Make it fun and memorable
Privacy regulation can be confusing, full of jargon and surrounded by misconceptions. But the GDPR is a good thing! The most effective sessions are fun, scenario-based and up to date, and they cover the repercussions of getting it wrong. Think outside the box about activities – you might try card-type games, scavenger hunts or departmental competitions. Bringing in an outside trainer who is well versed in running these sessions can also be a wise move.
Make it relevant and relatable
The more context employees have, the better they will be at correctly determining how data should be dealt with. Focus on what staff really need to know about the GDPR in their day to day work and use that to tailor each session accordingly – you may find it easier and more effective to train each department separately. Boost empathy by reinforcing the point that each line on a spreadsheet is a real person, and carelessness around handling that data has real consequences.
Make it easy to understand
Avoid overly technical language and consider which medium would work best, whether that’s remote classroom training or bite-size videos on demand (although it’s important to give staff opportunities to ask follow-up questions). Encourage small changes such as locking screens, clearing workstations at the end of the day, good password hygiene and minimising the amount of personal data that is used or transferred. Allow extra time for training alongside other responsibilities, and make use of regular reminders as everyone adjusts to a new way of working.
Make it communal
Everyone helps protect personal information. This isn’t just an IT project – marketing, for example, needs to know when they have the legal right to send emails to customers (and when they don’t); HR needs to safeguard personal information about current employees and job applicants; and the product development team must consider privacy requirements right at the start of every product’s lifecycle. Getting senior leaders involved and passionate about this subject will encourage others to follow suit.
Make it frequent and easy to access
Companies with a culture of ongoing privacy compliance train all of their staff regularly, from the onboarding of new employees to annual refresher sessions for long-standing members of the team. Make sure your appointed Data Protection Officer (if you have one) is available to answer questions as they arise, and don’t be afraid to send reminders after an incident (or attempted attack). Staff training is one step towards demonstrating compliance with the GDPR, so if you do have an issue, training records can form part of your evidence that you took reasonable steps to prevent a data breach.
Make it easy to comply
To translate training into everyday practice, you need to break old habits and make it easy to form new ones. It’s human nature to follow the path of least resistance, so consider tools that make it hard to share information accidentally (for example, a warning before an email is sent outside the organisation), and review who has access to what. You may find employees take data security less seriously when working from home. Reiterate the threat of phishing and the importance of installing updates as soon as they become available.
Make it OK to report
It’s important that staff feel comfortable reporting anything they think compromises the privacy or security of customers, clients or employees. Your workforce should know who to report an incident or attempted incident to, and should not fear personal repercussions for doing so. Prompt internal reporting matters because organisations in the UK must notify the Information Commissioner’s Office of a notifiable personal data breach within 72 hours of becoming aware of it, and failing to do so can itself result in a fine.
Make staff feel empowered
Data can be an organisation’s most valuable asset and it’s important staff feel empowered to handle it appropriately. Make privacy compliance familiar – find opportunities to talk about data privacy as much as possible, and monitor and reward good behaviour. Appoint privacy champions for each department and/or office and invite feedback so staff genuinely feel supported and part of the process.
A culture of continuous privacy compliance
At the Privacy Compliance Hub, we make compliance easy for everyone to understand, care about and commit to. We call it a culture of continuous privacy compliance. Our platform, created by two ex-Google lawyers, provides a structured programme to follow, with a suite of engaging, relatable training videos and powerful reporting tools, giving you the confidence you’re keeping your customers, investors and the regulators happy.