The Significance of Building a Data Protection Culture

The term ‘organisational culture’ was first coined back in 1951 by Dr Elliot Jaques. In essence, Jacques described ‘organisational culture’ as “a factory’s traditional way of thinking and doing things”. Since then, key thought leaders have continued to develop the term's meaning and apply it to modern business.

With that, the term more commonly recognised as ‘company culture’ evolved. Defining the personalities of businesses both small and large, culture paints a picture of an organisation from the workplace environment through to ethics and values. This is something considered to be even more important in modern times, especially so as Millennial and Gen Z employees continue to push higher ethical expectations in areas such as Corporate Social Responsibility.

Yet, as the Information Commissioner's Office postpones substantial data compliance fines for the likes of British Airways and Marriott, it seems organisations are neglecting a key element of company culture.

Put simply, the handling of sensitive data (and in particular customer data) falls under business ethics. In fact, ethics were a driving force for the changes that emerged with the European Union’s General Data Protection Regulation (GDPR). Even now, with new leaks circulating, should we question whether a lack of the right company culture is to blame for instances of data protection negligence?

Untouched culture

Back in May 2018, the GDPR was something of a culture shock for many. In reality, it should never have been like that.

Despite organisations claiming that sensitive and confidential customer information was being used in the right way, it wasn’t. The benchmark was raised with the GDPR. Many businesses had become too complacent and the blurred lines of what was the right and wrong way of processing sensitive data had suddenly been made a lot clearer.

Although business leaders began to seek alternatives, was culture at the forefront of their decisions? Possibly not. Instead, data procurement methods were sought after in the hope that businesses would not lose complete control of their data handling. In many cases, the security of data was an afterthought as quick and convenient off-site methods were trusted to comply with the new legislation.

For some, their methods and ideologies didn’t change much, meaning that internal culture towards data protection remained the same. As new data protection cases continue to make the headlines, it’s clear that outdated methods and cultures simply will not cut it any longer.

From the top

The UK's Information Commissioner Elizabeth Denham once stated the importance of introducing data protection as part of the cultural fabric of an organisation. In fact, it was only a year ago that Denham, when speaking at the Data Protection Practitioners’ Conference, admitted: “I don’t yet see that change in practice”.

With data security experts continually reminding businesses to move away from a ‘tick-box’ mentality, how should organisations force that change? Well, aside from data protection officers, the responsibility rests with directors and upper management. Company culture needs to be driven from the very top of the organisation and developed throughout.

Education plays a huge role in the success of this. Although we cannot expect each individual to understand the ins and outs of data protection, courses and expert guidance is now readily available (and has been for some time) . For example, key to sensitive data destruction are appropriate levels of security.

Under the GDPR, strip cut shredding levels P-1 and P-2 simply cannot be considered to provide an adequate protection for personal data. While tailored advice on how to remain compliant is available, most organisations should consider a minimum standard of P-4 cross-cut or P-5 micro cut levels of security. By sharing that guidance, both individuals and larger departments can then begin to understand the responsibilities of the business and focus on accountability as well as how to approach their role throughout the process of data destruction.

Setting aside budget

In addition, business leaders must set aside budget for robust data destruction methods. Without it, cheaper alternatives are sought, which can then bring with them unsightly and highly expensive results. 

As most security experts agree, for confidential paper documents the most secure method of destroying data is using an internal shredder at the correct security level. For larger departments, this may mean multiple shredders are required to ensure each individual can complete their role effectively.

While the approach to methods may differ depending on factors such as the size of the facility or information processes, there are Best Practices that can be ingrained into almost any company culture. For example, many security experts promote a ‘shred little and often’ approach to ensure paper documents don’t build up and, as such, are not placed at risk of loss or theft.

By implementing these small, but positive changes to sensitive data destruction procedures that are enthusiastically backed by senior management, an organisation can feel comfortable in knowing that it has done everything possible to apply a positive data protection culture.

Time for a change

As we approach a new era of the GDPR, organisations need to truly reflect on whether they themselves must enter a new era of internal data protection culture.

From top to bottom, all departments should be proactive in deciding whether their sensitive document destruction procedure is appropriate to their real-world requirements. Only when businesses develop an holistic approach to data protection culture can they be sure that they’re tackling document security correctly.

Mark Harper is Senior Business Leader and Specialist in Effective Document and Data Media Security Destruction Strategies at HSM