top of page

Use the power of checklists to build a culture of privacy

Part of my job as a data privacy professional is to keep myself educated. In a lot of readings I’ve done, as well as some talks I’ve attended, I’ve heard a lot of experts say that data privacy compliance is more than just ticking boxes off a checklist.

I get what they mean. Sure, data privacy IS more than just the superficial meeting of formal requirements. An honest-to-goodness data privacy compliance program means that data privacy becomes embedded in the DNA of the organization.

So how do organizations go about doing this?

It may seem counterintuitive but I submit that having a checklist would be an affordable and accessible solution.

Atul Gawande’s book, The Checklist Manifesto, made me a believer in checklists. In example after example, Dr. Gawande showed how checklists were instrumental in ensuring that the task was clear to the team and that all necessary steps were taken (no shortcuts!) to complete the project and achieve the objective.

Dr. Gawande lays the rationale for checklists:

“Here, then, is our situation at the start of the twenty-first century: We have accumulated stupendous know-how. We have put it in the hands of some of the most highly trained, highly skilled, and hardworking people in our society. And, with it, they have indeed accomplished extraordinary things. Nonetheless, that know-how is often unmanageable. Avoidable failures are common and persistent, not to mention demoralizing and frustrating, across many fields—from medicine to finance, business to government. And the reason is increasingly evident: the volume and complexity of what we know has exceeded our individual ability to deliver its benefits correctly, safely, or reliably. Knowledge has both saved us and burdened us. That means we need a different strategy for overcoming failure, one that builds on experience and takes advantage of the knowledge people have but somehow also makes up for our inevitable human inadequacies. And there is such a strategy—though it will seem almost ridiculous in its simplicity, maybe even crazy to those of us who have spent years carefully developing ever more advanced skills and technologies. It is a checklist.”

Can we reduce the many moving parts of data privacy compliance to checklists, you might ask. I certainly think so. In fact, the steps of the privacy impact assessment can be considered as a long and detailed checklist which allows organizations to check how a project measures up to data privacy compliance requirements.

Checklists can also be used in the day-to-day personal data processing that each organization does. These would also be great when drafting consent forms, reviewing data sharing agreements, preparing privacy notices. The medical, construction, and airline industries have shown that consistent use of checklists eventually make adherence to processes and requirements second-nature to the people in the organization. A data protection checklist would likely lead to building a culture of data protection in the organization as well.

Checklists also help in devolving decision-making for data privacy issues in the organization.

“The philosophy is that you push the power of decision making out to the periphery and away from the center. You give people the room to adapt, based on their experience and expertise. All you ask is that they talk to one another and take responsibility. That is what works.”

In data privacy training sessions that I’ve conducted, I emphasized the importance of classifying personal information into key categories, and for the organization to have a checklist on how to approach data protection for each category. Since how to deal with categories of personal information is already clear, the staff can make decisions on how to handle the personal information without waiting for instructions from Management or the Data Protection Officer. They do this often enough and the organization begins to build a culture of privacy, where data protection becomes second nature.

The best use of a checklist when it comes to data privacy compliance may be in dealing with personal data breaches. In a situation where crucial decisions have to be made and fast, having a checklist would ensure that important decisions do not fall through the cracks. As Dr. Gawande notes:

"The checklist doesn’t tell him what to do, he explained. It is not a formula. But the checklist helps him be as smart as possible every step of the way, ensuring that he’s got the critical information he needs when he needs it, that he’s systematic about decision making, that he’s talked to everyone he should. With a good checklist in hand, he was convinced he and his partners could make decisions as well as human beings are able."

A breach response checklist would be akin to the decision checklists that airline pilots adhere to when they encounter flight problems. Given the dire consequences that personal data breaches have brought about, the analogy is not far-fetched.

Remember that the National Privacy Commission requires reporting on the personal data breach within 72 hours from the knowledge thereof. When you need to make crucial decisions within this small window of time, a checklist would ensure that your team is able to make all the critical decisions.

Have I convinced you yet? Perhaps Dr. Gawande will be able to:

“We don’t study routine failures in teaching, in law, in government programs, in the financial industry, or elsewhere. We don’t look for the patterns of our recurrent mistakes or devise and refine potential solutions for them. But we could, and that is the ultimate point. We are all plagued by failures—by missed subtleties, overlooked knowledge, and outright errors. For the most part, we have imagined that little can be done beyond working harder and harder to catch the problems and clean up after them. We are not in the habit of thinking the way the army pilots did as they looked upon their shiny new Model 299 bomber—a machine so complex no one was sure human beings could fly it. They too could have decided just to “try harder” or to dismiss a crash as the failings of a “weak” pilot. Instead they chose to accept their fallibilities. They recognized the simplicity and power of using a checklist. And so can we. Indeed, against the complexity of the world, we must. There is no other choice. When we look closely, we recognize the same balls being dropped over and over, even by those of great ability and determination. We know the patterns. We see the costs. It’s time to try something else. Try a checklist.”

#checklist #compliance


I am Cecilia Soria, a Privacy Attorney. This blog is where I share news and insights as I continue to learn more about privacy.


bottom of page