I used to love the TV show M*A*S*H. I think it’s one of the greatest shows of all time. It was about a mobile army surgical hospital right near the front lines in Korea. When combat heated up, the wounded would come in overwhelming waves, resulting in surgery sessions many hours straight. The whole point of a MASH unit was to get the wounded to care as quickly as possible, which helped increase survival rates. But with too few surgeons and too many wounded, they were forced to triage. Triage is prioritizing — determining who is going to die, who needs help now, who can wait. Ruthless prioritization. Any emergency room does this, and I imagine for the people who make those decisions it is very painful.
They also knew that all they could do was what they called “meatball surgery.” Patch ‘em up, move ‘em out. The complicated cases got sent to the well-equipped hospital in Tokyo for more work.
You might recall the episode when Major Charles Emerson Winchester III joined the unit (season 6, episode 1). He was a brilliant surgeon from “Bahston,” and had trained at “Hahvahd.” He proudly proclaimed, “I do one thing at a time, I do it VERY well, and then I move on.” This ideal collided with reality his first time doing combat surgery. After many hours in surgery, Hawkey, BJ, and Winchester came out dead tired. But Winchester was defeated. He said he couldn’t possibly keep up. Hawkeye had to point out , “We’re not any better than you. It’s just that by sheer repetition, we’ve gotten fast.”
I take this trip into TV history because I think there are lessons for overwhelmed privacy teams. No matter how talented the professionals handling the influx, most teams simply can’t keep up with the workload. This means triage, and saving the hard cases for later. No doubt, they have a rubric for making such decisions, so that the decisions can be made faster. What are the decision criteria that you use for deciding what to focus on that day, or that week, or that quarter? Do you have decision criteria for how you will make the internal policy decisions that will speed the path forward?
The “meatball surgery” is also another way of saying, “Don’t let the perfect be the enemy of the good.” Done, or partly done, is better than nothing.
In my experience, the attempt to increase the maturity of the privacy program can be in tension with the need to ensure basic compliance. It’s more important that compliant behaviors are in place than all the documentation that goes with a mature program. To be sure, that has to be done eventually, but if you’re triaging, what gets left until later? And who does it?
I am fascinated at how medical operations organize themselves to optimize the time of the specialists, and leave as much as possible to other assistants: technicians, administrative assistants, nurses of various kinds, licensed practitioners, etc. The privacy profession is expanding into a wider variety of roles, so this kind of specialization is already underway. What kind of work is planned where you work, and how will you staff it next year and beyond?
A MASH unit has one advantage over a privacy team. It is likely not conflicted about the high priority of saving lives. But in wartime that will create brutal moral issues. Do you triage based only on medical issues, or does the soldier with 8 children take precedence over one who has none? Where do you prioritize civilians, or enemy combatants?
Perhaps the moral issues are less poignant for privacy pros. But have you ever thought you could live with a status less than fully compliant because you figured the regulators were unlikely to find out, or to scrutinize your org? Do you prioritize based on risk, or values?
Internal auditors and the plaintiff’s bar can hold your org to a different standard than the triage choices your team makes. In the end, thinking carefully about prioritization criteria, documenting them, getting buy-in for those criteria, and applying good judgment is work to get done before the next wave of new work comes in.