101 Ways to Engage Your Colleagues in Data Protection

Embedding data protection best practice in the workplace culture isn’t easy.

We’ve therefore put together 101 ways to engage your workforce in data protection. It’ll help them remember key information, such as how to spot and report a breach.

We’ve sorted our tips into sections:

• Remote working
• Office working
• Internal communication
• Training
• Engaging senior stakeholders
• Engaging middle management
• Engaging junior team members
• Liven things up
• Onboarding
• External communication

Remote working

1. Host an online quiz: Put a meeting in for 4:30 pm on a Friday and host a trivia quiz with the odd compliance-related news story thrown in.
2. Share the news: Make a concerted effort to share any relevant news stories with your entire workforce.
3. Share the story, protect the person: Contained an incident last week? Share the story with your colleagues, without naming names.
4. Celebrate your wins: If you’re working with an individual or a team that might see data protection as a blocker, encourage proactive individuals to spread the news about embedding compliance and celebrate those successes.
5. Train remote workers: Provide staff with a short training course on specific data protection requirements involved in remote working, e.g. avoiding use of public Wi-Fi, using screen protectors, etc.
6. Perform phishing exercises: After training staff on security, arrange for dummy phishing emails to be sent to staff to see if staff report them to IT Security.
7. Conduct self-assessments: We all know good habits can slip over time. Send out questionnaires asking staff to review their workspace and assure themselves that they are still working securely.
8. Hold virtual coffee breaks: Host regular, informal meetings where data privacy topics are discussed over a virtual coffee, for example a virtual book club focused on reading and discussing privacy policies and their implications.
9. Send data protection ‘escape’ emails: These should include a hidden privacy tip or fact that employees need to find and respond to.
10. Set up an advocate programme: Encourage employees to become privacy advocates within their teams, providing them with special training and recognition.
11. Create data protection challenges: These monthly challenges should have specific privacy goals, such as cleaning up data or updating permissions – and make sure you reward the winners.
12. Send privacy policy refreshers: Email bite-sized, easy-to-understand refreshers on different sections of the privacy policy throughout the year.

Office working

13. Put posters where people least expect them. Awareness posters get ignored eventually. Shake things up by moving them around the office once a month, preferably in unusual places. How about business-card-sized posters left on desks?
14. Hold a monthly group circle: Gather your colleagues for a rundown of the latest news or team updates.
15. Walk around to spot issues: Let staff know you’ll regularly tour the office on the lookout for data protection issues.
16. Install an honesty box: Ensure you’re always in the know by letting colleagues anonymously alert you to issues.
17. Conduct surprise data drills: Unannounced drills will test how employees protect sensitive information in real-life scenarios.
18. Hold a data protection challenge month: Have a month dedicated to data protection challenges, where employees can engage in privacy-related tasks and receive rewards.
19. Create a data protection escape room: Install a physical or virtual escape room centred around solving data protection puzzles.
20. Use data protection awareness screensavers: These screensavers on office computers can display privacy reminders and tips.

Internal communication

21. Make yourself famous: Become a compliance influencer – be the spokesperson for your organisation and make sure everyone knows you.
22. Share your strategy: Auditing your suppliers this month? Engage your workforce in your data protection strategies so they know ‘what you do all day’.
23. Put on a show: Your role may be seen as boring to colleagues – try to make any communication upbeat or comical to keep their attention.
24. Hold a ‘lunch and learn’: Book a meeting room and put together an engaging talk on the key points of privacy. Throw in some free sandwiches and activities from our ‘Liven things up’ section below.
25. Learn your organisation’s risk language and use it: Data protection law is risk-based. If you can articulate the risks in your organisation’s own language, your message will be more accessible.
26. Use internal systems: Intranets or similar internal systems are a great way of communicating with engaged staff members.
27. Be a salesperson: Adopt the mindset that your job is to sell data protection as an essential factor in everything your organisation does.
28. Befriend HR: Foster a positive relationship with members of the HR team to encourage honest and positive communication when issues arise.
29. Attend other teams’ meetings: Encourage other business areas to invite you to their regular meetings so that you – and they – can get to know each other better. This will help them better understand how data protection can support them and encourage them to come to you at the outset of projects or issues.
30. Establish regular communication, organisation wide: This could be a newsletter, stand-up meeting or bite-sized lunchtime training session covering hot topics. Make sure they’re organisation-wide.
31. Use free resources: Organisations such as the ICO (Information Commissioner’s Office) produce free awareness-raising materials you can use in your business.
32. Explain how it benefits people: Be sure to show how data protection compliance is in the interest of staff, e.g. following best practice also ensures their employee data is protected.
33. Know your rights: Engage staff by informing them of their rights as data subjects, both as employees and as customers of other organisations.
34. Communicate across different channels: You could produce short videos or a short podcast series explaining key privacy points.
35. Launch a ‘Hero of the month’ competition: Highlight an employee each month who has gone above and beyond in protecting data privacy.
36. Have a suggestion box: A digital suggestion box will let employees propose improvements to privacy practices.
37. Use infographics: Design and distribute infographics that simplify complex privacy concepts.
38. Send out quick tips: Communicate weekly privacy tips via email or internal messaging systems.

