As organisations move to the future, technology systems will undoubtedly be a cornerstone of their infrastructure. The systems will process increasingly vast datasets, many of which incorporate personal data relating to many thousands of individuals across the globe. This sheer scale and expanse merit the need for new technologies focused purely on handling personal data and privacy, more typically known as privacy tech.
The business case for implementing new technologies in an organisation is invariably driven by a series of promises of new capabilities, enhanced productivity and greater profitability, as well as greater control over risk. This is no less true for privacy tech as it is for technologies in other parts of the organisation. With the future predicting ever greater regulatory oversight over complex new technologies (such as AI) and exponentially increasing caches of personal data, organisations are naturally looking at ways to manage privacy and personal data to greater advantage.
Firms such as OneTrust, Nymity, NAVEX and ServiceNow have emerged as significant players in the privacy tech space, with several smaller niche players also making inroads. Clearly these privacy technologies have strong benefits, however organisations (and their privacy teams) implementing these technologies all share the same challenge as teams implementing technologies in other business functions; namely getting people to actually use the technologies, once implemented.
The problem is that the transition to new tech can be extremely complex, typically affecting company-wide processes. If tech adoption is not effectively managed, not only are the benefits that were initially anticipated in the business case not delivered, the situation can be made worse by creating significant problems for internal processes and staff morale.
Business leaders cite several challenges, and although there these are wide ranging, a number of themes start to emerge.
1. Comprehending the technology
As the processing of personal data and nature of organisations has become more complex, so too has the privacy tech. Consequently, the technology on offer has evolved to provide greater functionality, however, stakeholders are not necessarily familiar with this extra functionality. Stakeholders simply will not or cannot not use what they do not understand.
2. Poor User Experience
The lack of usability with new privacy tech can be intimidating, particularly given the potential legal ramifications. Users are fearful of making mistakes that could attract lawsuits or fines.
Complaints about a system’s lack of user friendliness are common, including: ‘It’s confusing’, ‘I can’t find anything’, ‘I’m forced to work how the system wants me to rather than in my own way’, or ‘there is too much terminology that I don’t understand’.
If an inordinate amount of training is required to cater for the nuances of the system, adoption will be low. And stakeholders are less likely to take on frustrating processes or tasks that they feel are best undertaken by specialist privacy teams.
3. Lack of bandwidth
Privacy work for organisations has exploded over the last 3 to 4 years, yet there is a distinct shortage of professionals and skillsets. Over-stretched teams struggle to keep abreast of privacy requirements, and they may have little time to spare for onboarding and familiarisation of (yet another) new privacy tech. Any new technology will require and initial effort to launch and embed the system in the organisation.
4. Surprise additional overheads
Although vendors may stress the cutting-edge capability their technology will bring, organisations and their privacy teams often fail to consider the additional resources required to keep the contents of the system up to date. The benefits of the extra capabilities of the privacy tech are lost if the content data becomes inaccurate and ultimately unusable or unreliable.
5. Lack of Flexibility
Organisations evolve to meet the demands of the future. Privacy tech needs to change with them.
Privacy tech needs to be designed and implemented to cater for both current and future use cases, by featuring high levels of adaptability. Inflexible systems invariably lead to quicker obsolescence and hence lower adoption rates.
How to get tech adoption right in organisations
In recognising the need to implement privacy tech, it’s tempting for organisations to reach for the low-hanging fruit first, implementing privacy tech under the misapprehension that it will magically solve all privacy issues, without taking into account how the privacy tech will be embedded and adopted throughout the organisation. To make it work, organisations need to consider several practical steps:
6. Align with the corporate vision.
Each large organisation goes to great lengths to define its corporate vision for the future. This vision then feeds objectives, priorities, goals and strategy of its senior executives and cascades down through the workforce.
Crucially, this should include how the new technology helps its people in terms of their roles and objectives. People are more likely to be receptive to change if it is clear what the benefits the privacy tech will bring to their specific role. Anything that looks to add to their workload but with little benefit or relevance will meet with resistance.
7. Procure sponsorship at senior levels
Technology governance, cyber-security or legal are typical sponsors of privacy tech. This can lead to the perception that the technology is for use solely by these groups, rather than benefitting the entire organisation. In order to carry out privacy risk assessments, cyber incident management or data subject access requests, business users are key contributors and will need to interact with the system. Active engagement with the business therefore becomes critical.
Organisations should implement a governance structure encompassing both senior sponsors and operational stakeholders. Providing people with the opportunity to voice opinions will boost adoption and minimise resistance to change.
