Saturday 7 November 2009

Chasing the (data protection) dragon ...

“I’m not indispensable, you know...”

I’ve been giving some thought recently to the role I ought to play should a data breach occur. Is it appropriate for me to throw myself forward, take full control and keep the contents of the Information Commissioner’s guidance on data breach management all to myself? Or should I assume the role of a coach, pointing those involved in the breach to the various corporate policies that (ought to) exist and ensure that they accept accountability for the consequences of any mishaps that had corrupted their own processes?

This question was prompted by a very thoughtful article which appeared in the Times online edition a few days ago, on 5 November. The journalist Philip Delves Broughton was reflecting on the development of a social revolution in Japan. He described the revolution as being led by a group of as many as 40 per cent of all Japanese men currently aged between 21 and 34. This new generation believe that life is far more important than work. They don’t accept that their fate is to suffer silently in Japan’s vast corporations and bureaucracies. Work should occupy a discreet rather than overwhelming place in their lives. Family and friends matter far more than shopping or travel. They reject the culture of the macho Japanese salarymen. They do not believe companies will look after them. They do not respect job titles or hierarchies, only those who control resources and produce obvious outputs. They abhor office politics and do not respond to traditional motivational tools such as promotion, pay rises and the promise of job security.

Strong, revolutionary stuff. I reflected on whether many of my friends refuse to dress or behave like older employees in their respective workplaces. I wondered how many of them just believed that at work and in life, doing OK is OK. That there was no need to show everyone how much effort you’re making. Friends who challenged the conventional models of success. Friends who could honestly say “All I want to feel is that my work has a sense of purpose”.

And yes, there are a few. And, growing in number.

So, back to the point. Just what role should I play should a data breach occur?

My cunning plan is to ensure that the breach handling process that I should have helped create works just as well in practice as it did in theory. It’s going to be to ensure that those who were responsible share the pain. And it’s going to be to ensure that the pain is sufficiently harsh to encourage effective steps to be put in place to prevent such mishaps occurring in future. My cunning plan is unlikely to include me cancelling any (much needed) holidays, or working 20 hours a day, grabbing a few hours’ sleep in the hotel nearest to the office, grazing on pizzas and peanuts, or living on my nerves until all the fuss has completely died down. My cunning plan is to design a breach handling process that engages all the relevant people in the business, not to adopt a set of behaviours which signify a personal infatuation and obsession about me, to the exclusion of everyone else. My cunning plan ought not reflect the ruthless pursuit of my own gratification, dominance and ambition.

Yes, it’s going to be a bit of “tough love”. Some people may see it as an uncaring approach. But that’s not the case. If I am not personally accountable for the business processes that have failed, then it’s not necessarily going to be “my” mess. And I don’t want to develop a reputation as someone who simply sorts out other people’s mess. Instead, I want to be seen as someone who helps them put their own house back in order. That way, they may feel grateful for my support, but also quietly glad that they were empowered to resolve the situation for themselves.

I hope that I’ll always be on hand to assist with the external PR work, to throw myself at the mercy of the Commissioner’s confessional chamber, and to let all those affected know that we’ll be treating any incident with the utmost gravity. And I hope that I’ll try and stop the greedy few from demanding compensation for innocent mistakes that have not caused them any real harm, perhaps by ensuring they know that those responsible will be making charitable donations to atone for their actions.

But above all else, I expect that I’ll want my colleagues to share the full horror of the incident - because if they don’t, then they may never appreciate just how personally betrayed an innocent victim of a data breach might actually feel.