In the November blog post, Juha wrote about the importance of planning and control as guarantors of the level of data protection, both important things. Well-designed also means that services and systems are easy to use. The vast majority of employees in companies and communities know little about, or care little about, the GDPR; this is quite normal, and even a fanatical security manager or data protection officer cannot hope for more.
This is why it is essential to consider, already at the design stage, how the GDPR requirements are communicated, trained and implemented internally.
Communication should start at the stage of the project where it is known what data is stored and used, and of what kind, i.e., right after the data's status and mode of processing have been mapped. Unfortunately, communication is often left to a couple of e-mails announcing that the legislator has issued a regulation which must be complied with as it is. The guidelines then use a few bullet points to tell what not to do, and that's it.
In my experience, this is the point where there is a risk of making the first mistake, and a rather expensive one. Coercion is a lousy motivator: if the staff is at least given an outline of what it is about and how abuses can affect the business, the human mind finds it easier to embrace and is more motivated to work on privacy. The GDPR is an indigestible legal text to interpret without direct guidance on how people should handle the requirements. Still, in capable hands, the requirements can be used to identify the necessary practical actions, designed to be usable in the organization.
Employee training should always be tailored to the client's needs and situation, not cut corners by directly copying what has been done in the past. Well-planned training presents the rationale for the data protection work, making it easier for employees to understand and accept the requirements. Of course, data protection is the company's responsibility, but blundering in your job usually slows down career development or may even end it. Ignorance is no longer a valid justification.
Unfortunately, usability is often left at the level of beautiful presentations and diagrams that do not draw on the staff's experience and expertise. Who knows better than the team how the company handles things? The inherent sin of service design, on the other hand, is the lack of testing already at the design stage; in practice, processes are often copied and so are not necessarily designed for the needs in question.
To sum up, a GDPR or data mapping project designed and implemented in collaboration with an expert is always better than a list of measures generated from a Google search, which is mostly left to the staff to interpret and enforce. In the worst case, it remains partly undone.
At GDPR Tech, we have expertise in planning communication, training and service usability. A reasonable additional investment in implementing the change will pay for itself when the project results are evaluated afterward. A mere order from management to act one way or another is likely to remain a half-hearted performance, and the secure processing of personal data will not become part of the organization's operating culture.
The author is an all-rounder in business information security who has recently fallen into the intricacies of service design and experienced enlightenment about usability as an integral part of the whole.