Data protection regulations are clear and have been for some time now. So why are organisations still tripping up? Mark Harper of HSM says a lack of company culture may be affecting their approach to data protection.
The term ‘organisational culture’ was first coined back in 1951 by Dr Elliot Jaques. In its essence, Jaques described it as “a factory’s traditional way of thinking and doing things”. Since then, key thought leaders have continued to develop its meaning and apply it to modern business.
With that, the term more commonly recognised as ‘company culture’ evolved. Defining the personalities of businesses both small and large, culture paints a picture of an organisation, from workplace environment to ethics and values. It is considered even more important in modern times, especially as Millennial and Gen Z employees continue to push higher ethical expectations in areas such as corporate social responsibility.
Yet, as the UK Information Commissioner’s Office (ICO) postpones substantial data compliance fines for the likes of British Airways and Marriott, it seems organisations are neglecting a key element of company culture.
Put simply, the handling of sensitive data (particularly customer data) falls under business ethics. In fact, ethics were a driving force for the changes that came under 2018’s GDPR laws. But even now, with new leaks circulating, should we question whether a lack of the right company culture is to blame for instances of data protection negligence?
Back in May 2018, GDPR came as a culture shock to many. But in reality, it never should have been like that.
Despite organisations claiming that sensitive and confidential customer information was being used in the right way, it wasn’t. The benchmark was raised. Many businesses had become too complacent and the blurred lines of what was the right and wrong way of processing sensitive data had suddenly been made a lot clearer.
Although business leaders began to seek alternatives, was culture at the forefront of decisions? Possibly not. Instead, data procurement methods were sought after in the hope that businesses would not lose complete control of their data handling. In many cases the security of data was an afterthought, as quick and convenient off-site methods were trusted to comply with new legislation.
For some, their methods and ideologies didn’t change much, meaning internal culture towards data protection remained the same. But as new data protection cases continue to make the headlines, it’s clear that outdated methods and cultures simply won’t cut it anymore.
From the top
UK Information Commissioner Elizabeth Denham once stated the importance of introducing data protection as part of the cultural fabric of an organisation. In fact, it was only a year ago that Denham, speaking at the Data Protection Practitioners’ Conference, admitted “I don’t see that change in practice yet”.
With data security experts continually reminding businesses to move away from a ‘tick box’ mentality, how should organisations force that change? Well, aside from data protection officers, the responsibility falls under directors and upper management. Company culture needs to be driven from the top and developed throughout.
Education plays a huge role in the success of this. Although we can’t expect each individual to understand the ins and outs of data protection, courses and expert guidance are now (and have been for some time) readily available. For example, appropriate levels of security are key to sensitive data destruction.
Under GDPR, strip-cut shredding at security levels P-1 and P-2 simply can’t be considered to provide adequate protection for personal data. And while tailored advice on how to remain compliant is available, most organisations should consider a minimum standard of P-4 cross-cut or P-5 micro-cut security levels. By sharing that guidance, both individuals and larger departments can understand the responsibilities of the business, their accountability and how to approach their role throughout the process of data destruction.
In addition, business leaders must set aside budget for robust data destruction methods. Without it, cheaper alternatives are sought, which can bring with them unsightly and highly expensive results. As most security experts agree, for confidential paper documents, the most secure method of destroying data is using an internal shredder at the correct security level. For larger departments, this may mean multiple shredders are needed to ensure each individual can complete their role effectively.
And while the approach to methods may differ depending on factors such as facility size or information processes, there are best practices that can be ingrained into almost any company culture. For example, many security experts promote a ‘shred little and often’ approach to ensure paper documents don’t build up and are subsequently at risk of loss or theft.
By implementing these small but positive changes to sensitive data destruction procedures, backed enthusiastically by senior management, an organisation can be confident that it has done everything it can to apply a positive data protection culture.
Time for a change
So, as we approach a new era of GDPR, organisations need to truly reflect on whether they themselves must enter a new era of internal data protection culture.
All departments, from top to bottom, should be proactive in deciding whether their sensitive document destruction procedure is appropriate to their real requirements. Only when businesses have a holistic approach to data protection culture can they be sure that they’re tackling document security correctly.