Building a Sustainable Data Protection Culture

From the harmless office gists about what services clients need to leaving confidential documents containing clients' personal data open at the reception desk, data protection violations manifest in subtle ways. However, their impact may be very damning. The increasing demand to maintain privacy within organisations requires that more than just the Data Protection Officer (DPO) understands what data protection entails. All employees and departments must be on board. Figuring out how to build a data protection culture, and then sustain it, can be difficult. Not to worry, we are here for you. In this article, we provide practical tips on how you can build a culture of data protection in your organisation. Sit back, grab your popcorn, it's about to get insightful.

  1. Get your policies and procedures in order: You remember that day when HR said no employee should drink water at 12:15pm and the intern asked which company policy states that? Well, the same applies when you need to build a data protection culture. You must have your policies and procedures clearly stating the Dos and Don'ts within the organisation. The culture should first be documented before you start the sermon.
  2. Make the policies accessible to employees: If you are serious about building a culture of data protection, you cannot hoard updates. Employees need to have full access to the policies and procedures. If not, the effectiveness of your policies will be dependent on how well your employees can remember the policies they read during onboarding. That is risky. They don't even remember to bring their laptop chargers on some days.
  3. Make data protection relatable: Employees rarely absorb lengthy policies, but they remember stories and things they can relate to. You can explain data protection concepts using movies and trends. Your Gen Z social media manager is more likely to listen if the discussion is about how "To Kill A Monkey" teaches about data protection, but watch her roll her eyes if you start the conversation with "today we will talk about maintaining confidentiality". That sounds stale, and they would rather have it hot and fresh.
  4. Spread responsibility with privacy champions: See privacy champions as the data protection enforcers across departments. They can help keep other employees in check and ease the burden on the DPO. When an employee is violating a data protection requirement, they do the "chakam", but first to correct. Where the issue needs to be addressed on a larger scale, they can escalate to the DPO.
  5. Introduce a reward system: Sanctions are good to keep employees in check, but it is even better if you can reward employees who comply with data protection requirements. Introduce a reward system that gives incentives to employees when they comply with data protection standards. It can be "monetary", or even a badge of honour.
  6. Train employees regularly: Ideally, you should train employees on data protection at least once every six months. The training should touch on best practices and address privacy trends in your organisation. Beyond the slides, consider making it more fun and gamified. That way, employees don't think they are just attending a training; they are excited to participate.
  7. Engage every department: Ronaldo or Messi may be your GOAT, but you cannot deny the fact that they both need their teams to perform well. Similarly, when it comes to data protection, you cannot leave it to the DPO alone. Every department must understand how it affects them and how they should contribute. For instance, the legal team needs to understand why contracts should contain data protection clauses, HR needs to include data protection in onboarding sessions, IT needs to always remember to implement access management mechanisms when providing digital tools, and even the procurement team needs to know why data protection should be part of third-party due diligence. All of these ensure that you get a good grip on data protection as an organisation.

Conclusion

You cannot build a culture of data protection if only the DPO and a few employees understand what you are trying to achieve. So, carry everyone along like a band. Don't forget "one band, one sound".