Speaking at The European Information Security Summit 2019 in London, Matthew Kay, group data protection officer at Balfour Beatty, said that organizations “are very different” in how data protection and risk are approached, and that it is up to the data protection team and board-level executives to set the right direction.
“In our organization we have four pillars: to lead, being experts, being trusted and being safe, and it is really important to align your work with the wider strategy of the organization as you’re likely to get more buy-in,” he said. “In terms of data protection, we want to be trusted in terms of how we process people’s information.”
Kay encouraged delegates to consider the drivers for individuals, as not everything works the same for every person, and to consider the psychology of people and what motivation and coaching are needed.
Looking at how to overcome internal challenges of employee and board-level buy-in, Kay recommended the following:
- Clear direction and strategy
- Policy framework
- User-friendly approach
- Context
- Contingency
- Budget
- Resource
He admitted that we’re all guilty of not reading policies, but said the answer is a user-friendly approach: if you make a policy simple and deliver just the key points, you will get better buy-in, and this can lead to a better budget allowance.
“A lot of the time, if you cannot put it in language that individuals understand and appreciate, they are not going to respond to it as they cannot draw the line on how it relates to them in terms of data protection and security, so you have to bring it to life,” he said.
In terms of how to ensure individuals are aware of their data protection responsibilities, Kay said this can work both inside and outside the office:
- Senior leadership engagement – if they lead from the front the rest will follow
- Technology – there are so many tools that can be used to your benefit
- Trust – if you cannot trust people to work remotely why employ them in the first place?
- Communications plan and training – keep it to the point on what they need to know
- Incentivize – encourage and engage individuals who want to do the right thing
He concluded by encouraging regular and refresher training to ensure employees remain engaged, and openness towards staff and partners. “If they are happy with what you are doing they are not going to complain, and if they are not going to complain, they will hopefully not go to the regulator, and if they do, manage that complaint on a regular basis.”