So, in your company’s efforts to comply with the General Data Protection Regulation, you have updated your privacy policy, and written some new internal procedures around data handling. With all that paperwork done, you must be ready now, right?

Actually, probably not. Though having good written policies and procedures are a crucial step, there’s more work that needs to be done to make this plan a success and ensure GDPR effectiveness. I’m talking about work behind the scenes: inside your company. Let’s look at a few important things you can do internally to strengthen your privacy program.

Internal Communication

Having complete and detailed policies might look good on paper, but they don’t mean a thing unless your staff actually uses them. And your staff can’t use them if they don’t know they exist. An internal communication plan is an important way to spread the message about changes to internal practices, and the existence of new privacy controls. You want to make sure everyone knows these things exist, and that they understand how important they are to the company’s operations.


Once people know about your procedures, you need to follow up with effective training to make sure everyone understands what they need to do, and how to actually do it. Simply asking people to read a policy and comply won’t work, because people will be overloaded with information, and have no idea what is important for them and their work. An effective training plan will incorporate both general information about privacy at large (awareness training), as well as job-specific procedure implementation and best practices. While awareness training can be the same for everyone, more specific policy-related training should be broken down by department or division, based on the kind of work that is done. This ensures that everyone gets the information that is most important for their work.

Think about the different training methods that may be available to you: instructor-led training, off-site sessions, eLearning courses, seminars, one-to-one mentoring, etc. Consider which of these methods might be most effective for your situation, given the size or composition of your company, and the kind of work you do. You may end up using a couple of different methods.

Promote a Positive Privacy Culture

Once your staff has been trained in privacy practices, your job doesn’t end there. People need a reminder that privacy is important and that it always needs to be considered. Keeping the privacy message fresh and on everyone’s minds will help your company as a whole to keep privacy a priority.

You also don’t want privacy in your company to become entirely about compliance. While you do want everyone to comply with your policies and the law in general, good data privacy is about more than that. It’s about treating your customers fairly and ethically, and building trust. Thinking about privacy in this way shifts your motivation for following privacy law: you are no longer following these rules just to comply with a policy, you are doing a service for your customers.

To actually promote this kind of positive culture around privacy, you can get creative and fun, with everything from a bulletin board or posters, to a privacy newsletter, to even a trivia contest or small-scale awareness event.


Though it would be nice to assume that once your staff reads and trains with the new privacy procedures, that they will follow them fully, no questions asked. In reality, we do need to ask questions, and check on everyone’s performance with these sorts of policies. This isn’t to say that people will be actively trying to break the law, but mistakes may be made due to misinformation, incomplete training, or simple miscommunication. Monitoring everyone’s compliance will iron out any issues that come up, and ensure that the procedures are being followed as intended.

This doesn’t mean you have to hire an expensive third-party auditor to look at your processes. You can audit your privacy system internally. An internal audit can take the form of an interview, where the auditor (maybe your privacy officer, or operations manager) develops a set of open-ended questions for employees to answer. You want the questions to be open-ended, so the person being audited can come up with their own answer, and not be lead to a “correct” answer. The results of these audits can inform your ongoing training program, and will quickly identify any areas of the privacy plan that need work.

Luke Henderson is privacy officer at Velsoft Training Materials.