We Are Not There Yet: The Implications of Insufficient Knowledge Management for Organisational Compliance
Thomas Şerban von Davier, Konrad Kollnig, Reuben Binns, Max Van Kleek, Nigel Shadbolt

TL;DR
This paper explores how insufficient knowledge management hampers organizational compliance with data protection regulations, highlighting issues faced by privacy professionals and suggesting the need for better tools and automation solutions.
Contribution
It provides qualitative insights into knowledge management challenges in privacy compliance and discusses potential automation solutions to improve organizational practices.
Findings
Knowledge management issues are core to compliance challenges.
Participants see a disconnect between regulation and practice.
Existing tools are underutilized.
Abstract
Since GDPR went into effect in 2018, many other data protection and privacy regulations have been released. With the new regulation, there has been an associated increase in industry professionals focused on data protection and privacy. Building on related work showing the potential benefits of knowledge management in organisational compliance and privacy engineering, this paper presents the findings of an exploratory qualitative study with data protection officers and other privacy professionals. We found issues with knowledge management to be the underlying challenge of our participants' feedback. Our participants noted four categories of feedback: (1) a perceived disconnect between regulation and practice, (2) a general lack of clear job description, (3) the need for data protection and privacy to be involved at every level of an organisation, (4) knowledge management tools exist but…
Taxonomy
Topics: Privacy, Security, and Data Protection · Privacy-Preserving Technologies in Data · Information and Cyber Security
