Last week a person responsible for information security and data protection opened his heart and mind about how hard has been for him to get the top management (namely the CEO & CTO) to see the importance of his areas of responsibility.
He likes the company and believes in its vision, but feels alone in his responsibility areas. The rest of the company lacks understanding and interest into data protection and information security.
They are a European B2B technology company with a few hundred employees. They also serve major global corporations around the world as their service excels in its class.
With his permission, I anonymously tell some key points that we discussed and realized together.
It is an internal selling game
I suggested to him that if he wants to be heard, he needs to "sell" internally the value of these things.
We both came into the conclusion that before moving on to the main arguments, he should pretty much forget about trying to convince his superiors by the risk of investigations by the data protection authorities and facing #GDPR sanctions. It has become clearly apparent that the authorities do not have enough resources for supervision, and the investigation process is too slow and clumsy.
Instead we identified two powerful points that will sensitise the ear of even a tough minded business and tech top manager.
Point #1 Investors and Due Diligence process (DD)
Have the CEO / CTO think themselves about a future due diligence process (DD) in acquisition, merger, or funding round situation with a VC, private equity fund, or a purchasing company.
It's actually the funds and investors that have become the sharp-teethed compliance sharks, because they have lots of money and reputation at stake.
It's not enough to just claim that you are compliant, they want you to demonstrate precise details of how you have reached your claims of compliance and risk mitigation.
They don't want to get their portfolios stained by a company, which was able to rise into fame and great market position, but at a later time got exposed of neglecting its "business unsexy" data protection and information security duties.
A privacy disaster in one or two years after the investment could lead to everyone questioning the VC's or private equity fund's whole due diligence process, and raise suspicions about the actual risk position of the rest of the companies in their portfolio.
Therefore, it is the due diligence process that can for a good reason be brutal and easily kill the deal, even when everything else in the company looks good and sound.
Point #2 The colleagues and employees in the event of a major data breach
It is bad enough that the decisions of the CEO & CTO to disregard data protection could lead into a data breach and privacy disaster for their customers. But such breach could also burn a painful mark into the careers of their employees and close colleagues.
Clearly, a bad data breach can be devastating for the data subjects affected, but also for the managers and employees running the company during the breach. Besides the hit into their careers and increased challenges in finding employment opportunities, they might face the feelings of tremendous stress and guilt for months or even years to come.
Part of data protection professional's work is still to battle for attention
For the most peope, data protection is not fun nor sexy (although some people do get off by it). Risk management involves protection also from unlikely events, and it is not the most natural mode of operation for the human psyche.
Despite the fact that the majority of people do mean well and take great responsibility in their work, the reality in business management is that it is always harder to bring attention to some topics than others.
A company is in constant struggle with its environment, and the top management's focus gets easily drawn into the short- and mid-term revenues and costs. Therefore, it is sometimes necessary for a data protection profesionnal to know how to touch both the rationale and emotions of the decision-maker, and in that way eventually win the much needed attention into data protection.
The due diligence process and data breach consequences are two issues that can really hit the right nerves and give spark to the business relevance of data protection in the busy minds of top management members.