The EU’s GDPR (General Data Protection Regulation) takes effect on May 28, 2018. It’s a key regulatory change that will directly affect businesses operating in Europe or serving European citizens. This has major global implications – any company collecting or processing an EU citizen’s personal data will be affected regardless of where it is located. And why’s this important? The maximum fines have been set at 4% of worldwide turnover. It’s no surprise that former U.K. Information Commissioner Christopher Graham has called GDPR “the biggest shake up for consumers’ data protection rights for three decades.”
What exactly is involved in this fundamental shift in data privacy regulation? According to the EU’s GDPR portal, the policy aims to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
Organizations should avoid viewing GDPR as a simple “check the box” exercise for regulators and auditors. Instead, compliance is an opportunity for businesses to address data protection across the organization, re-evaluate their security culture, and strengthen their overall business model and strategy.
By changing day-to-day behaviors and fostering a cultural shift, organizations can proactively manage compliance and reduce the risk of data breaches—a strategic imperative at a time when global cybercrime costs are estimated to double between 2015 and 2021. Global organizations – regardless of whether they fall directly within the GDPR’s scope – can benefit from establishing a culture of security.
Are you ready to get started? There are three steps to building a data privacy culture:
- Drive awareness
- Educate the employees in your organization who process and store personal data
- Engage executive leadership
Drive Awareness
If you want people to change their behavior, you need to motivate them to want to do so; they need to understand why it’s important. It is therefore key to diversify the way you present this message by using highly visible, consistent, and engaging communications.
For example, consider using relatable, real-life examples and creating engaging awareness campaigns with multimedia and multi-channel communications. In our work, we helped a client stand up an engaging online employee hub with videos, links to real news stories, and examples of how other companies are approaching GDPR. This helped to keep the topic relevant and encouraged discussion throughout the organization.
Educate Employees
After your people understand the importance of changing behavior, and are willing to do so, the next step is to educate them on new ways of working. For this shift to be successful, it’s key to help employees connect data privacy risks to their own roles and personal lives. Training tailored to roles or personas and the use of relevant examples are best practices in this effort.
To effectively educate your staff, work closely and connect with internal teams – such as HR, learning and development, and internal communications teams. They understand your staff and can offer additional perspective and support in developing training that works for your employee base.
In the example shared above, we worked closely with the learning and development department to understand employee learning preferences. In this case, many employees were millennials, who seek digital ways of working and on-the-job learning opportunities. With this in mind, we developed a micro-learning approach involving short, focused sessions on specific topics that were interactive, dynamic, and engaging (e.g. click-throughs, videos, and quizzes).
Engage Executive Leadership
Finally, an engaged executive group is key to GDPR readiness. In our experience, we’ve secured executive buy-in by relating the program’s objectives back to the organization’s customer-centric values. We used creative and diverse ways to regularly engage and update them – creating short, snappy updates via a newsletter, using videos, and sharing relevant news articles to generate discussion and garner executive approval to move further with the GDPR program. Knowing that staff look to leaders within their workplace, executive-level buy-in creates a “lead by example” approach that helps to embed and sustain a data privacy culture.
Now that you’ve built your data privacy culture, you need to make it a lasting capability. To do this, you will need to:
- Define clear project owners: determine ownership of training and related data security deliverables once the program ends
- Create periodic campaigns: continue the discussion around data privacy in your organization
- Build privacy awareness into new joiner inductions: sustain a culture of security as new employees join the organization
GDPR is not just about technical compliance – it’s also about organizational compliance and a fundamental change in mindset across employees. By focusing on awareness, education, and engagement early and often, you’ll be well on your way to building a culture where GDPR is second nature. Most importantly, proactive GDPR efforts help to ensure that your organization is resilient in the face of the inevitable cybersecurity threats that lie ahead.