Do You Have Data Protection Values in Your Culture?
In most successful businesses, sharing information is encouraged — collaboration and communication lead to the best decisions, right? Despite the benefits of a "sharing culture," companies operating in the digital economy must also develop a data protection culture.
The landslide of global data privacy and protection regulations has many businesses trying to weave data protection values into their culture of compliance. What's required, and how can companies reach employees with the privacy message?
Significant Privacy Regulations
The new European Union General Data Protection Regulation (GDPR) extends privacy mandates to businesses worldwide. Starting in May 2018, companies that process EU citizens' personal data for the sale of goods or services, or for monitoring behavior, will face noncompliance penalties of up to 4% of their revenue.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) requires that health care organizations, such as hospitals, insurance companies and dental practices, as well as their service providers, keep patients' protected health information (PHI) secure and private. To drive home how seriously this is taken, a single HIPAA penalty hit the $5.5 million mark in early 2017. Violators also incur large public relations and corrective action costs.
Privacy Is Everyone's Job
Employees sign employment agreements and complete training on privacy and data protection, but how exactly should privacy shape their daily interactions and work? Sharing and discussing news stories and the specific data protection rules relevant to each team can help employees connect privacy to their jobs.
IT and Web Teams
Yes, IT is already deeply involved in data protection. IT teams manage backup tapes, secure asset destruction, disaster recovery and system access credentials. But does the IT rank and file need help connecting the dots between their role and data protection regulations and values? And do web operations and systems staff relate privacy concerns to their own jobs?
Educating IT and web teams on their GDPR "data protection by design" and "data protection by default" roles can bring home data protection values. The EU requires that data protection be built into data processing systems and procedures up front, during system design and implementation. Anonymization, pseudonymization and encryption are techniques for designing data protection in.
Companies also rely on IT to meet the "data protection by default" rules. Technical teams must ensure that only the data that is needed is processed, and that the data is accessible only to a defined group. HIPAA has similar "need-to-know" restrictions for PHI.
Both GDPR and HIPAA obligations extend to third-party vendors, too. Data protection must be front of mind when IT evaluates third-party cloud storage and backup services that handle personal data. Privacy even comes into play with secure media destruction.
Marketing and Public Relations
Consent is a key concept in familiarizing marketing teams with their privacy responsibilities. Marketing campaigns and website forms that process personal data must meet the new, stricter GDPR consent requirements. Obscuring consent policies with technical jargon will no longer be acceptable. Consent language must be clear, and users must affirm consent to the processing of their personal information through a clear statement or an affirmative action.
PR departments must likewise take care not to divulge patient information without authorization in press releases or in press conferences following disasters.
Human Resources
HR must live data protection values. This team is the keeper of employee health information and personal identifiers. Does HR build data protection values into the company culture and training? Under HIPAA, HR teams themselves must take extra precautions not to leak or share PHI. And under the GDPR, HR cannot transfer EU employee data to U.S. payroll, HR and other systems or reports without proper consent or mechanisms such as Binding Corporate Rules. This has a big impact on common global business operations.
Increasing privacy and data protection regulation means that companies must balance a culture of sharing with data protection values. Bring data protection values to life in your culture with team-customized training and storytelling.