In this blog piece, our commissioner Emma Martins explains her position on ‘enlightened compliance’:
“‘Enlightened compliance’ is a term I have used a lot in the context of data protection. I want to explain what I mean by this and how best we can encourage it.
From the moment we wake up each day we are surrounded by rules we are expected to follow. For example, how fast we can drive; how much tax we pay; where we can get medical advice.
The existence of these rules is referred to, in moral and political philosophy, as the ‘social contract’. It is a theory that originated during the Age of Enlightenment and mostly considers the legitimacy of the state over the individual, and the sense that we all agree to giving up some of our freedoms, submitting to the authority of the state, in return for protection of certain rights and the maintenance of social order.
Those of us working in regulation and compliance, in whatever form (and there are many), rarely allow ourselves the time and space to reflect on what the social contract in our own world looks like, is seeking to achieve and – importantly – whether we are actively contributing to the meaningful and successful delivery of good outcomes. Too often we simply set our noses to the grindstone and press ahead with working through our ever-expanding to-do list. Invariably, that to-do list is based on what previous regimes and personnel have determined as the priority for your organisation or role.
Maslow’s 4 stages of Learning
But it is more important than ever for us all to think about what compliance means to us and to our community more widely, as well as what we can do to encourage better engagement and outcomes. So, thinking about some of the rules we are surrounded by and our attitudes to them, I am drawn to the ‘conscious competence’ model of learning –
This model assists in explaining the stages by which we learn across many areas, and can be summarised as follows –
- Unconscious incompetence – we are initially unaware of how little we know.
- Conscious incompetence – we start to recognise our lack of awareness/knowledge.
- Conscious competence – we understand or know how to do something, but it still requires effort or concentration.
- Unconscious competence – we know what to do and it has become ‘second nature’, requiring little effort or concentration.
Whilst this model considers stage #4 (unconscious competence) as the objective of learning, in the context of the regulatory environment we can perhaps think a little differently.
The past: unconscious incompetence
For much of its history there has been a significant amount of ‘unconscious incompetence’ around protection of personal data. The introduction of the General Data Protection Regulation (GDPR) served to move many into stage 2 (conscious incompetence). It is certainly the case, at the ODPA, we had a sense of people within our regulated community appreciating that there was much that needed to be done, but at the same time they were struggling for clarity about exactly what that needed to look like.
The present: conscious competence
Since that time, we have worked hard with the resources available to us to help improve both awareness and understanding of what the law is designed to achieve and how best we can work together to achieve it. So, I am optimistic that, although there is undoubtedly still much to do, we are moving into stage 3 (conscious competence). That is, we know what we need to do, and we have the information, time, support and resources to do it. Importantly too, we are working hard at this office to present data protection compliance as more than a tick box exercise, encouraging a better understanding of how fundamental it has become to us all living just and fulfilled lives in the digital era.
The future? Unconscious competence
The question of whether we need aspire to stage 4 (unconscious competence) is interesting. Whilst there are important elements of data protection compliance that need to be embedded into business-as-usual (the unconscious), the environment is changing too fast for us to be anything but constantly vigilant and being vigilant requires conscious effort.
A way forward together
Both the regulated community and the ODPA need to face this harsh reality: sustained, conscious effort in an ever-changing environment is hard. It’s not possible to always get it right, but that doesn’t mean we don’t try.
For our part of this attempt to get things right: at the ODPA, on a daily basis, we are actively, deliberately, engaging with our regulated community so that we can face the challenges that exist, and find answers together. All the while keeping focused on protecting the rights of the human beings in our jurisdiction who are relying on us to get this right. How do we do this? We run our own events; we put out blog pieces like this one that you are reading; we engage with businesses large and small; our doors are open every fortnight for organisations to ask us (pretty much) anything; we produce our own podcasts; we seek to elevate the public conversation through speaking (and listening) at external events, in schools, and pushing out content via our newsletter and LinkedIn presence – all of this activity creates opportunities for the regulated community and the ODPA to communicate. To learn. To improve. To innovate. It often feels like there are no easy answers in this space, but together we have a chance of unearthing them.
We have considered our role carefully. Whilst our processes are necessary and our timescales mandatory, how we organise ourselves and devise our responses is ours to determine. We want to do so in an enlightened way and the above learning model applies to us as much as it does to everyone else. We are aware of our responsibilities and we invest all we can into achieving them in ways that go beyond ticking a row of boxes.
The challenge for us all is to think about the steps we can take to encourage interest and engagement, because even the smallest of steps can bring about big changes.”