The EU Data Protection Regulation states that you must train your employees in handling - and securing - personal data. However, it doesn't say anything about how that training should be carried out.
"That part is open to interpretation, so you have to get creative," says Lone Forland, our product specialist who also works with information security campaigns.
Information security campaigns - or awareness campaigns - are a way for organisations to implement their information security policy through education and tips for compliance.
Lone Forland's first piece of advice for creating awareness about something as comprehensive and important as the upcoming GDPR is to explain why the GDPR has such stringent rules when it comes to the processing of personal data.
"Humans are hardwired in such a way that if we understand why we need to do something differently, we're more likely to actually do it. It's about wanting to, and understanding why we should create change," says Lone Forland, and emphasises that there are valid reasons behind the new Data Protection Regulation, so getting employees to understand the initiative shouldn't be too hard.
Secondly - and Lone Forland is especially passionate about this one - you should make it simple and easy to do the right thing. Most people don't actually want to compromise an organisation's safety, but if the correct procedure is long and complicated, people often end up doing the wrong thing.
There are, for example, organisations that demand that all paper documents containing personal data be shredded when they're no longer in use. However, employees often don't shred them because there's only one shredder in the entire building, and it's on another floor. Consequently, documents containing sensitive data often end up lying in desk drawers or cabinets where they're not protected.
"Instead of banging your head against the wall, perhaps it might be worth investing in a few more paper shredders? And maybe even placing them outside the most frequently used meeting rooms? You can achieve a lot by making information security easier for your employees."
One of the best information security awareness campaigns Lone Forland has seen was where an organisation combined a series of initiatives in a coordinated effort.
The organisation started the campaign by placing little locks with question marks on each employee's desk. This got the employees curious and talking to each other. Afterwards, an email was sent out explaining the campaign. The director then held a short meeting explaining the background for the campaign. Lastly, they hosted a short quiz where different departments competed against each other to win a symbolic prize.
"They reached a lot of people in the campaign because it involved so many different efforts," explains Lone Forland. "Everyone is different, so it will differ from person to person, what actually has the greatest effect. The best advice is to be creative, involve the management, and make it just a little bit fun so that information security doesn't become a boring chore."