The need to verify Policy Compliance

Sometimes my mind wanders and I relate what is happening around me to privacy-related situations. Often our team undertakes assessments for our clients privacy programs and we encounter a number of unexpected, and sometimes surprising findings. One situation we often find is that privacy program establishes one or more policies that are not being followed for any number of reasons

For example…

Anyone who has worked with me or taken a class from knows I love anecdotes to reinforce information I am providing. These anecdotes often come from my observations totally unrelated to privacy. For example…

Recently my wife and I went to a wedding for our niece and flew to get there. Like most flights these days, most passengers had carry on bags to save the charges and inconvenience of checking the luggage.

One more mature person brought there carry-on onto the plane, no problem. However, the individual was wearing a wrist brace and could bot pick up the bag to place it in the overhead. The person requested that a flight attendant place the bag in the overhead for them.

The flight attendant politely explained that this was against airline policy. After few uncomfortable minutes and many glances at the wrist brace, the flight attendant relented saying “…but just this one time.” The flight attendant was trying to do the “right thing” for the passenger, by violating policy. It was good customer service after all.

Unexpected consequences

The flight attendant attempted to lift the bag, then quickly backed off as the bag was heavier than the flight attendant expected. A second, “successful” attempt was made to lift the bag and it soon rested in the overhead. The passenger thanked the flight attendant who walked away clutching their back.

Other passengers were boarding asking for similar assistance. The flight attendant declined citing their strained back and the airline policy. Consequence number one: passengers were dissatisfied with the service as one person got help, but no one else did.

As the flight progressed it was obvious the flight attendant was in pain. Eventually, they allowed the other flight attendants on the flight continue service as they took a break. Consequence number two: more dissatisfaction as passengers questioned why one flight attendant was just sitting there.

When the flight arrived the injured attendant went to the airport’s medial facility and was given some pan relievers and a recommendation to get off their feet. Consequence number three: the flight attendant made themselves unavailable for their next flight and the airline had to replace them delaying their next flight.

While I cannot confirm this, I can only assume that additional work was missed by the injured flight attendant and, potentially, medical bills incurred. More consequences.

What does this have to do with privacy?

Take a moment to consider the potential consequences of your various privacy-related policies not being followed. Can this behavior lead to a data breach? A violation of the laws you are required to follow? What will the impact be on your business’s reputation? Will there ultimately a revenue or bottom line impact.

While organizations do a good job of creating policies and training individuals on what they mean. the ball often gets dropped when verifying compliance. I had one corporate counsel tell me that they did not want to verify compliance because if any issues were found, they’d have to do something about it.

If it is worthwhile to create a policy or procedure, it is just as worthwhile to verify it is being followed. If you do not, why have the policy in the first place?