Data Protection Governance – Indictment, Insanity, Genius…. Challenges for the Governing Body

Tim O’Hanlon is a data protection expert and founder of Tim O’Hanlon Strategic Management Services (TOSMS) with offices in the UK and SA.

“The definition of insanity is to do something over and over again and expect a different outcome.”
Albert Einstein


“Simplicity does not precede complexity, but follows it. Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.”
Alan Perlis


“Legislation like DPA and POPI is merely codifying good business practice.  It’s an indictment on management when our personal information, that is as fundamental to protect for us as theft of our possessions or incurring bodily harm, is not treated the same way by those in charge.”
Tim O’Hanlon

The story behind the quotes

So you may be wondering what these quotes have to do with Data Protection Governance.  Let me explain in the paragraphs that follow.

DPA and POPI legislation almost identical

Data Protection is a pertinent topic in South Africa at the moment as very similar legislation to the Data Protection Act (DPA) in the UK, called the Protection of Personal Information (POPI) Act, has been passed by the South African government and merely awaits announcement of the commencement date.

Large scale DP change initiatives

Since 2007, I have worked closely with the SA Law Reform Commission, which was tasked with the development of this legislation.  At the time I was implementing POPI for a global Fortune 500 company in SA operating in the Financial Services Sector.  This gave my team and me the unique opportunity to deal with the considerable complexities that such legislation introduces, given a highly regulated industry, and a company of considerable size where the processing of personal information is the life blood of its business.

Working with the drafters of the legislation

This close association with the developers of the legislation, plus the many companies we have worked with since 2007, has given us lots of insights into the practicalities of dealing with changes in a company and the influence that governance has on this change.  The following content provides some insights that I hope will be helpful for governing bodies, and those tasked with influencing their decisions, when it comes to large changes like POPI and DPA.

Smarter solutions to deal with growing complexity

I said in my previous post that ongoing new sets of requirements that a company needs to implement add further complexity to an organisation, resulting in an ever-increasing challenge as far as oversight and control goes.  To mitigate this calls for smarter ways of dealing with change and necessitates a good understanding of what kinds of solutions are available to meet these new requirements and, more importantly, the impact these options will have on your operating models.  You want smart results that enhance the operation and contain risk wherever possible.

Removing complexity is key

The challenge here is to take the complexity and find ways to make it work for you by harnessing technology, the wisdom of experienced practitioners in whatever fields are at play and your own in-house expertise to create simple solutions that, at best, create barriers to entry of competitors and, at worst, make it easy for those impacted in the company to do their jobs with the minimum of risk to the company.  In the words of Alan Perlis:

“Simplicity does not precede complexity, but follows it… Geniuses remove it.”
Alan Perlis

Find experienced practitioners

Companies that are faced with finding solutions for the risks they have assessed for DPA/POPI do not have the experience of regularly having to solve these problems for clients as a standard part of their business, unless they are like TOSMS, who specialize in this area. So they need to find experienced practitioners in this field who can provide these insights.  We have a comprehensive set of solution design modules for DPA/POPI that provide such options for companies to consider when making decisions about what to do before putting an implementation plan together.

Future post on the planning challenges

I will cover the sequence of steps and details involved with building a project implementation plan that covers aspects such as a data inventory exercise, high level and detailed analysis, governance review of operating models, critical success factors, etc. in a future post.

Get the wrong outcome from the wrong approach

Too often I have seen companies leaving it up to the operational team members of regulatory change initiatives to sort out how to fix the gaps that have surfaced during the analysis of the legislation.  Where the legislation is breaking new ground for the company, they have limited experience with what is possible and are not necessarily the right level at which strategic changes should be considered by the company.  As the Einstein quote implies, you may end up getting the same results that you have been getting in the past, the very ones the new requirements are trying to prevent.  Slot the solutions into the way we currently do things and hope for the best!  This just may not cut it.

The right levels dealing with the right issues

So another key problem that surfaces here relates to the concept of Stratified Systems Theory (SST) developed by Elliott Jaques, where the different levels in the organisation deal with differing degrees of uncertainty and impact and have different horizons that are the extent of their visibility.  At the highest level in the organisation you could have the MD shaping not just the company but the industry as a whole, especially if the company is a major player in that industry, and the results of her decisions and actions have long term, far reaching impacts for her company and the industry.  At a much lower level you could have an individual operating within a far more mechanistic, structured and unambiguous work space with very limited visibility and short term impacts.  These are two levels on opposite extremes of the SST levels in a company, and it is important to make sure the right levels are dealing with the right issues and are properly trained to deliver at these levels.

