Desk covered with paperwork showing policies and procedures for privacy and security

Policies and Procedures as Privacy and Security Controls: Why It Is Time They Are Replaced by Something Live and Interactive

Policies and procedures have been with us as long as privacy and security, or arguably much longer. From the US to the EU, from Australia and Singapore to Canada, whenever privacy and security are discussed and need to be implemented, they are mentioned as the most basic and the most prominent controls. Almost every framework or guideline, be it from the US National Institute of Standards and Technology (NIST), the EU's European Data Protection Board (EDPB) or the European Union Agency for Cybersecurity (ENISA), mentions policies and procedures as necessary to implement the desired privacy and security program and to put it into motion.

What all these frameworks and guidelines are usually silent about is how such policies and procedures are to be drafted, implemented and integrated into the living and constantly changing structures of companies, and how that integration should be measured. This assertion is not entirely accurate: training, informing and supervising employees, contractors and, increasingly, supply chain companies, as well as sanctioning non-compliance, are often described as measures for implementing policies and procedures.

All in all, this is what companies usually do. Policies and procedures are drafted and updated as needed; employees, contractors and, to some extent, external parties are informed and trained on their contents. Then, as per the roles and responsibilities described in such documents, some employees are appointed to new roles and others simply receive additional responsibilities within their existing roles. From time to time internal meetings are held to discuss the situation, presentations are created and the agreed metrics are displayed. Any cases of non-compliance are investigated and the relevant sanctions applied; such sanctions may, for example, include termination of employment.

While all this seems familiar and conforms with known and proven corporate ways of working, it is difficult not to observe that it hardly keeps pace with the innovative and omnipresent technology, software and business processes, which evolve at an increasing speed. This is much more than a matter of look and feel. Updating policies and procedures is usually a formalistic process requiring many approvals and consultations, followed by informing the relevant stakeholders, and it takes far longer than reacting and adapting to new market strategies, technology innovations and business needs. In addition, organizational changes happen quickly and without regard to the roles and responsibilities defined in such documents, because they are sometimes necessary in order to adapt, to react and to seize the best opportunities. Such changes also result from the fact that people change jobs far more often than before, and the present job market and employee expectations produce much more agile and rapidly changing structures. Policies and procedures struggle to keep pace with such changes, and in practice they hardly can. Not only that: employees who work daily with apps, software and sophisticated tools, and who are used to technology, innovation and interactive content in their private lives as well, are much less inclined to read lengthy and, more often than not, outdated written documents.

While all this may sound mundane, we are in fact at a stage where the most fundamental and basic controls, on which all privacy and security programs rest to some extent, are at risk of becoming illusory, outdated, and neither read nor used by a great majority of the relevant stakeholders. The consequences for those programs might obviously be very serious, as they are in peril of grave failure. Many companies are well aware of this, and they respond by training employees in more engaging ways, simplifying their documents considerably and, at the same time, developing and expanding ways to monitor and enforce compliance by employees and external parties. This, however, may not be sufficient, and even where it seems sufficient there might be more innovative ways to reach the desired objectives. It is not tools we are lacking, but rather the awareness that existing tools and methods can and should be applied to transform such policies and procedures into something live and interactive.

So what are the possible avenues for changing existing policies and procedures, to which a more sophisticated approach and tools can be applied quite easily? First of all, the documents should stop being traditional documents, that is texts written in natural language only, and become interactive instead. This can be enhanced with AI capabilities, but it does not have to be. The majority of the information should be displayed with clickable icons and live dashboards, supplemented by videos and brief written explanations in clear and plain language. Of course, this should not create the notion that such information is less binding than traditional written documents, but that requires a change in attitude and perspective.

New live documents should evolve and adapt with minimal involvement of their original authors, limited to supervision. This includes automatic and just-in-time updates related to new regulatory developments, organizational changes, new tools and business processes, new products or services, as well as adaptation to the changing risk landscape and to consumer feedback.

Employees and external parties should at first be presented only with the information they need, while being entitled to go deeper if they wish. Clearly, such next-generation documents should be machine-readable and implementable on the software and network side and, more generally, at the technology level.
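To make the last two points concrete, here is an added illustration that is not part of the article: a policy expressed as structured data rather than prose, where each rule carries a machine check run against a live configuration snapshot, an effective date so that new rules start applying without a document being re-issued, and an audience so that each reader sees only the summaries of the rules that concern them, with the detail available on request. The rule identifiers, roles, configuration fields and sample values are all constructed for this example.

```python
# Added example (not from the article): a machine-readable policy with
# per-rule checks, effective dates and role-scoped progressive disclosure.

# Constructed sample policy. Each rule is data, not a paragraph: a one-line
# summary for everyone in its audience, a longer detail shown only on request,
# the ISO date from which it applies, and a check run against live configuration.
POLICY = [
    {
        "id": "AC-1",
        "summary": "Every account must use multi-factor authentication.",
        "detail": "Applies to staff and contractor accounts alike; hardware keys preferred.",
        "audience": {"admin", "engineer", "contractor"},
        "effective_from": "2023-01-01",
        "check": lambda cfg: all(acct["mfa"] for acct in cfg["accounts"]),
    },
    {
        "id": "DR-1",
        "summary": "Personal data is kept no longer than 365 days.",
        "detail": "Counted from the last customer interaction; backups are included.",
        "audience": {"admin", "engineer", "legal"},
        "effective_from": "2023-01-01",
        "check": lambda cfg: cfg["retention_days"] <= 365,
    },
    {
        "id": "NT-1",
        "summary": "Internet-facing services accept TLS 1.2 or newer only.",
        "detail": "TLS 1.0 and 1.1 are disabled on every public listener.",
        "audience": {"admin", "engineer"},
        "effective_from": "2024-06-01",  # a rule that only becomes binding later
        "check": lambda cfg: tuple(cfg["tls_min_version"]) >= (1, 2),
    },
]


def applicable_rules(policy, on):
    """Rules in force on the ISO date `on`; ISO dates compare correctly as strings.
    A rule with a future effective date is simply not yet applied."""
    return [rule for rule in policy if rule["effective_from"] <= on]


def evaluate(policy, cfg, on):
    """Run every applicable rule's check against the configuration snapshot.

    Returns {rule_id: passed}. A False entry is a measurable control gap,
    rather than a paragraph that someone may or may not have read.
    """
    return {rule["id"]: bool(rule["check"](cfg)) for rule in applicable_rules(policy, on)}


def view_for(policy, role, on, expand=()):
    """Progressive disclosure: a reader sees only the summaries of the rules
    that concern their role, and the detail only for the ids they expanded."""
    view = []
    for rule in applicable_rules(policy, on):
        if role not in rule["audience"]:
            continue
        entry = {"id": rule["id"], "summary": rule["summary"]}
        if rule["id"] in expand:
            entry["detail"] = rule["detail"]
        view.append(entry)
    return view


# Constructed configuration snapshot, as a monitoring job might collect it.
SAMPLE_CONFIG = {
    "accounts": [{"name": "alice", "mfa": True}, {"name": "bob-contractor", "mfa": False}],
    "retention_days": 400,
    "tls_min_version": (1, 2),
}

if __name__ == "__main__":
    today = "2024-07-01"
    for rule_id, ok in evaluate(POLICY, SAMPLE_CONFIG, today).items():
        print(rule_id, "PASS" if ok else "FAIL")
    for entry in view_for(POLICY, "contractor", today, expand={"AC-1"}):
        print(entry)
```

Evaluated on 2024-01-01 the snapshot fails AC-1 (one contractor account without MFA) and DR-1 (400 days of retention), and NT-1 is not yet in force; evaluated on 2024-07-01 NT-1 is applied automatically and passes. A reader in the legal role sees only DR-1, and only its summary unless they expand it. The point is that the rule, its audience and its verification live in one place, so a change to the rule changes what is checked and what is shown at the same time.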

Live and interactive documents, if they would still be called and treated as documents, would much better reflect and resemble the living body of a modern organization. People, technology and business processes work in combination, creating new value and new ways of working. In this way processes, and the corresponding documents, are in fact created on the go, constantly changing and evolving, rather than being drafted and then implemented at a specific point in time. Risk management and security controls, like privacy controls, need to be intertwined with this whole process and work in close combination and alignment with it. Such controls would not be policies and procedures as such, but rather controls of a technological and human management nature at the same time, actively contributing to how such live and interactive documents evolve in a safe and controlled manner. They should also be based on specific desired functions and outcomes, such as safeguarding well-defined individual rights where privacy is at play, or specific security functions where information security and cybersecurity are concerned. Every privacy and security framework would still be underpinned by a set of guiding principles, preferably no longer than one page, supplemented by interactive content if they are to remain engaging and interesting for a modern, technology-oriented person.

While all this might sound unrealistic at first, it is in fact a modest and not particularly sophisticated step when we consider that our world is soon to be driven and developed with the help of artificial intelligence, which will quickly and inevitably make many old habits and ways of working obsolete.