Be aware that technology and legal teams may not be empowered to push the technology throughout the organisation. For example, CISOs will be responsible for incident management, while CTOs/business leaders will need to drive risk assessments of products and services. CIOs will need to drive data flows as part of tech governance, and CMOs will need to adopt cookie solutions. A successful adoption involves a range of teams, so it is essential they are kept informed and provided with a platform to communicate any concerns throughout the process.
Ensure the right decision makers and drivers are onboard. Reach and influence will be key in driving adoption throughout the organisation.
8. Get the basics right
Privacy teams have deep knowledge of privacy law and compliance, but this does not mean they are the right people to drive tech adoption. Instead, organisations should look to leverage project teams with dedicated change managers or bring in business analysts and project managers with experience of privacy technologies.
Build an implementation plan including roadmap, sequencing and timelines plus a list of approvers and contributors.
A change management plan is critical to ensure there is an approach and a team to handle objections, resistance, changes and any issues that arise.
9. Build adoption in the business case.
No large organisation implements new technology without first building a business case. Indeed, this will be required to secure project funding in the first place.
In the interests of getting a business case approved with minimum resistance, the cost of adoption is often underestimated or of left out altogether. The risk with this approach is that the benefits initially envisaged will not be realised, because the technology has not been adopted throughout the entire organisation.
Therefore, organisations should ensure the cost of adoption is factored into the business case or accounted for in OPEX budgets.
10. Get the right people in the right place
Operational teams tend to be focused on the day-to-day running of the organisation. They rarely have sufficient additional bandwidth for large special projects, and their skillsets tend to be tailored to keeping operations running smoothly.
Therefore, it is critical to mobilise dedicated resources for adoption rather than attempting to leverage current resources, that may be ill skilled for the work at hand.
11. Probe touchpoints and integrations
Global organisations have complex networks of systems and deal with an enormous movement of personal data.
The privacy technology should be capable of talking to other systems. This integration will maximise functionality and capability. For example:
- Cookie management systems should be able to link in with the websites and portals.
- Breach notification systems will need to dovetail into cyber security incident management systems.
- Data flow technologies should link to an IT asset management system
The advantages here are clear. If the systems talk to each other, the requirement for human intervention is minimised, avoiding manual tasks like extracting data, cleaning, formatting and loading it into the privacy technology.
Identifying these compatibility and interoperability dependencies early can alleviate frustrations when organisations later realise their systems do not communicate, not to mention the risk of wasted implementation costs.
12. Reflect the company culture
The culture in an organisation varies significantly depending on the industry, country, sector or internal politics of the organisation itself. Factors that reflect in adoption planning and training include:
- Whether an organisation is process driven or entrepreneurial
- Whether it operates in silos or top down
- Whether its people are resistant to change
- Whether it’s focused on revenue generation or altruistic principles
- Whether the pace at which it moves is fast or slow
- Whether the organisation has a track record of adopting to new technologies
Factor in the culture of the organisation and reflect that in the adoption planning and training.
13. Communication expansively
Good communication with stakeholders, sponsors or users is a fundamental part of successfully adopting new tech. Understand the parts of the organisation that will be particularly affected. Record the use cases of the privacy technology for those parts and adapt the communications and messaging to resonate with the right people.
Allocate advocates and champions. Advocacy will be a cornerstone of preaching the benefits and driving enthusiasm and adoption.
14. Shape the training
Identify any training requirements at the start of the process. All tech vendors will offer some training; however it tends to be largely generic. So it is important to customise this for the organisation, its priorities, processes and culture. Bear in mind the following to ensure training fits your specific needs:
- Aim for practical training that involves workshops. Actual usage of the system is far more engaging than a PowerPoint presentation
- Tailor the training to stakeholder “use cases” to ensure relevancy
- Offer rewards for adoption and recognise those that adopted the technology
- Implement a network of trainers to spread the workload. Scale the network to the size of the organisation
15. Adopt a monitoring cadence
Large corporations employ thousands of people, often spread across multiple business units around the globe. This scale and expanse addition additional dimension to the complexity of rolling out adoption initiatives.
To mitigate this, monitor progress and disruption and refine the adoption plan for both success and progress. And be sure to implement a helpdesk to help minimise disruption.
Build KPIs to help measure adoption, using them to identify areas where usage is less than target. Capture the failure points, determine their root cause and implement steps to solve them. And finally, adoption and implementation are a continuous process, so push for ongoing refinement.