “just make us compliant” won’t help you avoid many of the hidden risks. These days, when a privacy disaster unfolds, you can’t rely on a compliance defence. The media – and your customers – will no longer buy the argument that you simply stuck by the rules.

  3. Cutting and pasting your privacy policy. Contrary to popular wisdom, a surprisingly large number of people actually do read privacy policies. These are exactly the type of customers who will militate to protect their rights. Your privacy policy is the company’s front-facing declaration about how it intends to protect information. It is a commitment and should be sensitively and accurately created. Avoid rhetoric and clichés.

  4. Many companies are reactive rather than proactive. Your staff – and your customers – are your most important privacy resource. Identify interested and relevant staff and turn them into privacy champions. Implement brainstorming sessions to determine risk. And, simplistic as it may seem, build real or digital suggestion boxes.

  5. Create a direct link between customer services and the privacy officer. Your customers are a forward intelligence resource that can warn of impending risk, but far too many companies use “off the shelf” customer support systems that are incapable of identifying and actioning privacy-related complaints. These tend to disappear simply because they have nowhere to go. Consider creating a flag system that can be accessed by the DPO.

  6. Create an integrated information protection system. Don’t fall into the trap of pigeon-holing your departments. IT services, data protection, security and privacy should be a fully integrated ecosystem. Too many companies use archaic definitions of privacy, data protection and security to implement separate departments that rarely communicate. Doing so will create poor information practices and will substantially increase risk.

  7. Relying exclusively on your antivirus software. While the vast majority of bugs and attacks can be detected by antivirus software, it would be a fundamental error to sit back complacently and assume that facility will solve all your problems. Ensure that the company is in touch – in real time – with virus alert services and news feeds. Create a forward-looking security policy that isn’t just a press statement. Make sure you build security risk mitigation into every layer of both products and management. And – most important of all – realise that human behaviour often overrides automation. Insider risk, stupidity and the human factor must be factored into Good Practice procedures.