Training teams on data privacy best practices
| One of the major risks facing our projects today is data – and all the problems that can arise when the wrong data falls into the wrong hands. Even if nothing malicious happens with the data, the fact there was a breach can lead to reputational damage and fines. And no project manager wants their project to be the one where data leaked out. So we work on making sure data privacy best practices are built into the way projects are delivered. Mostly, data privacy regulations are baked into internal processes and policies, but it never hurts to have a reminder. Here are some things you can do to foster a culture of data privacy awareness in the team, so they automatically (hopefully) consider data privacy when they are working out work packages and activities.
Start with cultureBuild a culture of data privacy. Lead from the top and make it expected that privacy is just ‘how things work around here.’ Make data privacy a part of the team’s daily routine by integrating best practices into everyday project management tasks, such as reviewing documents, storing information, and sharing data. For example, think through who has access to what data, and who gets permission to delete it. I had an interesting discussion with some German colleagues recently who shared that the data privacy laws there are so strict that you can’t ask employees for some information, which must make some aspects of performance reviews, feedback, celebrating birthdays and employee satisfaction surveys really difficult! (If you’re based in Germany, let us know your thoughts in the comments below, or if your country has similar restrictions, tell us about them!) Offer formal trainingIf your company offers mandatory data privacy and security training programs for all team members (and they probably do) make sure everyone does the modules. It’s usually e-learning and not onerous, but that also means that people have a tendency to skip to the test or assessment part without actually paying that much attention to the training. However, it’s the minimum people need to do. This training will most likely cover topics like identifying sensitive data, safe data handling practices, and understanding legal requirements – all things you need to have top of mind for projects. Work through examplesUse your team meetings to work through practical scenarios. Use real-world examples or case studies, for example, internal projects or projects in the media in your industry, to illustrate the importance of data privacy and the consequences of non-compliance. Ask the risk management team if they could write some scenarios for you to discuss and add them to your team meetings a way of upskilling. Set clear data handling guidelinesYour company might already have overarching data handling guidelines, so you can lean into those, or set specific ones for your project if it’s data heavy. Guidelines should cover data collection, storage, sharing, and disposal. When you kick off a new project, ensure that every team member understands the policies and any other applicable laws. Stay on top of changesOne thing I’ve noticed in the 20+ years I’ve been managing projects is how often things change. Privacy law and data laws are changing all the time as technical advancements introduce different types of data and ways that it needs to be managed (AI and deep fakes being cases in point at the moment). Don’t assume nothing has changed since you last did a project with a big data element. Talk to your legal team and get the latest. Talk about the implications of non-complianceMake sure people are aware that it’s not a small problem if there is a data breach or non-compliant situation. Your company could risk:
And sometimes the individual might be liable as well as the organisation… so know what you are getting yourself into! |
Data privacy for projects
| I don’t know about your projects, but the role of data privacy and information governance has certainly expanded since I started managing projects. Data privacy has become a critical concern for organisations globally, and you only have to look at high-profile cases in the media about ransomware attacks, data leaks and breaches to realise that we’re all only one potential hack away from a major problem. Is that on your risk register? It could be. Projects use or create a lot of sensitive data, depending on what industry you are in. Even if you aren’t dealing with medical records, your project probably includes some confidential company information for you or your clients. Even operational data could be sensitive if a competitor got it. Therefore, project management processes have to take into account data privacy standards. Meeting those are the basics. You have to maintain trust in your organisation and avoid exposing the business to significant legal and financial consequences. Non-compliance can result in fines and reputational damage, and there are plenty of cases in the UK, for example, where GDPR breaches have been heavily fined. In this article, we will discuss the key data privacy regulations that impact project management, how to assess your project management tools for compliance, and steps you can take to ensure your team handles project data securely.
Data privacy regulationsI know that readers come from all around the world, and privacy laws differ, so I’m not going to try to list all the relevant global legislation. Suffice to say that in the UK where I am based, GDPR is a key regulation. Where you are will no doubt have similar regulations on how personal data is collected, processed, and stored. The laws that I am aware of generally all have similar aims: to ensure data is collected for the right reasons, stored securely and disposed of appropriately, and that data subjects know what is being done with their personal information. Key principles of data privacyProjects should take into account how data privacy is going to affect the work of the project and deliverables. Generally (although I’m not a legal expert in your country’s regulations, so take advice from your information governance team), what you are looking for are the following. Data minimisationCollect only the data necessary for the project’s purpose. Don’t collect extra things because they would be nice to have or would help a future project. Work out what data is required for the purpose of this project, and that’s all you can have. Purpose limitationThis principle says that you have to ensure that data is used only for the purpose for which it was collected. In other words, if your project is collecting data for the purpose of processing a customer order, you can’t then use it for something else. Consent managementPeople need to know what they are consenting to and what you are going to do with their data. this is all about transparency. If your project is collecting data from people that you didn’t have before, obtain explicit consent for that. Mostly this will be covered off by any privacy notice you have on the site, or in your terms and conditions – so you must make sure your project links in with any existing consent management systems (or builds a new one if needed) Data securityNot surprising – if you need to build measures to protect data from unauthorised access, breaches, and leaks, do that, or tap into what already exists. This goes for user access too, so make sure only the right people in your company have access to data. Transparency and accountabilityKeep clear records of data handling practices and be transparent with customers about how their data is used. You may find this is already covered in existing terms and conditions or privacy notices, but always take advice from your legal or information governance team, or data protection officer to make sure your project isn’t introducing anything that would diminish existing processes or require new ones. |