Can the different levels deliver what is expected?

This is a key governance issue.  You could get an MD who has come up through the ranks and just taken his job with him as he has advanced and is therefore ill equipped to deal with the nature of work as MD.  The degree of ambiguity and uncertainty changes.  The level of detail involved changes.  The scope of impact is different.  Knowledge of a broader spectrum of subjects is required.  These are not capabilities you inherit as you progress.

The role of operational and executive management

Using these concepts as a guide, it is clearly not ideal for the operational or middle management to make the decisions about solutions where operating models need to be reconsidered – for example when risk assurance, data architecture or client service can no longer deliver what is required in an optimal way as a result of the new changes required.  There are a number of operating models that may need to change depending on the extent of the impact and risk the new requirements place on the company.  These options need to be surfaced at the governing body level in the organisation where, collectively, the members have the best view of the company and the right kind of visibility as far as legacy, status quo and new developments are concerned.  This is your own in-house expertise I was talking about earlier that needs to be harnessed at the right level, in the appropriate manner.

The wrong attitude and the wrong culture

I have had sponsors of large change projects not wanting to know what the complexities are that need to be conveyed up the line to the governing body notwithstanding the need to look at systemic problems and unintended consequences.  The kind of “I-am-paying-you-to-sort-it-out” response is a slippery slope of blind delivery that has no chance of creating genius, that is for sure!  So a culture that is steeped in “cover your backside” and “avoid any form of exposure or vulnerability by taking it up with the boss” is destined to fail when complexity is knocking at the door as may be the case with POPI or DPA.

Ownership and when to engage the decision-makers

So that does beg the question: at what point in the process of introducing new regulatory requirements should the governing body of the company get involved and how?  The problem in the regulatory space is that all too often the legal or compliance department has the job of raising the alarm and getting the nod from the governing body to investigate the impact of new legislation on the company but then the responsibility of complying with the new requirements remains for too long with these individuals/departments.  This is then exacerbated by the engagement of subject matter experts at similar levels in other areas of the business to help drive implementation of the solutions.

Do not miss a key milestone

The problem with this is that it misses a key milestone of getting the governing body to deal with the more fundamental change issues around operating models that will not surface directly from the legislation but if dealt with could be the determining factor in making sure the company is not going to fall foul of doing the same things over and over and expecting a different result.

The job of the sponsor

For some very big companies, even if there is a well structured change management governance structure in place to drive the new legislation, often it does not have the ear of the top governing body so a gap is created and the changes then lack the benefit of the top strategic levels of thinking and decision-making when it is needed.  The sponsor of the regulatory change initiative must be able to harness the wisdom of experienced practitioners in the key fields that are at play, their own in-house operational expertise and provide consolidated content for the Governing Body to deliberate on.

A future post on governing body reporting

When should this happen and what should be prepared are million dollar questions that will be covered in another post.

Target operating model facilitation

Against the above background and looking at the governing body, they need to know their game well when it comes to their operating models.  There is the added challenge with DPA/POPI that for some companies it covers every nook and cranny of the organisation so a broad spectrum of expertise needs to be available for a properly integrated view to develop.  We have developed a set of “Target Operating Model” questions for DPA/POPI that are directed specifically at the governing body in a company to facilitate a look at the strategic level issues arising from analysis of the detail in the legislation.  We have over 100 questions at the detail level that are graded according to the level of granularity at which the discussion needs to take place. See our Target Operating Model service for more details.

Is your compliance structure up to the task?

The legislation is not going to tell you that you now need to consider implementing a more rigorous compliance model – say the Three Lines of Assurance model – given your current model’s inability to cope with the added focus required by DPA/POPI (see our service called Setting Up 3 Lines of Assurance Model for more details). We see this a lot where an industry is not as heavily regulated around compliance as, for example, the financial services sector, and along comes this legislation and their compliance structures are just not able to deliver a sustainable solution.

Can your records management regime deliver?

The legislation is not going to tell you that the level of granularity at which control of records is now required needs a fundamental rethink of the whole records management model in the company.  Grounds for processing, consent, retention, and so many other rules deal with each record, and the need for classification and categorization to manage this may not have been a need before. There are many examples I could cite based on our experience. Our TP-RMS Records Management Solution covers these challenges in detail.

Get your facts together at the right level

So let legal and compliance experts and the subject matter experts in all the different business units impacted in the company do the analysis required and generate the heatmaps and other change related details to support their recommendations on people, process and system impacts (see my previous post on this aspect and the tools and methodology we use).  The key step at this point is to provide a consolidated input in a way that is appropriate for the governing body level in the company to be able to consider the far longer term impacts of change needed in the company relating to operating models and the associated risks their decisions are likely to carry.

