The global privacy legislation landscape is complex and has borne a great deal of risk around how organisations collect, process, handle and store sensitive information. Even during an unprecedented crisis like the COVID-19 pandemic, regulators maintain the authority and resources to enforce data protection laws.

Earlier this year, I contributed to a roundtable discussion on why training and awareness programmes are critical to establishing a strong privacy and compliance culture to support risk management. The implications of the current crisis on the corporate landscape are bringing renewed importance to the topic. Our new normal also begs discussion around how standard best practices should adapt to meet the unique needs of a dispersed workforce, and additional steps organisations should be taking to address the unexpected challenges and risk vectors that have arisen.

Building upon past recommendations, I’ve developed a set of questions leaders should be asking to help nurture and strengthen their organisation’s privacy and compliance culture now and during the impending pandemic recovery.

  • How are people communicating? We can learn a lot from how communications have shifted during remote work and global lockdowns. Employees are juggling the challenge of working in home environments full of distractions, while others who live alone are struggling with isolation and detachment from the things that typically fill their time. Video meetings have become more common, as many people are eager to see their co-workers and feel connected to their teams. Many organisations have encouraged virtual lunches, coffee catch-ups and happy hours to substitute for in-person team-building activities. Internal communications channels have become more active with alerts and updates to ease employee concerns about the many uncertainties we’re all now facing. All of these changes have revealed a lot about how to help employees feel connected, motivated and inspired to commit to the core cultural values. The way an organisation communicates directly impacts engagement with its values. Leaders should examine the improvements in how employees are communicating and engaging and leverage those learnings to become more effective at communicating corporate and cultural priorities.
  • What new risks have emerged? From a risk management perspective, the scale at which personal workspaces and devices are now blending is uncharted territory. Employees may be using unauthorised devices, network connections or applications to get their jobs done from home. Many are likely sharing work devices with family members or storing sensitive information on personal laptops and in personal accounts. These activities, however innocuous they may seem to employees, expose significant privacy, compliance and security risks. Organisations must be aware of these risks and determine how to reinforce policies and operating procedures to mitigate them. In many cases, policies may need to be revised to address unexpected BYOD use, password protections for shared devices, disposal of digital and physical files, etc.—and then be widely and clearly communicated to employees.
  • Is our message relatable and engaging? Though these risks are serious, campaigns that make employees aware of them don’t need to be comparably stern or heavy. People are already burdened with tremendous stress and anxiety. A light and fun approach (like a series of comic strips, or video clips of what can go wrong when a neighbour gets hold of a sensitive document left in the bin, or when children use work laptops without password protection) will be far more effective than a traditional company memo at driving adoption of new policies. Take a page from recent viral videos or Saturday Night Live skits about the pitfalls of working from home, and produce campaigns that communicate the core themes, but in a way that makes people feel better, not worse. It’s equally important to make it easy for people to do the right thing, be that setting strong passwords or checking before they ‘reply all’ to an email attaching a spreadsheet with large volumes of personal data or save a sensitive file to their personal laptop. Keep that in mind when revising policies and expectations around them.
  • Do our employees feel valued? The sudden halt of travel, sporting events, concerts and social gatherings has caused many people to cancel scheduled time off and holidays. Working from home for many people has morphed into working around the clock seven days a week. For employees to feel valued, they need to maintain a reasonable work-life balance and should be encouraged to take personal time even when they are unable to travel. If they don’t, they are less likely to be in the right state of mind to work in a compliant manner, and more likely to take risky shortcuts.

A strong compliance culture reduces the risk of non-compliance and demonstrates to clients and regulators that protecting personal data is a priority. Ultimately, people are what drive culture and values. If employees are made to feel appreciated and engaged, they will respond positively to policy and procedural changes and be willing to continue operating in a compliant manner. Addressing culture proactively, even at a time when teams are dispersed, will mitigate risk and other ripple effects of the COVID-19 pandemic.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.