Employee engagement

Top 3 data protection program issues and how to start resolving them: #28

Engaging with your employees gives you the opportunity to elevate awareness of data protection, embed responsibilities, and provide them with the skills they need, typically through education and training.

Yet in many companies it’s a tick-box exercise with minimal investment.

Data protection leaders often prioritise funds in technology and documentation exercises.

How you engage with employees is critical and you may also be familiar with the following top 3 issues we encounter.

#1 No cadence, no dancing to your data protection tunes

No matter your taste in music, if you hear a rhythm you may notice your feet tapping, and occasionally we need a beat to get something done.

In employee engagement terms, employees need a cadence of varied activities throughout the year to reinforce your key messages.

In the following film (an old one from 1991) equate ‘brand’ to be your data protection programme of work:

In your employee-facing data protection work, you need to get your ball bouncing and keep it bouncing!

In many companies, engagement activities comprise solitary experiences - the end of year elearning push, or a data protection day event and very little else.

It’s not a question of being an irritation - too much of the same thing may lead to annoyance among employees, so using your imagination with a varied set of activities is critical.

Engagement roadmap: a cadence of varied activities to elevate employee engagement

It's also an opportunity to demonstrate accountability through the evidence you'll generate:

  • Analysis of audiences
  • Audience needs (awareness, education and training)
  • Execution of activities
  • Participation/attendance metrics
  • Engagement metrics
  • Scores supporting the notion of employee understanding (test, exam, quiz answers, etc)

You may even consider establishing a ROEA - no, that's not a spelling error. I don't mean ROPA!

ROEA are Records of Engagement Activities - this is your combined Employee Engagement Plan and the aftermath - updated with the results of the activities.

Records of engagement activities
ROEA (not ROPA!)

#2 Same old, same old

You may think you know what employees need so you impose materials on them.

You may produce the materials yourself or use an external consultancy to provide them.

It could be ways of working/procedures, or educational material.

Employees need to see what's in it for them, in their context.

Imposition may lead to resistance, so employee involvement is essential.

Simply asking employees about current practices or past material may reveal some valuable input, especially when you want to elevate engagement.

As Einstein supposedly said, "Insanity is doing the same thing over and over and expecting different results."

Incidentally, many doubt Einstein actually said that!

The voice of employees
The voice of the employee - engage and listen rather than impose

Recognising the varying needs of employees by conducting training needs analysis will ultimately result in reduced risk and greater levels of sustainability.

Involving employees in understanding and mapping their ways of working involving data protection may take longer than imposing some generic material on them.

By providing some basic data protection education, you can then work with them to develop their own materials.

Contextual education
Empowerment builds trust and breeds ownership

You need employees to take responsibility and take ownership.

That will also reduce the burden and dependency on you as the data protection leader.

#3 Competing for employee attention

Nowadays, employees are subject to endless messaging through multiple channels:

  • Work email
  • Work SMS
  • Intranet
  • Endless meetings
  • Presentations
  • Town halls
  • Informal chats over lunch, etc

And then there are all the messages outside of work that may creep into the workplace.

It's no wonder employees struggle to remember everything, or even have time to absorb all the messages.

In the workplace, you compete for the attention of employees.

You can compete with your peers - they could be from HR, Finance, Internal Comms, the CEO, etc.

Your messages may equate to the zeros on the left in the following overview - they are indistinguishable from all the others.

The need to stand out

You need to get your messages to stand out.

They need to be the 'X' on the right in the diagram.

How do you do that?

You need to use some imagination and a dose of creativity and use this model:

  1. IMPACT - get attention. Your message needs to be unmissable, unavoidable, and different from the rest
  2. COMMUNICATE - your message needs to be clear and understandable
  3. PERSUADE - outline clearly what employees should do (WIIFM)

The 3-step model

Most people focus on step 2.

They put a vast amount of effort into crafting the message, but in many cases, if employees don't see it because it's mixed in with all the other messages, or it just looks the same as the others, it can be the biggest waste of time!

Think about step 1 and put effort into that too.

Re-frame your messaging around data protection.

Here's an example: which "GDPR brochure" is most likely to get employee attention if you left a pile of them in the company reception, or in the kitchen spaces in your workplace?

Framing data protection with employee interests

At Purpose and Means, we do things differently.

The data protection experience for employees and management is what we focus on.

We build passion and interest in data protection through highly visual, creative approaches.

Data protection is complex, and bringing it alive and making it actionable from top to bottom requires an approach your average copy/paste consultancy doesn’t provide.

Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
May 9, 2023

