GDPR: How to get your team on board
Data protection and information security should lie within all employees’ areas of responsibility.
With the new legislation coming into force shortly, you need to ensure there is a company-wide understanding of the key principles of the GDPR. Crucially, each person in your team needs to understand their role in ensuring data is processed fairly, securely and lawfully.
Whether you work in a large organisation and need to get your department on board, or are part of a smaller business and need to educate all staff members, we’ve put together some ideas to help you engage and educate your colleagues.
- Place internal importance on the legislation (and be positive about it)
Strong data protection processes should already be embedded into your organisation’s DNA – but if they’re not yet, the GDPR provides you with the chance to review and improve your approach.
Whoever is the ‘face’ of GDPR in your organisation, encourage them to promote the new legislation as an opportunity, not a looming storm cloud. If the GDPR is talked about as a chore, it’s unlikely to be perceived positively by your team members. Their enthusiasm for tasks such as data audits (more on that later) may be subsequently limited.
It’s also important that your organisation’s leadership team have a strong understanding of the GDPR and that they reinforce preparation for the legislation as a business priority.
- Add GDPR to meeting agendas
Depending on the size of your organisation and your role within it, ensure that GDPR is added to all relevant meeting agendas wherever possible – whether that’s a board meeting or your regular departmental catch-up.
The importance of data protection should not dim after the 25th May.
Your organisation should consider scheduling an annual review of your data processing responsibilities and information security. Meanwhile, it may be sensible for you to continue weaving data protection into regular team meetings throughout the year, to maintain focus and accountability within your company.
- Undertake a data audit
A data audit (also sometimes called a data mapping exercise) is a great first step in your GDPR preparation.
Ask your team members to record what personal data they store, where they store it, the purpose of the retention and the legal basis for processing it.
A simple Excel template should be suitable. You should then use the findings of this data audit to identify where there are gaps or challenges in your current processes, and make an action plan to solve these ahead of the GDPR.
This exercise can also highlight to your team how much personal data they’re holding and reinforce that they are responsible for this information. This again strengthens the importance of fair and lawful data handling processes and security measures.
- Review your employees’ contracts and job descriptions
The GDPR could provide you with an opportunity to review team members’ job descriptions to ensure that data protection is added to their day-to-day duties. You might also choose to update employee contracts with similar clauses.
This is another way to reaffirm each team member’s role in preparing for the GDPR. When you issue the new job descriptions and/or contracts, make sure employees really understand what you’re asking of them before they sign, and use this exchange to assess their awareness and knowledge of the new legislation.
- Communicate regularly with your team members
We’ve already talked about adding the GDPR to your meeting agendas, but you could explore other methods to engage and educate your team.
Perhaps you could have a GDPR knowledge-sharing session, where employees from all departments can drop in to find out more from your GDPR steering group, legal team or Data Protection Officer and ask questions in a relaxed and informal setting.
How about developing some simple e-learning (and perhaps throwing in a competitive element), such as a team quiz on the new legislation? You could even create posters around your office space, reminding staff of key messages around information security and responsible data processing.
Remember too to share the wider actions of your organisation with your team. Ensure employees have confidence that your organisation will be fully prepared for the legislation, and encourage cross-departmental updates in preparation.
- Avoid scaremongering
There is no doubt the sanctions and fines laid out by the ICO are alarming, but try not to make these the focus of your communications.
It is essential that everyone understands the gravity of the situation should you be audited or found not to be compliant, but focusing on penalties may lead to fear and negativity.
Instead, focus on the opportunity the GDPR provides to improve the way you collect, store and use personal data, to enhance your reputation and to potentially offer you a competitive advantage over organisations less prepared.