You might have heard of the “fixed mindset vs. growth mindset” psychology concept that helps students overcome failure and make progress in areas of weakness. I’m borrowing the concept and extending it here into the world of privacy because I can see it creating a more positive and safe space for growth and overcoming obstacles.
What are fixed and growth mindsets?
A fixed mindset is limited to the way things are or the areas where you’re already gifted. It says, “I’ll only ever be good at the things I am naturally good at, so I won’t try to get better at anything I’m bad at.” It only wants to appear smart and sees messing up as weakness. A fixed mindset will lead someone to avoid challenges, give up when things are hard, feel threatened by the success of others, or ignore negative feedback entirely.
A growth mindset says that intelligence and skill can be developed. It’s not just being positive or open-minded; it’s rewarding effort and learning and embracing processes to do that. Some ways of learning and growth might include asking for help, trying new things, and moving forward after setbacks. A growth mindset helps remove the shame and hurt of failure to make room for progress.
What do these have to do with privacy?
A fixed mindset in privacy could manifest in functioning as if the state of your privacy program is unchangeable or the laws and regulations to follow are insurmountable. Instead of working to regain customer trust after an incident, you might just change the name of your business and hope customers don’t notice that nothing in your policies has changed.
A privacy growth mindset would encourage any effort and risks that may lead to progress. It should welcome review from outside, even when the results indicate what is missing or being done wrong, because these are opportunities for growth. It’s never too late to implement or improve a privacy program, especially since laws and regulations are constantly evolving.
Moving from a fixed to a growth mindset
People have been saying that Facebook changing its name to ‘Meta’ is a rebrand to escape the backlash of the report that the company knew its algorithms harmed people and spread misinformation but didn’t do anything about it. If so, this would be a textbook fixed mindset: throwing out the name associated with users’ harm and starting over.
A key to the growth mindset is being able to persist and keep growing despite setbacks. While Facebook’s situation may be serious, Facebook is certainly not the first company to rebrand to create distance from a toxic reputation. Publicly committing to growth and doing better with algorithms to protect the vulnerable could do wonders for gaining back customer trust. A violation of the law will call attention to an area of privacy that needs more focus and, once rectified, lead to better practices.
Microsoft and Yahoo Inc. are two companies in the news recently that separated or cut off services for China due to the complexity of complying with Chinese regulations. Individualizing privacy approaches to each country or law, or dropping out of that country entirely, while a widely accepted privacy practice, could be considered operating with a fixed mindset. It inherently states that the regulations are easier to follow when handled separately than through a universal approach that complies with all the laws out there. Raising the services offered in every country to a single, universal approach would take effort and resources that a company may not have or be willing to spend.
While regulations and laws are becoming more prescriptive, it may help to view these efforts from the perspective of customer benefits. Safe, transparent uses of data are going to make customers more comfortable sharing their data. In that way, following more regulations projects care for the customer’s privacy, even when it takes privacy to more prescriptive levels than necessary. This could look like taking a universal approach to comply with GDPR even though some of your operations are in the U.S., which doesn’t have a federal privacy law. The effort and resources required will be worth it, either through customer trust or because laws will eventually move in that direction.
In another Privacy Ref blog post, Ben Siegel wrote about the Epik data breach and response. To sum it up, the company first claimed not to know about the data breach, and later its president conceded and called the stolen information “cursed to burst into flame.” This goes beyond just ignoring what the data breach exposed about Epik’s encryption and security program (or lack thereof); the company pretended that nothing was wrong and then proceeded to undermine the value of the data.
Instead of refusal to acknowledge or feigned ignorance of data breaches, a growth mindset focuses on what can be learned from them. Had Epik been able to acknowledge what led to the data breach, they could have put the right mitigations in place to address the exposure and prevent it from happening again. Not to mention that they’re also legally required to stop the information leak.