GDPR: Getting the Board on Board
As is the case with many cybersecurity projects, getting senior-level support for GDPR compliance efforts requires effective communication. Here are some tips for getting the board on board with GDPR.
In my last article for Digital Guardian, I discussed the incoming General Data Protection Regulation (GDPR). I looked at what it is, why it matters and some of the key issues with regards to building compliance. I acknowledged that, as highlighted by (ISC)2, one of the biggest challenges is securing senior-level support (and the budget that goes with it) for GDPR projects.
In this article, I will address some of the reasons why getting the board to engage with GDPR might be proving difficult and what you can do to communicate more effectively with the senior level. Although focused primarily on securing more engagement with GDPR, these issues are psychological, sociological, organisational and cultural. This is not about legal or technical factors; this is about communication.
References to GDPR are everywhere at the moment. So much that you could be forgiven for thinking it would be impossible for senior executives to bury their heads in the data protection sand. Unfortunately, it’s more likely that the opposite is true. Much was said last year about security fatigue and the fact that many people were growing weary of hearing about the latest cyber attack and endless advice to change passwords. We see this sort of communication fatigue in many areas of people’s lives, in response to health campaigns, electioneering and, in general, in relation to an ‘always on’ culture of email and social media. The same applies to GDPR communications. When we overwhelm people with messaging, we run the risk of becoming yet more noise in an already-overflowing inbox.
The first step in getting the board to engage with your GDPR project is to think strategically. They are probably being invited to countless GDPR briefings, conferences and webinars and their LinkedIn feed may well be as full of GDPR posts as yours. With this in mind, consider the channel by which you approach them. If you can get face-to-face time, this will likely be much more effective than an email or paper report. If you get that face-to-face time, be sure to make the most of it.
The core messages you need to communicate are why your project needs doing, how you will complete it and what you need to make it happen. Be as positive, engaging and solution-focused as you can. Do not look to the board to fix your problems, instead tell them how you are going to tackle issues before they become a problem, and the support you need from them to do so. It is essential that you express this is a business benefit, which will safeguard and strengthen your organisation’s reputation. Avoid legal, technical and theoretical language and remember to focus on what matters most to the board.
You may be tempted to whip up some fear, uncertainty and doubt (FUD) to scare the seniors into listening to you. This approach is prevalent across the cybersecurity and data privacy industries, despite the fact that it so rarely works. Fear appeals (attempting to motivate people to behave in a certain way by arousing fear) have been used for decades and research shows that unless they are handled very carefully, a campaign to change behaviour based on fear can massively backfire. Appealing to people’s emotions as a way of changing behaviour can too often lead to your audience engaging only with their emotions, rather than engaging with the actual danger you are trying to communicate. This means that instead of taking rational action, people will go into denial or avoidance as a sub-conscious means of trying to alleviate their emotional response to your fear appeal. I frequently see this with people who have been subject to cybersecurity FUD: it is often what lurks underneath the ideas that “hackers would not want my data” (denial) or “the internet is like the wild west so I won’t use it” (avoidance).
So, when talking about the big scary fines associated with a breach of GDPR, be sure to focus on relevance and efficacy. To get the board on board, you will need to clearly communicate what GDPR means to your organisation, why they should care about it, what the organisation needs to do to respond to it and what you need from them. In this way, you are breaking down the threats associated with non-compliance to enable them to understand how the broad threat is relevant to them, and you are strengthening their belief that the organisation can deal with the GDPR requirements and that they can support this endeavour.
Senior executives operate at a strategic level and, if you want their support and engagement, you need to think strategically, too. Senior executives are also human and subject to the same psychological impulses and social norms as the rest of us. Remembering that how you communicate is as important as what you communicate is crucial.