This month we are updating the privacy awareness module for delivery in November, with a particular focus on GDPR just six months away.
By the time it comes into force in May 2018, compliance with the EU General Data Protection Regulation will be a strategic objective for most organizations, thanks to the potential for massive fines and adverse publicity for any who are caught in contravention. Provided they are aware of it, we believe managers will welcome assurance either that everything is on track to make the organization compliant by the deadline, or that GDPR is definitely not applicable to them.
Our job is to make managers aware of GDPR, emphasizing the governance and compliance plus information risk and security management aspects - updating corporate privacy policies for example, and ensuring that suppliers and business partners are on-track as well as the organization itself. If cloud service providers were struggling to meet the compliance deadline, for instance, there would be implications for their customers - another thing for management to consider. A GDPR compliance checklist would therefore be a worthwhile and timely addition to the NoticeBored materials.
The task of achieving GDPR compliance largely falls to IT and compliance specialists. Our awareness objectives for that audience are more tactical in nature, relating to project management, technical challenges and change management. The compliance checklist may help them consider the compliance project status from management's perspective, perhaps re-prioritizing and re-energizing the remaining activities.
For the general worker awareness audience, we plan to tackle the personal angle, addressing rhetorical questions such as "What's all the fuss?", "What's GDPR?" and "What's in it for me?" ... suggesting three awareness posters similar to the one above. We'll be developing those and other ideas into a brief for the graphics team this weekend.
GDPR and privacy are already making appearances in the professional media and will increasingly hit the general news outlets in the run-up to May - albeit mostly as fillers for slow news days. The first major organizations to be fined for GDPR non-compliance will surely be headline fodder, for a few days at least. Our customers' employees will have had the background hopefully to notice privacy-related news and appreciate what's behind the headlines, linking the general media with the corporate awareness programs. There's a broad educational purpose to November's module, in addition to the more direct awareness role.