Effective Communication for Data Protection Professionals
By : Tojola Yusuf, CIPP/E
The implementation or maintenance of a client’s privacy and data protection program cannot be achieved without communicating effectively with the staff or management of the client. Communication during meetings, awareness or training sessions, risk assessment, incident response, and audits is inevitable. In addition, effective communication is beneficial to both the data protection professional and the client. To the data protection professionals, it helps them understand the business and existing process. For the client, it helps to understand the purport of the process, expectations and imbibe data protection as a lifestyle.
For the above reasons, this article seeks to highlight methods that can make communication benefit both the data protection professional and the client.
Effective Communication Methods
- Simplification is magic
Communication in the data protection journey is a frequent and continuous exercise because people need to be carried along. As professionals, we may find the technical terms simple, but it is not always the case for non-professionals. Hence, the need to simplify terms when communicating. This can be achieved by breaking down every technical term to its simplest form.
In addition, using real-life cases or relatable examples that align with the nature of the client’s work aids simplification. For example, in explaining automated decision-making to a client in human resources, it would be great to cite examples like the use of applicant tracking systems that filter resumes, the use of fully automated proctoring during recruitment exercises, and other similar examples. For a client in the credit industry, examples such as the use of automated tools to determine loan eligibility will be helpful. The data protection professional must understand the client’s business and industry to do this effectively.
Similarly, where clients are expected to complete questionnaires or surveys, the questions should be simplified using non-technical terms. It reduces back and forth while also saving time.
Simplification has proven to aid understanding, application of training, and correction of misconceptions.
- Don’t be the dictator.
It is important to ensure that every communication aids the growth of the clients’ knowledge and understanding of data protection. Explain the reasons for giving the advice. For example, while telling a client not to seek the consent of data subjects for an activity, it is an opportunity to explain why consent is not appropriate, including the adverse effects it may have on the business and the data subject. Similarly, where a new project a client is working on will require the conduct of a Data Protection Impact Assessment (DPIA), reaching out to the client, it is not sufficient to inform them that a DPIA will be conducted. It is also important to explain why.
Upon conclusion of the assessment, the concern should not be focused only on the implementation of measures or safeguards against identified risks. Still, time should be created to explain the risks identified and the possible impact on the business. In addition, creating awareness and educating the client should not be limited to scheduled training and awareness programs. Every conversation should be a mini-awareness session.
It gives the client further conviction to listen to your guidance, enabling you to get the work done. Do you know how drops of water make the ocean? That is exactly how all the lessons that are given make the clients conscious and aware of data protection robustly.
- Always drill down
Never take all responses from questions you have asked as they are. Instead, drill down to be sure you get what you intend from the conversation. This is especially important where data protection consciousness is yet to be imbibed. This is more commonly found with new clients.
I will give a few examples:
(a) you may ask a client if they process or use personal data in a project, and the likely response you will get is a resounding ‘no’. It may stem from the fact that they think it is bad to process data and deem it fit to hide the fact, or they just do not know what personal data means in its simplest form. Questions such as the following will help determine if they use or will use personal data for the project- “Who does this project benefit?” “What is the aim of this project?” “Will you interface with anybody?”
Ask for evidence.
(b) when you ask if a client transfers data across borders, the natural response may be “no”. Further questions like the following will help you to achieve your desired goal- “Who are your service providers?” “Where are your service providers located?” “Which software or platforms do you use for this project?” “Who built it?” “Is data stored on the cloud or on-premise?” “Where are the data centres located?” “Do you have affiliate companies?” “Where are they located?” The responses to these questions will give you an idea of the client’s cross-border activities.
- Persistence is key
Besides the everyday tasks that come with everyone’s jobs, the clients always have many other compliance matters unrelated to data protection that they are addressing. Clients are always busy with one compliance issue or the other. Therefore, persistence on the part of the data protection practitioner is vital. Planned follow-up, monitoring, and reminders are useful tools for every data protection practitioner. It may be easy to lose track of the various work streams of data protection activities for various reasons, including the failure of the client to respond to action points because they are overwhelmed by other tasks, they forgot about it, or they do not understand the urgency of the pending data protection action points. Therefore, it is important to consistently communicate and remind the client until all action points are executed.
The data protection professional must plan and organize activities diligently in being persistent. Without persistence, data protection projects will be left uncompleted or undone.
- Invite yourself
Sometimes, clients commence projects without considering data protection issues that may arise from such projects. This can be for several reasons. As a result of the above, the data protection professional may need to invite themselves into such projects even when not invited. This is most vital at the initial stage when the client has not gotten sufficient awareness or training on data protection to help them know when to consult. When there is widespread awareness, this may become minimal.
Where you are not invited, invite yourself, ask questions, and make friends. One thing that may aid monitoring is the appointment of privacy champions in each department or unit of the client’s organization who will be your eyes and ears in these departments. Although some clients may be very covert in their operations because they are yet to come to the realisation that the data protection professional will play a vital role at the conception or design stage of many projects. At this point, the professional needs to make the client understand the pivotal role they would play at the initial stage and through the lifecycle of projects.
- Check the pulse/Ask for feedback.
It is advisable to check the organization’s pulse on their perception of your communication methods. While you think a method works fine and helps you achieve results, there may be easier or better ways to communicate or get work done for all parties involved. Besides, it is not unusual for people to think they are communicating until they get the feedback that they are not communicating effectively. When interfacing with clients, checking the pulse may be done through survey forms or orally.
The benefit of communication in a data protection compliance journey cannot be overemphasized. However, communicating effectively should go hand-in-hand with the professional’s technical expertise. While it is not news that the compliance journey must be supported by the client, a data protection professional that communicates poorly will have a lonely, stressful, and futile journey.