If you take a look at the 10 steps that the Dutch Data Protection Authority has drawn up to help organisations prepare for the GDPR, creating awareness is the number one step. This is understandable, because it is crucial to create awareness among employees if you, as an organisation, want to get a grip on the subject – and not only what this subject encompasses, but also what it means for your organisation. In this blog post, I will explain how you can tackle such an “awareness campaign”!
Now, over a year after May 25, 2018, you can see that many organisations are still struggling to keep the subject of privacy alive within the organisation. In my opinion, this has two main causes:
1. It is difficult to define exactly what privacy means. This is partly because everyone has a different opinion of what it means: one person might have 'nothing to hide', another might have difficulty accepting how data-hungry some organisations are. This also means that employees within an organisation view the subject differently, and this probably translates back to how they deal with privacy-sensitive information within the organisation. From the importance of locking the computer when the workplace is unmanned, to performing a DPIA on a risky process, there will always be employees who think this is just a “hassle”. Therefore, the challenge is to create awareness in a way that appeals to every employee.
2. The organisation does not take sufficiently into account that data protection –just like any other part of the organisation – must be part of the business operations. The organisation underestimates the impact of the implementation of the GDPR and what it requires of the entire organisation. In the run-up to May 25th 2018, the implementation of the GDPR was often seen as something that had to be done quickly, so a few employees were made available for it. After May 25th, it had really only just started, because now organisations are faced with the challenge of being permanently privacy compliant, and this requires the time and effort of just about every employee within the organisation.
So, how do you make sure that you handle this – creating lasting awareness – thoroughly? The Dutch Data Protection Authority provides an important starting point: informing the relevant people in the organisation of the new privacy rules. This was, of course, written in the run-up to May 25th, but that does not alter the fact that this is very important. Certainly, it would be a good idea to have another look now, a year later, to see whether the current working methods meet the needs of the organisation. This not only applies to the organisations that have not yet really invested in privacy, but also for those who have. Has the current method yielded the desired result?
Create feelers within the organisation. For example, set up Privacy Champions or Single Points of Contact, so that a solid foundation is created. This foundation works best when there is a mixed composition of the privacy team. Ensure that “business people” from all departments of the organisation are involved – after all, they are the people who know what the practice looks like. Involve Legal Affairs insofar as the organisation employs lawyers, and also ensure the involvement of the communications department, because they know what the tone of voice is when it comes to communication with customers, as well as with employees. Additionally, make sure the management is committed. If the organisation’s management sees privacy mainly as a cost, it will be a difficult project. In contrast, management that has an intrinsic motivation get privacy in order works very well. It helps the business set up truly privacy-friendly solutions. For the Data Protection Officer – or the person responsible for privacy – this is a welcomed side-effect, because lack of capacity and commitment is a major cause of struggle in remaining compliant with the GDPR.
Hinging this responsibility on a sole person is also an undesirable choice. For one, it puts a lot of pressure on that one person. Additionally, it does not achieve the level of awareness that the Data Protection Authority is talking about. It is also important to estimate how much time and effort the privacy team will take to get privacy embedded within the organisation – so make sure that those people are free to carry out the task properly. If this does not happen, you will see that the awareness will decline quickly.
So, that's settled. The GDPR project team is secured, and a certain level of awareness has been reached. Now for the other challenge: How do you ensure that all the people in the organisation, including the project team, are aware of what privacy means and what the GDPR entails?
It is important to first establish the organisation’s vision; what do you want the employees to carry with them? How important does the organisation consider the subject to be? What can employees expect from the organisation? And what does the organisation expect from the employees? As mentioned before, assume that employees – from a personal perspective – view the subject of 'privacy' differently. Choose a way of communicating that appeals to the employee. It often works well to illustrate this with a certain situation that is important to the organisation – such as dealing carefully with fraud-sensitive information from customers – in such a way that the importance of it is understood from the employee's own perspective. If, for example, it concerns the copies of a passport, the importance of careful handling can be emphasized. In this way, you can show the employee what the consequences are – also for him or her personally – if this information is misused, for example in the case of identity theft.
In addition, it is important to think carefully about the medium that is used, or better still, which different media are used. A good starting point could be an e-mail from the management in which attention is drawn to the subject. Unfortunately, continuing to communicate by e-mail often does not lead to the desired result, because, after all, we already have so much to read. A poster with some highlights of the GDPR is therefore a good idea. Perhaps the organisation has screens throughout the building on which a fun digital signage about privacy can be shown? Or do you have a “clean your mailbox afternoon” in which employees are given the time to clean up their mailboxes properly? There are many other fun, yet informative, ways to increase awareness among employees.
And don't forget to record the efforts made to raise awareness in a plan of action in the meantime! Demonstrable accountability is one of the GDPR's key factors. And now that we are talking about how to demonstrably raise awareness among employees and how much this is a spearhead: e-learning is extremely helpful in this. For example, an e-learning program immediately records whether an employee has followed through with a privacy-related e-learning session. In this way, you can also prove that you are paying attention to the subject. Of course, you can also organize training days or give awareness lessons. These awareness lessons could, for example, be given by the SPOCs of the departments that are part of the privacy team. After all, they are the first points of contact in the organisation when it comes to privacy-related matters within their department, and they are also the ones who can best translate the subject into what is going on within the department.
In conclusion, the crux is the repetition! Privacy is something that should be a natural part of the organisation. It is relatively easy to get all privacy policies in order, but in my opinion, the real challenge is to change the behavior of the organisation and its employees. Changing behavior takes time and requires effort and commitment. This is not unfeasible or unrealistic: I have seen that if you involve the right people in this, they are able, through each other and their enthusiasm for the subject, to ensure that the organisation is permanently aware of the importance of privacy – and in this way, the organisation is able to keep a grip on privacy.