Spectacular failings by governing bodies

Over the years we have witnessed the spectacular failings of firms with a criminal history at governing body level like Enron and Arthur Andersen, and later, the sub-prime crisis stable of greed-driven governing body level individuals and their failed companies and, along with this, a host of large corporates whose share prices were decimated due to poor governance at governing body level where they should have known better under the circumstances.

The consequences – more regulatory control

Hindsight is a precise science so here’s hoping the key lessons of the past have been learnt but such an indictment on the governing bodies of companies has meant rafts of legislation and governance directives to control how the boards (governing bodies) of companies need to manage the affairs of their companies.

Global governance benchmark: King III

In South Africa, King III is the standard and spells out the obligation of board members.  It is a set of principles that can be applied as a governance benchmark of good business practice for companies anywhere in the world. Here are some pertinent principles for DPA/POPI:

Principle 6.1

The Board ensures that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards.

Principle 6.2

The Board and each individual director have a working understanding of the effect of applicable laws, rules, codes and standards on the company and its business.

Principle 6.3

Compliance risk should form an integral part of the company’s risk management process.

Principle 6.4

The Board should delegate to management the implementation of an effective compliance framework and processes.

Equipping boards to meet their regulatory obligations

So there can be little doubt that there are some obligations that the board, and top management, of any company should be driving when pervasive and paradigm-shifting legislation like DPA/POPI comes along.  The reality is that I have yet to experience a suitable level of training being provided for governing bodies (boards and top management teams) at a practical level (not just a regurgitation of what is in the legislation but company specific, practical training that relates to their jobs in the company – risk, governance, compliance, etc.). This is essential before any meaningful conversation can happen about “the effect of applicable laws, rules, codes and standards on the company and its business” – principle 6.2.

POPI regulatory training

We have a specific training module we use that breaks the legislation up into workstreams (logical groupings of work) and helps provide the necessary structure to this training, with appropriate practical examples to help.  It is designed to cover the subject at a level of detail that is appropriate for a governing body as opposed to a group of compliance and legal people running the project.  It is also designed around specific project focus areas (workstreams) so the conversation from the governing body down is properly aligned to implementation issues. For more information about this training visit our TP-RTS: Regulatory Training Solution (including POPI).

Questions the board needs answers to

The main conversation that needs to happen at the governing body level is about operating models as covered earlier.  There are a number of questions the board should be demanding answers to given their obligations around King III.  Some examples are covered below:

Where Will We Be Losing Sleep With DPA/POPI?

Here the conversation should be at a strategic level about where they need to take action given critical success factors that point to certain priorities based on risk profiles – more about this in a future post.

Do we Need to Change the Way we do Business Due to DPA/POPI?

This is about operating models.  We did some work for a direct marketing company about 4 years ago at which point they were deriving leads from over 30 lead brokers. Their entire operating model was dependent on the ongoing supply of leads and suddenly the realization hit home that the majority of these brokers would be out of business once the legislation was in force. Today they have fundamentally changed their operating model to ensure sustainability of their business.  This came about through strategic interaction at governing body level with a team that saw the risk and made it their business to fully understand the legislation and make the strategic changes to their operating model over a two year period.

How do we Handle Legacy, Status Quo and New Developments?

This is a key issue, for example, in the telecommunications industry where cell phone companies have large numbers of technology developments going on at any point in time to stay ahead of the game.  Legacy systems are a big headache – in the one corporate we worked with they had over 100 systems with some of their largest client databases sitting on legacy systems without the ability to make changes to those systems.

Where Can we Harness Opportunities that DPA/POPI Creates?

This is about smart solutions that improve aspects such as productivity, control, environmental impacts, client service, even spend of wallet per customer.  It is about creating genius by unravelling the full extent of the complexities that arise and finding simple solutions that remove this complexity.  It goes well beyond just looking for a quick fix to minimize the disruption to the business, something I have seen happen so often over the years and which is the basis for my quote about indictments on management.

Do we Need to Take On Short Term Pain for Long Term Gain?

This is the opposite psychology to what was a major contributor to the sub-prime crisis, namely a short-sighted preoccupation with delivery of instant results that killed any longer term, more sustainable business models.

Follow up

I trust the above has been useful.  I will undertake to elaborate on various other aspects mentioned in this post with the aim of helping those dealing with governance of DPA/POPI. Please don’t hesitate to contact us should you wish to discuss any of this further. Our details can be found under Contact Us. Alternatively you are welcome to complete the Request Form and we will respond.