All forms of government intervention, such as legislation and regulation, are driven by the need to manage risk, and, where possible, leverage opportunity, for the perceived benefit of the state and its citizens. The European Union’s General Data Protection Regulation (GDPR) is no different. But is there a deeper link between a regulation like GDPR and security culture in general?

The link between Legislation and Cultural Norms

Legislation and regulation define and expresse society’s expectations of what is normal and acceptable in how we all interact, do business or even, in the case of GDPR, gather and process information and data. These expectations are often based on the values, attitudes and beliefs which dominate a given society, industry and profession.

As such, laws and regulations are arguably tools for communicating culture and cultural norms.

The GDPR is designed to build on the European Community’s existing Data Protection laws, which were first made enforceable in 1998. So important are the values, attitudes and beliefs associated with data protection that the European Union has decided to strengthen the European citizens’ rights and expectation with regards this to re-balance the perceived control, from organisations that hold personal data back to the data subject themselves and then provide greater means to enforce such regulations.

GDPR and Security Culture in Europe will become Interwoven

If the regulation is implemented and enforced effectively, it will, over a period of time, become the expected way that things are done. It will become what 510 million Europeans, all around the world, will come to expect when it comes to the way in which organisations, who hold and process their data, behave. And GDPR will lay down for those 510 million Europeans their rights to enforce these expectations through regulators and the courts when it comes to data protection and security. GDPR and Security culture in Europe will, therefore, become interwoven.

In effect, the GDPR is an expression of values, attitudes and beliefs around what should be the societal norm when it comes to data protection and what individual European citizens can expect from those that gather and process their data.

Why does GDPR not Mention Culture Explicitly?

Unlike ‘awareness and education’ there is no specific mention of a legal requirement for those responsible for ensuring an organisation is compliant to consider GDPR and security culture as a whole.

However, culture will have a significant impact on the effectiveness of your efforts to raise awareness –  which is a legal requirement under GDPR. It will also influence behaviour to achieve compliance with your organisational policies.

In GDPR Article 39 which governs ‘tasks for the data protection officer’ and Article 47 which covers ‘binding corporate rules’ there is an explicit requirement for organisations and their data protection officers to ensure they deliver awareness raising and training with regards to GDPR and the organisation’s GDPR related policies, processes, procedures and standards.

Article 39 1

b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

Article 47

n) the appropriate data protection training to personnel having permanent or regular access to personal data ‘

Failure to do so is, by definition, a breach of the GDPR regulations and a breach can incur significant penalties.

The Requirement to Deliver Programmes that impact Security Culture

The principle behind these clauses is that for GDPR, or any other piece of legislation, to deliver its intended benefit to society, organisations will need more than a range of well-documented GDPR compliant policies, processes, procedures and standards to be in existence. To have these alone will only amount to a ‘tick box’ approach to compliance and that is not what the European Union was looking for when it approved this regulation. You will need to ensure that all the relevant personnel, are aware of their roles and responsibilities, competent to fulfil them and, most importantly, you need to influence behaviours where existing ones are not compliant with GDPR and your organisation’s policies. GDPR and security culture therefore must be considered together for changes required to comply to have a real impact.

Culture, both organisational and national, has routinely been proven to influence behaviour. Sometimes in line with an organisations expectations of personnel when it comes to data protection, and sometimes not.

To find out more about how Marmalade Box can assist you in developing programmes that can help you re-think the human factor in your security training programmes why not join our webinar or contact us for more information.