GDPR, big data security and culture - are you ready?
This article builds on a contribution by Caryn Vanstone to HR Grapevine Magazine, previously published online January 2018.
The General Data Protection Regulation (GDPR) will change the way organisations manage data. This impacts on a huge range of data issues, from how we handle names or email addresses to employee details, customer bank records and histories etc. With the ever-increasing use of "big data", artificial intelligence and autonomous systems (gathering ever MORE data about products, customers and employees), the requirement to keep all that data compliant and SAFE is only going to become more and more essential. From a legislation point of view, the big date is 25 May 2018 and the UK Government has confirmed that it will apply in the UK, even after Brexit.
Organisations are already holding huge amounts of data about people. But this is going to grow exponentially in the years ahead. As digitalisation, artificial intelligence and autonomous systems become more and more commonplace, a range of NEW "big data" challenges will emerge.
For example, many of us already experience a certain amount of "intelligence" in our cars: on-board computers which tell us if there is a problem, or a service is due. However, the cars of the future will not only compare fixed performance information internally with pre-programmed trigger points, but will be communicating intelligently with the manufacturer's digital and autonomous factories on a constant basis. This means that these manufacturers will possess more and more data about driving habits, geographical locations and therefore the personal lives of those driving the vehicles. We are already giving away huge amounts of data about ourselves daily in all the phone apps we use, and the "internet of things" will mean that fridges and TVs (amongst other things) will be sending more and more information about us to companies. How the companies use, secure and protect that data will become a matter of real consequence to all our lives.
Of course, system security will be essential. However, the biggest risk in data compliance and cybersecurity is always the behaviour of people, and there are two (main) routes that employers can take to try to limit the risks – imposed mechanical control and/or development of social, behavioural discipline.
“Control” involves disabling USB ports and drives, preventing the use of, and contamination from, external devices, or spending other large sums of money creating "walls" and "blockers" which disable the capacity of people to do the wrong thing. Most people find this frustrating and infantilising, and it is often expensive and requires constant updating. It can also have other detrimental side effects:
- People become reliant on rules, procedures and routines, which send us somewhat to “sleep at the wheel”. This makes people less alert to potential risks, such as phishing viruses via email, and more likely to accidentally click on something dangerous.
- It also promotes an increased laziness of mind - we stop really asking ourselves if what we are doing is RIGHT, because we are following a pre-given path where responsibility for the decision is "outsourced" to the creator of the rule or procedure, rather than the user.
“Social discipline” is much more beneficial in the long term. By this we mean the support and development of individual and social behaviours based on rigorous thinking, integrity and adult responsibility - backed up by a culture which encourages challenge, holding the mirror up and learning. This means:
- Reducing routines, increasing requirement to think for yourself
- Improving connectivity and the "normalness" of feedback, challenge and support
- Developing skills such as improvisation and mindfulness to improve awareness to risks and bring people back to a state of challenging, thoughtful “presence” in the here-and-now of their work and actions.
One tool for adopting new cultural mechanisms in the workplace is storytelling – especially success stories which describe the behaviours you want more of, like critical rigor, adult accountability etc. Helping leaders to find and share these stories compellingly is critical for the greatest impact.
At the very least, companies need to be pragmatically hosting conversations and exploring the implications of GDPR and cybersecurity risks in the Industry 4.0 age - and whether their culture is up to the challenge.
At best, we need to overturn organisational practices designed to dumb down workplace participation in favour of compliance and routines, and increase the capacity of people to challenge, question and notice what is going on around them, to make good decisions.
Leadership & Organisational Change Specialist, Lacerta Consulting Service Ltd