Data Protection Day: Remember the People
This week sees the celebration of “Data Protection Day” (or Data Privacy Day). Being a data quality geek I must point out that the actual day that is celebrated in a European context is Data Protection Day, and that is the 28th of January, when we will be celebrating 43 years since the original Convention 108 of the Council of Europe opened for signatures. “Data Privacy Day” is, much like heating water for tea in a microwave oven, a bizarre Americanism that I can never fully accept. Around the world, people are hosting events in person and online talking about various things to do with data protection and data privacy.
But, in the midst of all this, it is important to remember the true meaning of data protection. It’s not about the legislation or regulation. It’s not about the penalties and the fines. They are akin to the wrapping paper and shiny baubles of Christmas. The true meaning of Data Protection was, and always will be, people. Whether those people are data subjects whose data is being processed by a Data Controller, or they are the people tasked with carrying out that processing or overseeing it, or they are the people in regulator agencies tasked with monitoring, investigating, and enforcing laws, it’s important to remember that people are at the heart of data protection (even in these times of AI and automation).
People and Governance and Culture
Ultimately, a lot of what we have to do in data governance, whether it is for the purposes of data protection or some other business driver, boils down to changing how people think about data in the context of their role. It also often requires us to get people to think differently about risks associated with the use of data, both in terms of how they perceive and understand risk as well as how they assess and mitigate risk.
This is complicated by the fact that, in many organisations, people don’t really understand their data. It has historically just been ‘stuff’, and usually ‘stuff’ that was managed by the IT department. This often manifests itself in things like Registers of Processing Activities that are effectively lists of systems or lists of types of documents rather than describing the things that the organisation does and the data relating to people that they use to do those things. This is a challenge that affects more than just data protection as it has implications for analytics, process automation, data sharing, and even the implementation of new technologies and ways of working.
It’s also complicated by the people aspects of governing data and the need to change the organisation culture around data in most organisations. Ultimately, as Upton Sinclair famously put it: “It is difficult to get a man to understand something, when his salary depends on his not understanding it”. This often manifests itself in barriers to change or bottlenecks of effort arising because people either don’t understand the importance of the change, or don’t want to understand it, or understand it and simply don’t want it (because they have conflicting priorities or metrics).
The Post Office Horizon Inquiry – A Collection of Case Studies
While the UK’s Post Office Horizon scandal is not, in the first instance at least, a data protection issue, it does provide a stark illustration of the types of problems that can arise when organisations embark on an organisation transformation involving data and data processes.
The implementation of the Horizon system, and the subsequent prosecution of sub-postmasters arising from reported discrepancies in the accounting records generated by the Horizon system, has resulted in the most severe impacts on people. Loss of jobs, loss of homes, and loss of reputation. In many cases people suffered loss of freedom as they were prosecuted and sent to prison. In other cases, people lost their health and even their lives.
At the heart of the issue seems to be (and the inquiry is ongoing) a situation where key decision makers at different points didn’t want to understand that maybe it was the computer that was wrong, often because their salary depended on them not understanding that. From Post Office investigators who did not question the system because they “were not technically minded” to senior executives who failed to act on reports of defects and issues with the system, the entire saga highlights the importance of organisation culture, understanding of data in the context of processes and roles, and the role of good data governance processes to identify, triage, and mitigate issues in data. Particularly where the impact of those issues can be so significant and severe.
Data Leaders in organisations of all kinds should look to the lessons they can learn from the Post Office scandal. It is essential to ensure that people who are engaged in governance and oversight roles have an appropriate level of ‘data nous’ and understanding of how data flows and is used in the organisation. But it is also essential that the data governance structures and processes you put in place can provide adequate safeguards to counter any belief that the computer is always right. It is also essential that those governance structures and processes are adequate to ensure that the design and implementation of systems that create, manage, move, or otherwise handle data can be trusted and trustworthy.
Otherwise it will ultimately be the people in your organisation and in wider society who might bear the impact of any errors.
How can Castlebridge help Data Leaders?
Castlebridge can help data leaders diagnose the people, process, and technology issues affecting the trusted and trustworthy use of data in your organisation. From Data Protection to Data Strategy, our consultants have extensive real-world experience and insights.
If you are a Data Leader who wants to have a chance to discuss some key strategic themes for data in organisations and society, you might be interested in our Data Leaders Summit taking place in Wexford in March. Details can be found at the Data Leaders’ Summit conference site.