Training

44. Use company-wide awareness training: Typically completed online, awareness elearning courses are available for most governance topics including data protection. Speak to lots of suppliers before choosing an option that suits your organisation’s culture and brand.
45. Make it role specific: For roles handling sensitive data or someone who has caused an incident, training with role-specific examples would be beneficial:
    • Management: Those in senior roles should have training that encompasses the responsibilities that come with managing a team.
    • Marketing: Marketers communicate with customer and prospect databases and often purchase data – there are specific laws they should be aware of to carry out their role.
    • Sales: As with marketers, salespeople process lots of data on a day-to-day basis and should understand how to do this in compliance with data protection law.
    • IT: IT is likely to be involved in data security and therefore needs training on the relevant legislation to carry out this duty properly.
    • Fulfilment: These staff members usually handle large amounts of personal data when fulfilling orders and should learn how to protect it.
46. Deploy just-in-time training: Develop shorter training solutions that can be provided to staff when they need to perform a certain task.
47. Adapt to different learning styles: Provide training that appeals to a range of different learning styles. This can involve text, videos, interactive exercises or forum boards where staff can share their observations.
48. Provide pathways to career development: If you have staff who will be taking on data protection responsibilities in their departments, e.g. data protection champions, consider funding certification courses for them as an extra incentive for these employees to work closely with you.
49. Role-play scenarios: Use role-play to simulate data privacy scenarios so employees can explore different viewpoints and solutions.
50. Organise privacy policy hackathons: Get employees working together to find potential improvements to privacy policies and processes.
51. Offer peer-to-peer data protection training: Pair employees to teach and learn from each other about data privacy best practices.

Engaging senior stakeholders

47. Crash board meetings: Ensure data protection is regularly on the agenda for stakeholder meetings – don’t wait to be invited.
48. Share relevant news: If a competitor suffers a breach that hits the news, share this with stakeholders to either positively showcase your team or request investment in new projects.
49. Communicate issues and solutions: If you’re facing a challenge, involve stakeholders to ensure you get their backing when you have a solution lined up.
50. Share relevant results: Let stakeholders know when things go right, too.
51. Introduce third parties: Stakeholders can be wary of loosening the purse strings. Introduce them to your essential providers so they can prove their worth.
52. Engage influential people: Do your research on who in senior management is well respected and well known. Engage these people one-on-one where possible so your mission is on their mind.
53. Be knowledgeable: Be a leader in the latest data protection updates so you have the answers when asked.
54. Don’t be afraid to say you don’t know the answer: Data protection can be complicated, and you’re not supposed to know all the answers, all the time. The key is earning trust and always committing to finding the right answer.
55. Empower others: Depending on your role in data protection, it may not be possible for you to make decisions, or you may be acting in an advisory capacity only. This means you will likely find yourself needing to coach others, empowering them to understand the legal concepts and make the risk-based decisions for themselves.
56. Provide risk reports: Show senior stakeholders where the key data protection risks are and what decisions are required from them to manage these risks.
57. Bring in guest speakers: Do you have any connections in the privacy world with a story to tell? People who’ve held senior roles who can share their wisdom? Perhaps even a mate in the ICO? Bring them along to reinforce your message.
58. Devise a data protection dashboard: Create a real-time dashboard showcasing key privacy metrics and share access with senior stakeholders.
59. Hold executive data protection briefings: Offer regular briefings to executives on the state of data privacy in the organisation and the industry.
60. Establish data protection impact awards: These can reward initiatives or actions that have significantly improved data privacy. Be sure to include senior stakeholders in the nomination process.
61. Provide a data privacy scorecard: Show stakeholders the organisation’s privacy performance against industry benchmarks.

Engaging middle management

62. Share strategies and results: Regularly let middle managers know how you’re improving or maintaining data protection standards, including individual team issues.
63. Escalate risks: Competitor been issued a fine? Use it. Share it with the team and let them know how to prevent the same happening to your organisation.
64. Lead by example: Make yourself known as a positive leader to encourage people to share issues with you.
65. Get involved: Invite yourself to be part of crucial internal project teams, such as new product development and procurement, to ensure privacy is considered at the outset of every project.
66. Resist saying ‘no’: Data protection can often be seen as a blocker, particularly to colleagues at an operational level. So, rephrase your advice. Say something like, ‘I wouldn’t advise you do that, but have you thought about X or Y instead?’.
67. Ensure there is senior-level visibility: Have a senior member of staff act as an advocate within the organisation for data privacy. Ensure the rest of the senior leadership team are seen to follow rules.
68. Appoint data protection champions: Appointing individuals around the business to be your eyes and ears can be a great way to work more closely with everyone. Ideally, these will be people who are senior enough that their voices carry clout, while also having the time and resources to take on the role.

