As we know, The EU’s GDPR (General Data Protection Regulation) comes into force on 28th May 2018, an unprecedented regulatory move which will affect every business to some extent. The UK Information Commissioner Christopher Graham has called GDPR “the biggest shake up for consumers’ data protection rights for three decades” and it has been well reported in the media how unprepared UK firms are for this change.
Organisations should resist viewing GDPR simply as a box-ticking exercise for the regulators and auditors; it is not just about compliance. Instead, it presents an opportunity for businesses to address data protection within their organisation and allows them to re-evaluate and strengthen their overall business model and strategy. GDPR can encourage a dialogue about the importance of data privacy and protection within an organisation, not just at the executive levels, but so that it is viewed as a matter of collective responsibility.
By changing day to day behaviours and driving a cultural change, organisations can proactively manage compliance and reduce the risk of data breaches. There are three steps to achieving this: first you need to raise awareness throughout your organisation, secondly you need to educate the people that process and store personal data and third you need to engage your executive team.
If you want people to change their behaviour, you need to motivate them to want to do so; they need to understand why it is important. It is therefore key to diversify the way you present this message by using highly visible, consistent and engaging communications.
One of our clients is a fast-moving company, with multiple change programmes and different messages being cascaded. In this situation, people can have short attention spans. Success in this environment means motivating people to start changing their behaviour. To do this, we related the importance of protecting personal data back to the organisation’s customer-centric values. We used relatable real-life examples and created an engaging awareness campaign using a multi-media and multi-channel communication approach. As well as putting senior executives in charge of cascading company-wide communications, we created an engaging online employee hub with videos, links to real news stories and examples of how other companies are approaching GDPR. This helped to keep it relevant and generate some discussion on the topic.
Educate your staff
After people understand the importance of changing behaviour, and are willing to do so, the next step is to educate them on how to behave. This change is challenging if they can’t connect data privacy risks to their own roles and private lives. Tailored training to roles or personas and the use of relevant examples is therefore good practice.
To effectively educate your staff, work closely and connect with internal teams – people like HR, L&D and internal communications teams. They understand your staff and can support you in developing training that works for them. Collaborating with them can also prevent them from becoming blockers and feeling bypassed.
With our client mentioned above, we worked closely with the learning and development department to understand how the organisation’s employees prefer to learn. In this case, the majority of the workforce were millennials, who favour working digitally and tend to like learning on the job. Therefore, we opted for a micro learning approach which meant creating short, focused modules on specific topics. The tools used to do this were interactive, multi-media and engaging (e.g. click throughs, video, and quizzes). This blended approach gave us flexibility and ensured we could target specific training ‘mini modules’ to different roles.
Engage your Execs
GDPR readiness is enabled by an effectively engaged executive group. As discussed, the benefits of investing in GDPR go beyond the avoidance of large fines; highlighting these to your senior stakeholders can help you achieve investment in internal and external privacy awareness initiatives.
At one of our clients, we found the most effective approach to gain executive buy-in was to relate the objectives of the programme back to the organisation’s core customer centric values. We used creative and diverse ways to regularly engage and update them – creating short snappy updates via a newsletter, using videos and sharing relevant news articles to generate discussion. By successfully and consistently engaging the senior leadership team, we were able to cascade some of our privacy awareness messages into their regular communications and gain approval for further phases of the programme.
Executive-level buy-in enables a “lead by example” approach and helps to embed the data privacy culture – staff look to leaders within their workplace. Endorsement at an executive level enables sustainable change by making data privacy part of the corporate culture.
With GDPR introducing serious consequences for data-breaches, ensuring organisational awareness of cybersecurity practices is essential. Executives are also at risk and are attractive targets for cybercriminals; the number of attacks at c-suite level has significantly increased. They have the high levels of access within organisations, but are usually too busy (or disengaged) to partake in security training. By working closely with the cybersecurity team, we were able to plan tailored training sessions targeted specifically for the senior leadership team.
Now that you’ve built your data privacy culture, you need to embed it and sustain it
To do this, you will need to:
It is clear that GDPR is not just about technical compliance – it’s also about organisational compliance and the changing the culture of the organisation. By focusing on awareness, education and engagement early and often, you are more likely to create the culture needed to successfully make GDPR part of your business as usual.
Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017 Courses: igacademy.com/courses
By Rob Hoyle, Transformation Lead at North Highland UK.
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017
COUNTY HALL, LONDON