The sizeable gap

Is it more important for a Data Protection Leader to be an expert in data protection law, or to orchestrate behavioural change from top to bottom?

I’m still surprised by the number of job ads for data protection leadership roles that focus heavily on the need to have either a legal background, or a deep understanding of laws and regulations, yet almost fail to specify critical leadership behaviours, let alone competences needed to change behaviour in all levels of an organization.

It’s about People
In simple terms, data protection is about people.

People entrust companies to process their data about themselves, and companies must demonstrate they respect their rights.

People (employees) in companies process the data.

Senior managers and leaders in companies are people making critical decisions that make or break the success of data protection compliance initiatives.

The legal bias
Unfortunately, many data protection compliance initiatives float around companies tagged as ‘necessary evils’ or ‘compliance issues’ typically anchored in legal or compliance departments. It is still rare to find a Data Protection Strategy aligned with key data-fueled elements within the company’s business strategy and anchored in the parts of the business who mostly benefit from the processing of personal data.

These ‘necessary evils’ often only pay lip service to ‘the people factor’.

Policies and procedures are often imposed on employees without any of their involvement in the drafting process. There may be some generic data protection education, or an off-the-shelf eLearning package.

Just giving employees information doesn’t change their behaviour. 

Senior managers and leaders often see themselves above the need for the specific education needed for them to understand fully the implications of decisions they’ll take that can make or break the success of the project, program or BaU process.

The successful Data Protection Leader
To be successful in fulfilling the aims of legislation such as the GDPR, a Data Protection Leader needs to be able to actively guide, lead, influence and inspire a diverse range of stakeholders (people) in their companies. They need to understand how companies work, not least the ever-changing ‘invisible architecture’ of inter-personal power dynamics, relationships, agendas, motivations, etc. that are unique in all companies. 

Focusing on people requires influencing their behaviour. The successful Data Protection Leader understands and applies the same tools used around us all in other contexts influencing our behaviours. Often, the same behavioural science techniques used by their own company’s product development and marketing departments to influence consumer behaviour.

The successful Data Protection Leader uses these tools to influence senior executives and other leaders to respect data protection in the same way as they respect say, data analytics – two sides of the same coin. The leaders are coached in key data protection concepts relevant to the decision making expected of them, particularly risk acceptance and investments, especially investment in behavioural change across the organisation.

Employees will then start to ‘get it’ instead of trying to decipher bold, generic corporate statements and principles about ‘GDPR’.

They will then know exactly what’s expected of them at 10.12 on a Tuesday morning when they are scoping a new marketing campaign, or at 14.30 on a Thursday afternoon when they are participating in a kick off workshop for the new consumer app.

Conclusion
Often, small and simple behavioural changes drive significant results. The first change companies must make is to recognize that data protection is not solely a legal issue.

Many competences are required – including strong legal expertise – and companies need to appoint Data Protection Leaders who are well equipped to guide, lead, influence and inspire people at all levels of their organization.

Tim Clements
Copenhagen, Denmark