Do workers really take data compliance seriously?

Non-compliant employees are giving IT leaders a headache, and it’s hard to know how best to cure it. How should IT decision-makers (ITDMs) strike the right balance between allowing employees the freedom to choose, or stringently preventing errors?

Getting the balance wrong can be costly. In January, Amazon lost a legal case in France and was fined €32m for “excessively intrusive” monitoring of employees.¹ Even at a less extreme level, regulations can hamper productivity and may actually end up tempting frustrated employees to bypass the rules.

So, how big a problem is this? Canon’s new research, which canvassed the opinions of over 1,700 ITDMs, offers some insights. The IT Transformation Barometer revealed that the security of the organisation’s information keeps IT leaders up at night, never leaving their top three rated most challenging and time-consuming responsibilities over the last five years.

In 2023, this stepped up. When we look at ITDMs’ top-rated challenges, the leading theme is the visibility and control of company information. Information security (33%) was rated as the number one challenge, closely followed by maintaining compliance (25%) and control overshadow IT (25%).

The data suggests hybrid and remote working is adding to the problem. When asked about how they plan to refine their existing set-up, many ITDMs said they wanted more visibility of employee software use (43%), while also increasing control over employee compliance behaviour offsite (42%) and shadow IT (40%).

In a word, yes. Shadow IT is on the rise and, by 2027, it’s predicted that 75% of employees will acquire, modify or create technology outside of IT’s view. This is a huge rise from 41% in 2022².

Gartner puts this down to the fact that many of us have “become technologists”. Employees increasingly have the knowledge and technical capability to sign up and access programmes through the cloud, without needing to involve IT at all.

The result? Compliance can easily be compromised. As CSO magazine reports: “Workers typically don’t know whether or what security layers the applications they’re buying have, or whether anything needs to be added to them to make them secure. Then, to make things worse, they’re often putting sensitive data into these applications to get their work done.”³

The reasons given for not complying with company security regulations are varied. In many instances, employees simply don’t know what the correct protocols are. Information management requirements are complicated, and some employees may not realise how they tangibly apply to their day-to-day work.

In other cases, the processes or tools they have to use are just too complicated to follow. A Harvard study⁴ found that 5% of tasks were deliberately completed in a non-compliant way. The top three reasons for offending were: ‘to better accomplish tasks for my job,’ ‘to get something I needed,’ and ‘to help others get their work done.’ These three responses accounted for 85% of cases. Breaking the rules was not malicious for the vast majority but motivated by a straightforward desire to get the job done.

Striking the right balance between responsible management and excessive interference is a major challenge for today’s IT leaders. Given the evidence, ITDMs are right to be concerned about employee behaviour, particularly outside of the office walls.

The ultimate goal should be to make managing information and data compliantly feel unobtrusive. In the first instance, this is about truly understanding employees’ requirements – something which is dramatically impacted by the industry and the role of each individual. ITDMs can reduce the likelihood of employees circumventing the company policies by speaking to lines of business about their workflows and understanding what policies are truly a necessity, and which create more trouble than they’re worth.

However, it’s also about creating an environment with more visibility and control. Interestingly, visibility of even common aspects of information management was a problem, according to the research. Only around half of IT leaders said they had capabilities in place to track how documents were being managed for audit purposes. For example, only 53% of IT leaders said they were able to track how documents had been shared. Without this visibility, it’s challenging for IT leaders to truly know whether employees are behaving compliantly.

The research reveals that many IT leaders are taking action. Respondents reported that they were beginning to implement digital document management to enforce automate best practice by automating how company information is managed. At a basic level, that includes implementing automatic access rights and automatic deletion of sensitive documents after a set period. For more digitally advanced organisations, that might be introducing workflow automation to ensure a full business process - such as invoice processing - has automation built into it, ensuring the process is controlled according to a set of pre-approved of steps.

But, there are also a large portion of ITDMs who admitted they haven’t yet introduced some of these more entry-level capabilities. In fact, even the most common functionality – automatic access rights to control who can access documents and locations – had only been adopted by 51% of those surveyed.

Secure, compliant management of business information is a top concern for every IT leader. But ensuring compliance is ultimately a challenge that centres around human behaviour. To set successful policies, IT leaders need to ensure they are neither obstructing employees, nor allowing them free reign to select how they manage information.

ITDMs should start by reviewing whether they have the right tools when it comes to visibility and control of how information is being used. With these in place, it removes the pressure on IT leaders to have eyes everywhere in an environment where manual tracking just isn’t feasible. Starting to build a more human-centred approach to compliance will help to avoid both accidental breaches and deliberate cases of non-compliance caused by labyrinthine measures. They’ll also help IT leaders to get a better night’s sleep.

Explore the IT Transformation Barometer here to get more insights on IT leaders' experience, from future procurement priorities to how they really feel about their role.

Download Report