Sustaining a culture of compliance beyond the GDPR kick‑off date through employee engagement

By Paul Griffin

The General Data Protection Regulation (GDPR), which becomes enforceable across the EU at the end of this week on May 25th, is the most significant change to European data protection rules in a generation. At its most basic level, the regulation requires companies to know what personal data they hold, why they hold it, who has access to it and where it resides.

Any company that processes the personal data of individuals in the EU must comply, whether or not the company itself is based in Europe, and irrespective of its size or sector.

The potential impact of getting this game-changing regulation wrong is immense. For the most serious infringements, the maximum penalty is €20 million or 4 per cent of global annual turnover, whichever is greater. Beyond the fine itself, non-compliance can do lasting damage to a company's reputation, whether through the fallout of a significant data breach or through a loss of customer confidence.

The regulation also gives people greater control over how companies use their data. Individuals can request a copy of the personal data a company holds about them, and, in the circumstances the regulation sets out, can require the company to erase it from its systems. This signals a dramatic shift towards data transparency and towards customer control over personal data.

Additionally, in the event of a personal data breach that is likely to put individuals at risk, a company must now notify the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the individuals affected, the company must also inform them without undue delay. The GDPR therefore extends beyond systems and IT security; it demands a cultural shift for many organisations, one that everyone needs to get behind.

Empowering employees to take data handling seriously 

Avoiding damaging fines and penalties depends on companies maintaining robust, mature data governance and improving how they manage data across its whole lifecycle. Becoming compliant in this way mitigates both reputational and financial risk.

In the lead-up to this milestone, companies have been working out how to communicate a regulation that is widely seen as complex in the simplest possible terms, so that employees understand their role in handling personal data and customer information, and the severity of getting it wrong.

The primary challenge in communicating such an elaborate regulation internally has been striking a balance: giving employees genuine ownership of their part in it, while still ensuring that compliance is practised fully and consistently.

Information is key to ensuring that all employees know their role in meeting the GDPR requirements. Developing compelling messaging and a clear narrative on the GDPR and why it matters to the business is crucial, as is directly engaging employee representative bodies and individual employees on the GDPR principles and rules. It is also important to encourage employees to engage openly with management and with each other on the GDPR, and to stress the urgency of reacting appropriately in the event of a potential breach.

A culture of compliance and advocacy

Embedding this culture of compliance involves a long-term strategic approach that will extend beyond this week’s GDPR deadline. You can help to generate buy-in, energy and enthusiasm for best practice across the business by identifying key milestones and celebrating successes.

Preparation and purpose are key to embedding behaviours. Be clear about your goal and the point of your campaign when communicating internally. Some steps to help employees buy in to this new culture include:

  • Understand your audience's expectations, and adapt your message to their needs. You may want to tailor your messaging to the department you are speaking to, e.g. sales versus IT.
  • Build alignment and rapport. Ensure you are on the same wavelength as the people you are communicating with. Invest time in getting to know your audience, make them feel involved, and organise interactive workshops.
  • Build trust. Employees will respond to someone they trust and, most importantly, someone who understands them. Look at how the GDPR fits into their agenda and how they operate. Then find something that makes sense for them to agree to, or that they can feel personally engaged in and passionate about. This may be something that benefits the organisation or makes them look good personally.

It is easy to view new legislation such as the GDPR as another corporate chore. Treated instead as an opportunity to empower employees and to bolster the company's reputation as a leader in data protection, it can become a key differentiator for both internal and external communications strategies.
