Hon. Director General, European Data Protection Supervisor
Member, Guernsey Data Protection Authority
Advisory Board Member, European Centre on Privacy and Cybersecurity (ECPC) at Maastricht University
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Whilst staff have a key role, they tend to be addressed under the rubrics of “training and education” (per the second “common element of accountability” identified by the Galway Project in 2009). Along the same lines, global regulators resolved at the 2019 Conference to address the role of human error in personal data breaches and committed themselves to “building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees.”
The Guernsey ODPA has launched a wholly new approach aimed at promoting cultural shift by individuals themselves. Project Bijou addresses individuals across the whole of Guernsey, whatever their function or status, as persons who are themselves affected by good or bad data processing. It is a social initiative that encourages its participants to positively influence outcomes in how personal data are treated.
The method is quite unique - people telling stories. Participants are encouraged to talk about their personal experiences inside their organisations, about the benefits of getting data protection right, or the risks and harms of getting it wrong. The first stories were heard and seen in the videos and blogs produced for the project launch in May 2021. Why stories? First, because humans respond to stories, which connect us to each other in ways that data, information and other delivery methods do not. And second, because of the powerful “ripple’ effect of trusted human-to-human contact, which can engage our emotions and drive positive behavioural change. If someone we know and trust tells us something, we are very likely to listen, to trust them, and to think about following the same course.
The Bijou project turns the conversation to the human, encouraging a sharing of information, support and advice, and a consequent mainstreaming of good data governance. The culture shifts as participants connect with their colleagues and share their values and behaviours. Stories that resonate with people can illuminate the fundamental principles of fair and lawful data processing, in a way that laws, policies and strategies - no matter how carefully crafted - cannot. The aim is to normalise privacy, data protection and ethics within the culture of the organisation.
The project particularly contemplates people who are dis-engaged from data protection. We know that many data breaches are accidentally caused by such persons and can be avoided by simple changes in approach. Similarly, many external hacks can be avoided by basic data hygiene inside the organisation. The people involved are not wilfully negligent but are unaware of the values at the heart of data protection, to protect the dignity of the individual and to prevent them suffering harms. Project Bijou empowers individuals to give their fellows the opportunity to understand what happens to personal data, and how their decisions and their practices can have an impact, not just on themselves but on others too.
Guernsey is a small community, where word of mouth can often have more of an impact than any marketing campaign, and is thus an ideal place to initiate the Bijou project. But it is none the less a test bed for a radical new tool in the accountability toolbox. It is a true accountability initiative, aimed at proactively changing the culture by influencing individual behaviour, rather than by simply enforcing compliance. It sends an original and powerful message to the global privacy community that education and training are not the only paths to accountability in the workplace.
See Bijou for yourself, together with the stories by local and international contributors at: https://www.odpa.gg/project-bijou/