Engaging junior team members

69. Know your audience: Consider that junior team members way be younger and factor in current trends accordingly.
70. Be approachable: People need to feel they can be honest with you and approach you with any questions or issues without being lectured or shut down. Ensure you’re seen as an approachable team member if you want to be first in the know when issues arise.
71. Give shout-outs: Offer public praise for engagement from members of the team.
72. Treat others as you’d like to be treated: All of your staff will be the data subjects of hundreds of other organisations. Ask them whether they are treating your organisation’s personal data in the way they would like to see their own data treated.
73. People are not a threat: One of the worst lines that can be used when communicating with staff is to suggest that they and their actions are the biggest threat to data security (we’ve seen it said in companies before). Avoid this attitude – it antagonises staff who are mostly trying to do a good job.
74. Encourage staff to be partners in privacy: Remind staff that data protection is the responsibility of everybody in the organisation and show them where their role fits in. For example, what kind of breaches is a call centre operator most likely to see, and what action should they take?
75. Create cheat sheets: Data protection is just one of many areas of compliance that junior staff have to handle. Do what you can to make it easier, e.g. flow charts for identifying and alerting incidents or data subject requests.
76. Hold data protection awareness days: Host special days focused on awareness, with activities, talks and quizzes.
77. Devise a data protection mentorship scheme: Pair junior team members with more experienced professionals for mentorship.
78. Design awareness postcards: Send out postcards with privacy facts and tips to employees’ homes or email inboxes.
79. Set up Q&A panels: Organise Q&A panels with data protection experts that junior team members can attend to ask questions and learn.

Liven things up

80. Organise a treasure hunt: Leave intentional (falsified) issues around the office and offer prizes for those who spot them.
81. Play the higher or lower game: Pick recent case studies from other organisations that have resulted in fines, explain the scenario to colleagues, and ask them to guess if the fine was higher or lower than the previous one.
82. Hold case study workshops: Review recent cases where organisations have been investigated by a regulator. Ask the group ‘What has gone wrong?’, ‘What can the organisation do to manage the incident?’ and ‘What can be implemented to make a similar incident less likely in the future?’
83. Devise data breach scenarios: Unleash your inner role-playing gamemaster. Give colleagues a role to play in a live data breach scenario. Ask them to discuss and decide on actions as your scenario unfolds, and adapt the situation based on their responses.
84. Play stupid games, win stupid prizes: Do something different by creating a data protection-focused game with silly prizes to win.
85. Memes: Seriously though, adding imagery and privacy takes on memes will liven up the walls of text you occasionally need to share.
86. Create data protection-themed comics: Share comic strips that humorously address data privacy topics.
87. Share a data protection joke of the day: Keep what can be a dry topic light-hearted and engaging.

Onboarding

88. Update the company handbook: Ensure essential data protection information is included in the company handbook.
89. Meet all new recruits: If possible, have a meeting with all new starters within their first two weeks to ensure they know who you are and what you’re responsible for, and so they can learn about data protection from different departments’ perspectives.
90. Employee privacy notice: Draw new starters’ attention to the employee privacy notice, and explain what their rights are and how they can exercise them.
91. Provide induction training: Ensure privacy training is included as part of mandatory induction training for new starters.
92. Develop a data protection onboarding game: Use an interactive game to teach new hires about the organisation’s privacy practices.
93. Create a data protection pledge: Have new employees sign a pledge during their onboarding to emphasise the importance of data protection from day one.
94. Organise a privacy policy scavenger hunt: Create a scavenger hunt for new hires to find and understand key points in the privacy policy.

External communication

95. Understand what’s been promised to customers: What has the organisation shared externally regarding its data protection compliance? Is it still true? Ensure colleagues are aware of what’s been promised to customers to ensure it is upheld.
96. Survey your customers:Ask your customers for feedback on how your organisation engaged with them regarding their personal data. What do they think of your privacy policy? Do they feel their marketing preferences were respected? Do they trust your organisation to securely handle their information? Highlighting responses to your colleagues can help them see you’re not hassling them about compliance for kicks.
97. Draw attention to your privacy notice: Include links to your privacy notice in communications to external parties. Make the notice easily accessible from the homepage of the website.
98. Prepare an incident communications plan: Nobody wants to try to develop comms mid-incident. Consider who will be the spokesperson for the organisation in the event of a major incident. Prepare draft communications that can be used to inform external parties of an incident.
99. Host customer data protection webinars: Educate customers on how their data is being protected.
100. Produce transparency reports: Regularly publish transparency reports detailing how customer data is used and protected.
101. Run data protection awareness campaigns: Show customers how seriously the organisation takes their data privacy.