25th May 2018 may be a memorable date for some, but for others perhaps not. It was, in fact, the date the EU General Data Protection Regulation became enforceable, as did our local Data Protection (Jersey) Law 2018. Looking back to late 2017 and early 2018, there was considerable nervousness and, in some cases, hysteria around this approaching deadline. There was a feeling of impending doom for many who, having assessed their use of personal data, found both processes and culture to be severely lacking, and there were only 14 hours to save the earth, or so it seemed at times.
Observing the behaviours at the time and looking back now in retrospect (which is a wondrous thing), we can take one major learning from the approach to the coming into force of this updated data protection legislation. Deadlines have a significant psychological impact; they make us take notice and act. They also cause considerable stress and panic, which can lead to ill-informed decision making. So, what happens now that the deadline has passed and the ticking clock has finished its doomsday countdown? Does the memory remain or have we encountered data protection apathy?
In my experience, the answer is a little from column A, a little from column B. I have certainly seen and experienced the positive cultural changes within organisations who have integrated the spirit, language and process into the everyday. In these organisations, data protection impact assessments (DPIAs) are not seen as an overhead but rather an obvious necessity, and I regularly hear people query whether a new process involves personal data. These organisations also, interestingly, exhibit higher overall employee engagement and cultural positivity, stemming from a strong belief in their underlying values. And this is what makes organisations truly demonstrate their values after all: treating the personal data they hold with respect highlights integrity, respectfulness and honesty, many of which feature as core values of large and small organisations alike.
Of course, on the converse, I have also witnessed particular sub-sectors who for some reason felt that data protection was something they already did and so no change was needed, but interestingly these are where some of the breaches are most likely to occur, and indeed have occurred, often with some of the most sensitive data. There are also the organisations who simply never managed to engrain the behaviours and practices into the everyday, perhaps because the task appeared too elephant-like, or simpler still, because they didn’t see the link between their values and the values which the Data Protection (Jersey) Law 2018 aims for organisations to make commonplace. The deadline in these cases was perhaps too extrinsic a motivator, driven by an external requirement and the threat of penalties/fines, which perhaps seemed too distant from the here-and-now problems at that time, or indeed the ones which exist today, particularly those resulting from the pandemic.
However, it is well known that intrinsic motivation is more effective and long-lasting when it comes to achieving goals on an ongoing basis. Therefore, for organisations who can recognise in themselves a latency or apathy in relation to data protection, it may simply be the lack of defined organisational goals in this area which is preventing true progress. Data protection is not a once-and-done tick box; it is an ongoing requirement which requires regular review and reassessment, particularly as technology advances and changes occur external to the organisation’s sphere of control. Equally, it provides an interesting opportunity to demonstrate organisational values and a culture of practising what you preach.
So, if you are reading this and feeling a slight shiver of nervousness, don’t hit the panic button; take stock, review where you are and where you need to be, and set some achievable goals to move your organisation and your people forward. And remember, there is no better demonstration of values than to live by them.
“The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official position of the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner) (the "Authority"). The Authority is not responsible for the accuracy of any of the information supplied by the guest writer/bloggers and the Authority accepts no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.”