Your employees probably won’t ever clamor for the latest data privacy rules and insights. Still, successful organizations can find a middle ground between total apathy and unbridled enthusiasm regarding employee buy-in on data privacy.
Effectively implementing privacy measures involves adopting new practices, protocols, and, more significantly, entirely new mindsets and behaviors.
At Gartner’s annual Security & Risk Management Summit last month, Gartner Managing Vice President Mary Mesaglio’s excellent keynote, How to Get People to Care About Security and Risk, provided insight on this topic. In her keynote, Mesaglio argued that changing all types of behavior is about psychology.
“If you’re concerned about secure user behavior,” Mesaglio said, “evaluate security through a psychological lens, rather than a technology or a business lens.”
Like security, data privacy depends on behavioral change before an organization can fully deliver on its top-level business objectives. Mesaglio’s keynote is therefore directly applicable to companies as they build out their privacy programs.
Let’s examine the top three themes of Mesaglio’s keynote and analyze how they can help drive organizational buy-in on prioritizing data privacy.
1. Generate Buy-in With Emotional Appeals
Throughout her keynote, Mesaglio addresses some myths about why people adopt positive behaviors. The first of these myths: If we show or tell employees how important it is, they’ll take ownership and adopt secure practices and behaviors.
In reality, Mesaglio argues, a person knowing something is important or will lead to positive results isn’t always enough to result in a behavioral change. She illustrates this with a relatable analogy: When presented with the choice of eating kale or chocolate, it’s difficult to refuse the chocolate, even though you’ve been taught your entire life that greens are healthier than sweets.
Figuratively speaking, security and privacy programs and practices are chock-full of kale. They don’t immediately increase convenience and carry a large element of delayed gratification. So how do we overcome the human desire for instant gratification and get employees to eat their kale?
“Explaining rational arguments for security doesn’t lead to secure behavior,” according to Mesaglio. “Tap into real emotive messages to overcome that effect and increase [people’s] sense of ownership.”
In other words, people are more likely to care about and take ownership of security- and privacy-oriented practices when they truly feel it’s their responsibility and they want to. Instead of just showing and telling, help employees make an emotional connection to protecting their privacy and the privacy of your customers.
Try putting this principle into practice at your company by explaining how privacy plays into your employees’ daily lives and overlaps with their personal concerns and experiences. Keep these messages short, easy to repeat, and centered on an emotionally compelling core so they carry intact as managers relay them downstream and across teams.
2. Remove Shame and Retribution From Mistake and Error Reporting
There are entire national campaigns based on the idea that people will alert the appropriate channels if they witness bad or dangerous behavior. If an employee makes a possibly dangerous mistake or an error that could put your company in jeopardy, how can you be sure they’ll report it?
For instance, say an employee writes a program that accesses more data than it should, or clicks a link in a phishing email despite repeated warnings. In these situations, Mesaglio explains, “[f]ear and shame don’t help a person change behavior, but [instead] make them feel exposed and vulnerable, which more likely has a paralytic effect.”
People are unlikely to admit to or report mistakes if they’re worried about being reprimanded or punished. More likely, fear and shame will take over, and when fight-or-flight kicks in, they’ll probably choose flight.
What’s the solution? “Ensure employees feel psychologically safe admitting a mistake,” Mesaglio said.
Companies building out their data privacy programs can do this by establishing clear channels for reporting privacy mistakes and missteps; the existence of such a channel itself acknowledges that mistakes happen. Ensure that whoever manages the reporting channel treats employee comfort and safety as a high priority.
Doing this increases the likelihood of employees reporting their mistakes or, just as importantly, raising the alarm about dangerous behavior or wrongdoing by others in the company. Empowering whistleblowers like the Amazon employee who reported other employees for violating customer privacy can lead to meaningful change across organizations.
3. Make Privacy Frictionless
The final myth Mesaglio tackles in her keynote is the belief that people will avoid dangerous or harmful behavior as long as they know it involves risk.
There are plenty of examples of risky behaviors, habits, or practices people engage in even though the dangers are well known. In some cases, people may decide the benefits or momentary positive feelings are worth the risk. However, just as often, people may engage in risky behavior because it’s simply more convenient.
In Mesaglio’s view, this certainly carries over into security and other areas of risk mitigation. “Laziness is built deep into our nature,” she said. “The bigger the gap between the level of convenience people experience in their private and professional lives, the worse your life as [chief information security officer] will be.”
The presence (or absence) of friction can be the difference between people taking action or not. Since many traditional risk mitigation programs and practices can appear cumbersome and limiting, there’s an opportunity to, as Mesaglio puts it, “remove the friction employees experience from controls.”
By ensuring their privacy practices are as accessible and user-friendly as they are effective, companies remove friction and build on the work they have already done by putting a privacy program in place. It’s important to identify processes that can be automated so your teams can focus on maturing the program rather than handling problems as they arise.
DataGrail Helps Ensure Your Data Privacy Program Has Everyone on Board
Changing behaviors and encouraging people to adopt new habits isn’t always easy, but when we meet people where they are and recognize their motivations, it’s far easier for them to invest in new practices and ways of thinking.
The values and principles Mesaglio explores in her keynote can be enacted in specific and practical ways. DataGrail partners with you to help ensure your employees take ownership of data privacy at your organization.
By removing the burden of overseeing the finer points and details of data privacy like data subject requests (DSRs), data mapping, and data protection impact assessments (DPIAs), we allow you to focus on the big picture: Making your company more privacy-centric and scalable.