How to create a culture of privacy

Published on Mar 31, 2022

It is becoming increasingly apparent customers trust brands and organisations that respect their privacy. Evidence of this is found in several reports, such as the 2021 Consumer Privacy Survey, which revealed 86% of consumers care about data privacy and want more control.

This desire for greater privacy and control extends to the marketing practices consumers say they approve of, and the ones they don't. The 2022 Digital Consumer Trends Index reveals the marketing preferences of consumers include loyalty programs, emails and contests, while location-based tracking and ads that follow you are almost certainly out.

What this data shows is that privacy management has considerably more business implications than those related solely to legal compliance. Today, privacy plays such an important role in a company's competitiveness that it is now essential for sustainable, long-term growth and profitability. The 2022 Data Privacy Benchmark Study defines privacy as a business imperative and a necessary element of customer trust for organisations after 90% of global respondents said they would not buy from an organisation that does not sufficiently protect their personal data.

While most companies recognise their legal obligations and have implemented a privacy programme for UK General Data Protection Regulation (GDPR) compliance, many are failing to realise the business opportunity within their grasp. We understand the complexities organisations face when balancing privacy concerns against several other strategic objectives and priorities. Having said that, we believe the solution is to create a culture of privacy to drive alignment between ethical data protection practices and favourable business outcomes.

What is a culture of privacy?

As alluded to above, the first point to make when defining privacy culture is that it goes beyond regulatory compliance. Instead, a culture of privacy is a shared understanding and an agreement between all business stakeholders about how personal data should be used to further strategic or commercial objectives.

Put another way, within a culture of privacy, legal compliance is only one of the goals of a successful privacy management programme. How personal data supports other business objectives is of equal importance. To do this, you need to consider privacy and data governance in the context of satisfying customer expectations, fulfilling contractual commitments, defining core values and strategic objectives, as well as adhering to your regulatory obligations.

In addition to driving better alignment with other business functions, this approach increases the ability of the privacy teams to execute strategies such as privacy by design and default, while discussions relating to privacy budgets will be easier to achieve.

And of all the business benefits, attaining the best use of your data for both you and your customers is a genuine win-win scenario.

5 steps to create a culture of privacy

For good or for bad, organisational culture is often deep-rooted. Thankfully, it is possible to move towards a culture of privacy over time by following the five steps outlined below:

  1. Get leadership buy-in and establish privacy as a core value Organisational culture starts at the top. Bringing about change to instil a shared vision and ideals towards privacy requires a commitment from senior executives. There needs to be an alignment between a business's strategy, practices and the attitudes of its culture. Build support with a few influential individuals who can advocate to executive management to begin. Then expand to provide a high-level overview of how the programme will work.

  2. Create a privacy management team Implement a robust governance structure within the organisational hierarchy. Ensure the privacy management operation is fully funded, resourced with an appropriately sized and trained compliance team, and equipped with the necessary privacy technology to fulfil its responsibilities. Appoint a Data Protection Officer or head of privacy compliance to lead.

  3. Communicate the importance of privacy culture Inform everyone in the organisation about how they play an individual role in privacy management and GDPR compliance. Explain privacy is an essential core value within your employee handbook and induction sessions. Invest in technology to deliver regular online privacy awareness training to embed fundamental principles throughout the organisation. You can also run campaigns to highlight the importance of privacy culture on the 28th of January each year to celebrate Data Protection Day.

  4. Deliver role-based privacy training Provide the teams and individuals delivering specialist roles additional training relevant to their jobs so that they understand exactly what is expected of them. This role-based privacy training will help employees understand how and where specific privacy and data protection policies, laws and regulations impact their daily roles.

  5. Identify privacy champions and technologists Privacy champions and technologists are individuals who promote the privacy programme from within their team or department. These individuals, who require additional role-based or certified training to develop the necessary skills, support the privacy team in a decentralised capacity and help business owners meet any data protection responsibilities within their scope of operations. This approach also creates a pool of multiple skilled professionals that, with additional training, could make suitable candidates should vacancies become available for full-time privacy roles. Given the shortage of experienced privacy professionals, it makes sense to develop from within.

Moving towards an ethical and customer focussed business strategy

Companies establish business ethics programmes to promote integrity and earn trust from stakeholders. In short, business ethics affects the bottom line by improving profitability and increasing customer loyalty. Now that moral behaviour is linked to brand value, ethical data practices are one of four essential components in this conversation. Meeting the privacy expectations of your customers and employees is a necessary detail in creating lasting relationships. By implementing a culture of privacy, you're demonstrating to all stakeholders just how important they are to your business.

In this sense, privacy can be a powerful business differentiator. Building privacy by design and data minimisation practices into your data strategy, adding ethical marketing techniques, and being transparent about your processing operations are the kind of actions and accountability measures needed to position your business as a trustworthy brand.

Final thoughts

Privacy management and data protection compliance are often perceived as business inhibitors. This impression is neither just nor fair. However, it is essential to set the right tone so that everyone sees privacy in a positive light. Show the teams and departments who rely on personal data that they can still achieve their objectives and that you're willing to work with them to show them how. A culture of privacy is essential to this end, and everyone is better off for it.

For more information, we wrote about creating the right environment to develop a culture of privacy in our GDPR Training Paths – Prioritising Privacy guide in our resource section.

Freevacy can help you design and deliver role-based privacy training to your teams. We also recommend the BCS Foundation Certificate in Data Protection and the IAPP Certified Information Privacy Technologist (CIPT) industry qualifications for individuals selected to become privacy champions and technologists.

To find out more about data protection and privacy management training, email contact@freevacy.com or call our team on 0370 04 27701 today.

Click your chosen course below to see our next available courses dates

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.