21/10/2025

Anyone working within regulation or compliance will be all too familiar with the challenge of engaging employees with a seemingly endless stream of policies and procedures – all designed to protect but often seen as a blocker.  Data protection in particular is often (incorrectly) viewed as a bar to innovation, or a tick box exercise, and convincing people otherwise can be difficult.

Why engage employees?

Employees are having to comply with data protection legislation whenever they access or use personal data on behalf of their employers.  Often they will do this without giving the legislation a second thought – which is how it should be.  Whilst, as a data protection lawyer, I would be entirely on board with considering whether you have a lawful basis every time you send an email, in reality, that just isn’t practical!

Organisations need to therefore design policies and procedures to ensure compliance, whilst also allowing day to day work to be carried out.  An example of this might be considering all the possible ways in which employees are likely to use personal data in the course of their day to day business, and making sure that a lawful basis for each purpose has been identified and noted.  An individual employee does not need to know that this has been done, but it does mean that they don’t need to think before sending that email.

There will inevitably be situations where an employee needs to use personal data in a way that hasn’t been envisaged.  A request for disclosure of records by the police, for example, or a request to share information about attendees at a conference with a supplier.  Both of these can be legitimate uses of personal data, but they may require some additional thought before the use or disclosure is lawful.  You may have an excellent policy that sets out when personal data uses are permitted, and when they should be referred to the information governance team, but unless employees engage with that policy and understand it, mistakes can be made.

So the answer to the question of “why engage employees” is because if you don’t, they could make a mistake that costs you time and resources to put right.

How to engage employees

This is less simple to answer, and will depend a lot on the existing culture of your organisation, the sector you work in and the consequences of getting this wrong. In a small grant giving charity, which holds very limited personal data, the risks, and therefore the need for extensive policies and procedures, will be low.  A much larger organisation that deals with sensitive personal data and carries out a lot of direct marketing to individuals has a much higher risk of complaints and/or fines, and therefore will need more assurances around employees' understanding of what they can do, and when to seek advice.

Have the policies in place

The starting point is (or could be) making sure that you have the right policies and procedures in place.  This will help you understand what it is you want employees to do on a day to day basis, and where the risks are. 

Training

Training is a key element of engaging employees, and protecting the organisation by making expectations clear.  Effective training can bring the risks to life and explain to individuals why they are having to do what you are asking.

Training also protects the organisation if you can show that adequate training has been given, and mistakes are still made – the human factor can’t be ruled out, but you will have taken steps to mitigate that.

Test

Testing compliance – much like many organisations do with cyber security – is another way of mitigating risks, and potentially engaging employees.  Whether this is through requiring policies to be signed to say they have been read, testing knowledge from training or spot checks – all of these can be valuable tools.

Culture

This is perhaps the most difficult area to give practical advice on, but senior leadership buy-in can help promote a culture where compliance is seen as something important to maintain, rather than an afterthought.

Tips and hints

I recently facilitated a workshop on this very topic at PDP’s 25th Annual Data Protection Conference, and as part of that, I asked the audience to give some tips and tricks for engaging employees that have worked in their organisations, as well as providing some interesting/unusual suggestions from around the web.  Below are a selection of my favourites:

  • Using photographs of dogs on the compliance newsletter to increase the chances of the email being opened.  (This would definitely work on me!)
  • Having an FAQs document to cover some of the recurring questions – especially those that employees might feel embarrassed about asking 
  • Having a link to the FAQs page in your email signature
  • Having a privacy notice book club – meeting once a month to read and discuss privacy notices
  • Inviting employees to a quiz on data protection at 4:30 pm on a Friday (prizes optional, but suggested!)
  • Producing short videos explaining key procedures for those who prefer visual learning over reading
  • Not allowing an employee to click to confirm that they have read a policy without passing a short multiple choice quiz first
  • Using pop ups to notify employees of important developments, and not allowing these to be removed without clicking on the link
  • Sharing wins and near misses to encourage people to come forward

Conclusions

Having worked in the information law space for more years than I care to count, I have seen first hand how difficult it can be to get people to understand why data protection is important.  Sometimes it takes something to go horribly wrong before people understand the reasons behind policies and procedures that can be seen as obstructive and unnecessary.  Hopefully some of the above tips will help you avoid the catastrophe – or at least mitigate its impact – and get more employees to engage with their information governance teams.

If you have any questions (or want to share your own tips and hints) please contact Vicki Bowles, head of Information Law and Privacy at Bevan Brittan.
