Overcoming the diffusion of responsibility for GDPR


In June 2019 Kendra Kerry produced an article on steps that can be used to encourage actors to take responsible actions. They can also be applied very effectively to data controllers, and demonstrate the role that consultants and data protection professionals have in encouraging behaviour change.

1. Witnessing helpful behaviour

“Sometimes just seeing other people doing something kind or helpful makes us more willing to help others. Imagine that you are walking into a large department store. At the entrance is a bell ringer asking for donations to a charitable organization. You notice that many of the people who walk by are stopping to drop their change into the donation bucket. As a result, you might feel more inspired to stop and donate your own change.”

Often it is easy for companies to exist in silos and not necessarily see where other organisations are taking responsibility. As consultants who work across a wide range of businesses and industries, we are perfectly placed to share stories of best practice and to advise data controllers on how to make compliant decisions whilst limiting any competitive disadvantage.

2. Being observant

“One of the key reasons people often fail to take action when help is needed is that they do not notice what is happening until it is too late. Ambiguous situations can also make it difficult to determine if help is truly needed. In one famous experiment, participants were less likely to respond when smoke began to fill a room when the other people in the room also failed to respond. Since no one else was taking action, people assumed that there must not be an emergency.”

In the context of GDPR, this can be seen in many organisations through a lack of understanding of the key principles of data protection and how to apply them.

Consultant support of the data protection and information management functions can remove ambiguity from situations and help people identify when smoke is metaphorically filling the room. This allows a business to remain alert to the wider data protection environment, rather than relying on the responses of other data controllers. This empowers the organisation to independently decide on how best to react to developments.

3. Being skilled and knowledgeable

“When faced with an emergency situation, knowing what to do greatly increases the likelihood that a person will take action. How can you apply this to your own life? While you certainly cannot be prepared for every possible event that might transpire, taking first aid classes and receiving CPR training could help you feel more competent and prepared to deal with potential emergencies.”

Out in the business, staff will often feel overwhelmed by the requirements of the data protection principles.

Even if somebody identifies something that they think is wrong, they will decide to ignore it as they don’t know how to respond. Training for colleagues from the senior managers down to the shop floor can make staff feel more capable of identifying and responding to situations as they occur.

4. Guilt

“Researchers have found that feelings of guilt can often spur on helping behaviours. So-called "survivor guilt" is just one example. Following the 9/11 terrorist attacks, some people who had survived the event felt driven to help others in the aftermath.”

Witnessing the devastating impact a data breach can have on individual lives, through fraud, identity theft or loss of key services, can encourage data controllers to see their subjects as more than just a number on a screen.

Where people suffer these negative impacts, it is important to highlight them to the business and ask the question “are we doing anything that could cause this harm to come to our data subjects? How do we feel about that?”

5. Having a personal relationship

“Researchers have long known that we are more likely to help people that we know personally. In an emergency situation, people in trouble can help cultivate a more personalized response even in strangers by taking a few important steps. If you are in trouble, single out an individual from the crowd, make eye contact, and directly ask for assistance instead of making a general plea to the group.”

A mandatory, but often overlooked, part of the DPIA process is consultation with Data Subjects. Where a process involves particularly high-risk data processing, reaching out to Data Subjects beforehand can build up a personal relationship and give the business a moment to pause and consider whether what they are doing is really in the Data Subject’s best interest.

6. Seeing others as deserving of help

“People are also more likely to help others if they think that the person truly deserves it. In one classic study, participants were more likely to give money to a stranger if they believed that the individual's wallet had been stolen rather than that the person had simply spent all his money.”

Following on from the above two points, a Data Controller that sees its Data Subjects as being deserving of protection is more likely to take compliant action.

Data Controllers should be reminded of the rights of Data Subjects and why these are there. When running training in the past I have found it helpful to link data protection into the wider development of human rights over the decades, and how in a data-driven society everybody deserves to have their information treated with respect.

7. Feeling good

“Researchers have also found that feeling good about ourselves can contribute to prosocial behaviours. People who feel happy or successful are more likely to lend assistance, and even relatively small events can trigger such feelings. Hearing your favourite song on the radio, enjoying a warm summer day, or successfully completing an important task at work can leave you feeling joyful and competent and more likely to help out another person in need. This is often referred to as the "feel good, do good" effect.”

This point fits into a larger one about corporate culture and is a key component of getting many things right beyond the world of data protection.

Businesses where staff are happy in their day-to-day work and take pride in what their organisation does are going to be more likely to engage with best practice, whereas more stressful and unpleasant working environments encourage behaviours where staff will undertake whatever action is required to get an assignment done, without considering the negative outcomes for Data Subjects.

While this may be beyond the scope of a data protection consultant to deal with alone, an open and positive working environment should always be encouraged.