Beyond legal #10: The battle for minds - why your data protection training needs an advertising makeover

In this tenth post of my "beyond legal" series, I'm addressing what might be the most overlooked competency in data protection leadership. It’s the ability to change people's behaviour and not just inform them about policies. As a data protection leader, you’re building and refining your governance framework (post #6), integrated with SDLC processes (post #9), and hired that data protection engineer (post #8). But none of it matters if your workforce still logs personal data in plain text, unlawfully deploys tracking pixels, or writes your privacy notices in legalese.

Traditional data protection training is broken.

It’s generic, expensive and treats engagement as an information transfer issue when it's actually a behavioural change challenge. And the evidence is everywhere. Completion rates that look impressive on dashboards, and everyone seems to display certification post-nominals on their LInkedin profiles, yet real-world violations continue.

The root causes are multiple. Generic e-learning modules that people click through whilst checking emails, the same tired PowerPoints that put people to sleep, conference rooms bursting at the seams with people struggling to pay attention, or lazy trainers simply reading from their speaker notes.

I've always believed we need to learn from sectors that excel at capturing attention and driving behaviour change. That's why for years, I've looked to advertising - an industry that's mastered the art of cutting through noise, creating memorable messages, and most importantly, getting people to act.

The attention economy reality
In corporate environments, you need to realise what you're up against. Your carefully crafted data protection training is competing for attention with:

• IT security awareness (e.g. phishing simulations, password policies, social engineering training)

• HR initiatives (e.g. DEI training, performance management, wellness programmes)

• Business updates (e.g. quarterly results, strategy changes, new product launches)

• Operational training (e.g. new tools, process changes, compliance requirements)

• Personal distractions (e.g. social media, family concerns, career development)

Unfortunately, most of your colleagues have already been conditioned to view "compliance training" as something to endure, not engage with. They've learned to hack the system: click through slides, pass the quiz on the second attempt, get the certificate, move on.

The advertising industry solved this exact problem decades ago. They learned that in an attention-saturated environment, you need to be different, memorable, and focused on genuine value exchange. They learned that changing behaviour requires understanding psychology rather just presenting information.

Learning from the masters: what advertising gets right
Dave Trott, one of Britain's most influential advertising strategists for many years, has written many books about creative thinking. On Youtube, you'll find many videos of his lectures and presentations.

He has a great way to illustrate how we compete for attention, and the need to be different. In the image below, the zeros ('0's) represent messages, communications - it could be a training session, a town hall, or just an email. In the 'current' column. which one is your data protection message? And that's the problem, employees struggle to remember because everything looks the same. So you need to ensure that the 'X' is your message, every time.

Your message has got to stand out, be memorable, be unmissable, and you need to make this happen sooner rather than later, otherwise your messages will never be different from the rest.

Dave Trott also developed a simple but powerful engagement model: Impact, Communicate, Persuade. I've been applying this framework to data protection training for years, and I like to think the results speak for themselves in the work I do working with corporate clients.

Impact: Cut through the noise with something unexpected. Advertising creative directors know that if your message looks and feels like everything else, it becomes invisible. The same principle applies to data protection training. If your GDPR awareness session looks identical to every other compliance module, people switch off.

I once worked with a financial services client who replaced their annual "Data Protection Refresher" with something called "The Privacy Escape Room." Teams had to solve real data protection scenarios to unlock each stage. Participation went from reluctant compliance to genuine enthusiasm, and more importantly, after the event, people began to take responsibility themselves rather than simply forwarding anything that was “data protection” to the central team

Communicate: Deliver one clear, memorable message per interaction. Advertisers learned long ago that trying to say everything says nothing. Yet most data protection training tries to cover retention policies, international transfers, consent management, and incident reporting in a single session.

Instead, focus on one key behaviour change. "This week, we're learning about the EU Charter of Fundamental Rights in the context of DPIAs." That's it. Master that topic, then move to the next one.

Persuade: Design for behaviour change, not knowledge transfer. The goal isn't to educate people about GDPR articles so they can master the language of your data protection world. It's to change what they do on Tuesday morning at 0930 when facing a real decision about personal data.

The CREATE method: understanding your audience first
I'm also a big fan of Ilse Crawford's design approach. Ilse Crawford is a British design leader who's transformed everything from luxury hotels to healthcare spaces by starting with deep human understanding rather than assumptions. Inspired by her design approach, I developed my own approach fo data protection called CREATE. Here’s a brief explanation, which I constantly refine and update myself:

Collaborate: Get out of your office and actually talk to the people you're trying to influence. I'm constantly amazed by how many data protection leaders design training programmes without ever having a proper conversation with a front-line developer, customer service rep, or marketing coordinator.

