Embedding a Compliance Culture

  • November 08, 2018

Ceridwen Lee offers us tips for embedding a culture of compliance within an organisation from a data protection perspective.


The greatest risk for any organisation is the “human factor”. In 2017 the ICO issued 52 monetary fines, of which only 5% could really be said to have been caused by factors outside of the organisation’s control. The other 95% were a direct result of the actions of an organisation’s employees. And, with the breach reporting requirements of the GDPR, it has become even more crucial that staff are both willing to report incidents to their DPO and act in line with organisational policy. Considering all this, embedding a culture of compliance and best practice within an organisation should be a priority for any DPO.

Embedding a compliance culture is primarily an exercise in change management - winning hearts and minds. Unfortunately, the subject of data protection is viewed by most people as “boring” at best, and “red tape” that “gets in the way” of doing their jobs at worst. So how do you promote a culture of compliance when you’re up against those kinds of attitudes? Every DPO has their own tips and tricks. Here are some things I’ve found useful:

Senior Management Buy-In

The attitude of senior management to compliance will ultimately filter down through the organisation. If staff can see that data protection compliance is valued by their boss, they will be more willing to accept changes and take policies seriously. Of course, if an organisation has hired a DPO, its senior management probably already appreciate the importance of compliance. If not, you will have to persuade them of the value of compliance. Once you have their support, they will probably be happy to do things like adding their name to an email chain to give a particular project more “clout”, and attending training sessions alongside staff to lead by example.

Training
In my opinion, the single most valuable tool in your compliance arsenal is training. Good training does more than make staff aware of what data protection is and what’s expected of them. It’s an awareness-raising and engagement tool. I personally favour face-to-face training sessions where possible, and the more interesting, fun and practical you can make them, the better. Training is an opportunity to sell the value of GDPR, to make it personally relevant to staff, and, yes, to explain the consequences when something goes wrong. If you can make your staff understand data protection law and, more than that, see compliance as something other than “boring”, “red tape” and an obstruction in the path of doing their job, they will want to comply. If you can get them on side, you will find people come to you with questions more often, willingly report incidents, and follow policy with far less grumbling. And training, when you have their uninterrupted attention for an hour, is the perfect opportunity to do that.

Audit
In order to ensure compliance, you need to check that your policies and processes work in practice. But an audit has a secondary purpose. The results of your audit not only show good practice but also reveal areas of weakness. People act in a compliant manner for two reasons: because they have bought into what you’re trying to achieve and see the value in it, or because they don’t want to get caught out. An audit is your opportunity to show that there are immediate consequences for getting it wrong.

In summary, the importance of a compliance culture cannot be overstated. It is the backbone of any data protection regime in any organisation. It is also arguably the most difficult of all compliance tasks to achieve. However, with buy-in from senior management, an audit cycle which is communicated to all staff, and a really good training and awareness-raising programme, it is achievable.

Written by Ceridwen Lee

Ceridwen Lee is an Information Governance Professional and Privacy Specialist with over 10 years’ experience in the public and third sector.

Find Ceridwen on LinkedIn.
