Governance, Risk Management, and Compliance blog

GDPR: Make It Easy to Do It Right

Tuesday, 21 November 2017 / by Jakob Holm Hansen

The EU Data Protection Regulation states that you must train your employees in handling - and securing - personal data. However, it says nothing about how you should train them.

"That part is open to interpretation, so you have to get creative," says Lone Forland, our product specialist who also works with information security campaigns.

Information security campaigns - or awareness campaigns - are a way for organisations to implement their information security policy through education and tips for compliance.

Why Before How When Implementing Change

Lone Forland's first piece of advice for creating awareness about something as comprehensive and important as the upcoming GDPR is to explain why the GDPR has such stringent rules when it comes to the processing of personal data.

"Humans are hardwired in such a way that if we understand why we need to do something differently, we're more likely to actually do it. It's about wanting to, and understanding why we should create change," says Lone Forland and emphasizes that there are valid reasons behind the new Data Protection Regulation, so getting employees to understand the initiative shouldn't be too hard.

Information Security Should Be Simple

Secondly - and Lone Forland is especially passionate about this one - you should make it simple and easy to do the right thing. Most people don't actually want to compromise an organisation's safety, but if the correct procedure is long and complicated, people often end up doing the wrong thing.

There are, for example, organisations that require all paper containing personal data to be shredded once it is no longer in use. However, employees often don't shred it because there's only one shredder in the entire building, and it's on another floor. Consequently, documents containing sensitive data often end up lying in desk drawers or cabinets where they're not protected.

"Instead of banging your head against the wall, perhaps it might be worth investing in a few more paper shredders? And maybe even placing them outside the most frequently used meeting rooms? You can achieve a lot by making information security easier for your employees."

Security Should Be Fun

One of the best information security awareness campaigns Lone Forland has seen was one in which an organisation combined a series of initiatives in a coordinated effort.

The organisation started the campaign by placing little locks with question marks on each employee's desk. This got the employees curious and talking to each other. Afterwards, an email was sent out explaining the campaign. The director then held a short meeting explaining the background for the campaign. Lastly, they hosted a short quiz in which different departments competed against each other to win a symbolic prize.

"They reached a lot of people in the campaign because it involved so many different efforts," explains Lone Forland. "Everyone is different, so what actually has the greatest effect will differ from person to person. The best advice is to be creative, involve the management, and make it just a little bit fun so that information security doesn't become a boring chore."

4 Tips to Create GDPR Awareness

  1. Get the management's support. Something close to magic happens when messages come from the director and not the IT department.
  2. Use a combination of different methods to create awareness - for example little gimmicks, posters, emails, meetings, and educational quizzes.
  3. Play up the element of competition. Most people enjoy setting a good example, especially when competing against their colleagues.
  4. Get professional communication skills. It pays off to communicate in a language that your employees understand. It could involve text, video, or graphics, and it doesn't have to be expensive.

Information Security Awareness Training

With our GDPR compliance tool, you can easily and efficiently train your employees in information security. Use educational quizzes and videos to reach all your employees in your awareness campaigns. Read more about our Quiz Module here.

Topics: eu general data protection regulation, GDPR, awareness