Ask them questions: When do you make decisions about personal data? What stops you from following our procedures? What would actually be helpful versus what we think you need? Where do you see the key risks in your work?

Research: Understand the real barriers to behaviour change in your specific context. Is it lack of knowledge, competing priorities, unclear procedures, or something else? You can't design effective interventions without diagnosing the actual problem, and the root cause of that problem.

One client discovered that their marketing team wasn't ignoring data protection requirements out of defiance. It was a question of they couldn't find the DP review process in their project management tool. The solution wasn't more training about data protection principles. We ended up refining how this was embedded in their operational procedures, and the tool itself.

Explore: This is where creativity becomes essential, especially when budgets are tight. Look beyond your industry for inspiration. How do retailers train staff? How do airlines ensure safety compliance? How do restaurants maintain food hygiene standards? An area where employee behaviour is almost second nature, and it's all around us, is health and safety. Your H&S colleagues worked hard for years to embed their practices into the fabric of your company. How did they do that? Talk to them and get inspired.

I've also borrowed techniques from cooking shows (step-by-step demonstrations), sports coaching (practice scenarios with immediate feedback), and, a personal favourite, children's television (repetition, visual cues, memorable characters).

Activate: Start small and test different approaches. Just like advertisers A/B test creative concepts, you should pilot different training formats with specific teams before rolling out company-wide.

Transform: Create systems that reinforce new behaviours beyond the initial training moment. This might include peer networks, visual reminders in workflows, or integration into existing performance management processes.

Evolve: Continuously adapt based on what actually works, not what you think should work.

SFIA competencies you need (or need access to)
As with previous posts, I want to anchor this in measurable competencies and I’m still using the SFIA skills framework. The skills required for effective employee engagement certainly go well beyond traditional legal or compliance expertise:

Learning design and development (TMCR): Adult learning principles, instructional design, and understanding how people actually absorb and retain new behaviours. This isn't about presenting information, it's all about facilitating genuine behaviour change.

Organisational change management (CIPM) and Organisational change enablement (OCEN): Psychology of behaviour change, resistance management, and understanding how new practices become embedded in organisational culture.

User experience analysis (UNAN) : Designing experiences that people actually want to engage with rather than endure. This includes understanding journey mapping, pain points, and motivation triggers.

Also, while not explicitly in SFIA, you also need access to creative and design thinking competencies, as well as communication for message crafting, storytelling, and understanding how to cut through noise in over-communicated environments. You need to compete with every other corporate message for attention and win. Whether that's internal marketing teams, external agencies, or developing these skills yourself.

Low-budget, high-impact approaches
The good thing about applying advertising principles to employee engagement is that creativity often trumps budget. Some of my most successful interventions have cost virtually nothing, here are a few examples:

• Storytelling over bullet points: Replace policy documents with case studies that people can relate to. "Sarah in marketing faced this exact dilemma last week..." is more engaging than "Article 6 requires lawful basis for processing."

• Visual thinking: Create simple infographics, decision trees, or hand-drawn sketches that people can reference quickly. A well-designed one-page visual guide has more impact than a 50-page policy document.

• Peer-to-peer learning: Identify natural champions in each department and train them to cascade learning to their colleagues. People trust their immediate peers more than corporate communications.

• Integration over interruption: Embed data protection considerations into existing meetings, tools, and processes rather than creating separate training events that compete for calendar space.

• Gamification: This doesn't mean building expensive apps. Simple competitions, progress tracking, or team challenges can drive engagement without significant investment.

Measure what matters
Many companies get this spectacularly wrong. They measure training success by completion rates, quiz scores, and certificate distribution. These metrics tell you nothing about whether behaviour has actually changed.

Advertisers measure brand recall, purchase intent, and actual sales conversion. Similarly, you should look to measure:

• Incident reduction: Are people making fewer data protection-related mistakes?

• Process adoption: Are new procedures actually being followed?

• Quality improvement: Are privacy notices getting better? Are DPIAs more thorough?

• Proactive behaviour: Are people asking data protection-related questions before problems occur?

• Peer influence: Are champions spreading good practices without prompting?

Finally, remember that employee engagement is ultimately about narrative. People don't change behaviour for abstract compliance reasons. Change occurs when they understand how it connects to something they care about. This is an area I love. Changing legally-oriented statements to narratives that people embrace and can relate to.

The advertising industry learned long ago that people buy emotionally and justify rationally. The same principle applies to data protection training. People need to feel why data protection matters before they'll consistently act on what they've learned.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.