Privacy awareness: a matter of behavioural change

February 24, 2019


What is the greatest source of privacy incidents in the workplace? The human! Lost USB sticks, unauthorised viewing of files, or an e-mail sent to the wrong recipient are part of the daily routine of organisations. Fortunately, privacy awareness is therefore high on the agendas of Privacy Officers and DPOs. Unfortunately, it is often underestimated. Privacy awareness is about realising behavioural change, and that is a complex challenge. In this blog you will find an explanation of how you can steer your privacy awareness initiatives towards behavioural change.

Change requires attention

Imagine: your policy prescribes that employees may only use approved online tools (e.g. SharePoint, not Google Drive). Yet you notice that Google Drive is often used. What can you do to change this? The first reaction is often: there is a lack of knowledge about which tools are approved. This is not surprising: a lack of knowledge may well be the most important problem that needs to be addressed. It can be solved, for example, by communicating a message about this via the intranet. But it is not the only aspect of the problem that must be addressed if you strive for behavioural change.

Behaviour is difficult to change. Once people are set in certain ways, it takes effort to do things differently. When a department has been using Google Drive for years to share documents containing personal data, that department must go through a change process. People are often willing to change, but it is a process that should not be underestimated. It requires patience, knowledge of behaviour, and flexibility, both from those who want to change their behaviour and from their environment.

Knowing, wanting, and ability

One way to look at behavioural change is by means of Marcel Balm's behavioural change model. Balm describes three important aspects of realising behavioural change: wanting, knowing, and being able.

1: Knowing: you need to know what the new behaviour entails

Someone must be aware that a change in behaviour is desired, and it must be clear what this change means. In the case of approved online tools, this means that employees must know which tools they are not allowed to use and, more importantly, which tools they should use. Working on the 'knowing' aspect means focusing on communication and training. For example, you can use e-learning.

2: Wanting: you have to want to change your behaviour

To ensure that people are motivated to change their behaviour, you can focus on making the problem discussable. The employee must understand why something is urgent. For example, you can explain why Google is not a reliable party for processing sensitive data and what the risks are. When employees are included in the big picture, they are more likely to be self-motivated to change. To effectively stimulate intrinsic motivation, it is important not only to communicate in one direction but to enter into dialogue. For example, you can regularly organise knowledge sessions in which discussion is central.

3: Ability: you must be able to change your behaviour

The third aspect of change is 'ability'. Because people are fallible - after all, everyone is sometimes tired or distracted - you cannot expect change from the individual alone. You have to do everything you can to design the environment in such a way that it is easy for the employee to behave as desired. This is also the underlying idea of the principle 'Privacy by Design': when you design systems and processes in a privacy-friendly way, it becomes easy to work in a privacy-friendly way. In the case of unwanted use of Google Drive, it is important that there is an alternative that is easy to use. The UWV, for example, has applied this principle well (link in Dutch). When it turned out that they regularly had to deal with data leaks involving Excel files, they decided to block the sending of Excel files.

Learning from incidents

People are fallible, so you will always have to deal with data leaks and security incidents in the workplace. Incidents are also there to learn from. Unfortunately, the final conclusion of an incident analysis is often "it was a human error". A human error should be the beginning of an analysis, not the end. So when you want to change behaviour following an incident, first try to understand the behaviour. This way you can see which aspect of behavioural change is most needed (wanting, knowing and/or ability).

Do you want to know more about Privacy by Design or privacy awareness? Or do you need help with an incident analysis or with the design of an incident analysis? Contact us!