The imminent GDPR is a timely reminder that all organisations should be proactive in their management of their data – both hardcopy and electronic. However, new storage proposition, the explosion of cloud services and creeping growth of shadow IT has meant that organisations are collecting and processing ever larger electronic data sets. At the same time, a reluctance or lack of direction to destroy anything in hardcopy format (“just in case”) has led to a comparable growth of hard copy data.
Given that most organisations are balancing the requirements to be compliant with legislation and associated regulation, with the need to take reasonable cost out of the business wherever possible, it makes sense to view GDPR as an opportunity to revisit data management and promote a data aware culture.
If we take the definition of ‘culture’ from management guru Tim Ferris as, “what happens when people are left to their own devices,” then the need for a data aware culture in modern business becomes even more important.
Changing corporate culture is not simple, so here we offer three thoughts which organisations should consider adopting:
Data belongs to everyone
In many of our conversations with our clients, the typical answer to the question, ‘who owns this data’ is “the IT department.” The concept of data ownership, as opposed to system or technology ownership, is still emerging. By making individuals accountable for the data that they collect, store and transfer, the onus is back on employees to ensure that they question their current practices.
Data considerations in business processes
By introducing data considerations into business processes, organisations will benefit from a greater awareness of the need to consider data. Particularly personal and sensitive data as it traverses the enterprise. Organisations may wish to adopt a data privacy assessment stage within their programme methodology. This will give early identification of data issues and allow for appropriate controls to be applied at the appropriate time, rather than ‘bolted on’ at the end.
Creating a positive data culture
Allied to the first point, appointing local or department ‘champions’ for data related queries can be one way of spreading positive messages. This can help organisations with their data management problems (‘throw it away!’) and providing the first point of contact. Creating a positive data culture will depend on clear guidance and an absence of fear. Otherwise employees will default to keeping everything, often in triplicate, usually in multiple locations.
Three methods you can implement to embed these changes into your business:
Communicating to employees over lunch
Getting people together over lunchtime can be a great way to propagate messages in a more informal setting. If we accept that there’s no such thing as a free lunch, we also need to think about how to best engage employees giving up their lunch hour. Options such as bringing in an outsider, offering different food choices or allowing employees to bring up their own data concerns (in a non-judgemental environment), is likely to have greater engagement than PowerPoint and Pizza.
Relate work scenarios to home situations
One of the most effective methods of improving information security in recent times has been to talk to employees. Talking about the impact of a security incident in their home life. Inviting them to connect those same risks to the workplace. It gets people thinking. Just as we wouldn’t store run-of-the-mill newspapers or outdated copies of the Yellow Pages at home. There’s often no reason for storing (most) paper documents indefinitely. Seek advice from data governance specialists to understand what must be kept and for how long. This will also start to save your organisation storage costs.
Gamification to build awareness
The past five years has seen a dramatic rise in ‘gamification’ as a method for learning and changing behaviours in organisations. Games can be fun for the learner, yet significantly improve in developing a data aware culture. The playing of such games bringing a high level of engagement and an increase in knowledge retention. As organisations increasingly adopt gamification to improve cyber security awareness, there’s a great opportunity to extend this to data management issues. This can all be done with a view to meeting compliance requirements and reducing costs wherever possible.
If you would like to discuss data management with one of our specialists, please contact our Practice Lead, Paul Gribbon on 020 7877 0060.