
January 28th, Privacy Day.
Not many celebrated it, but it’s of utmost importance to those of us in the wild west of virtual slip-ups and cybercrime.
Let me paint a scene: In a busy London office, Ruth from accounts has just posted a seemingly innocent photo on LinkedIn. In the background is a Microsoft Whiteboard displaying client names, projects and timelines. Within hours, a competitor has screenshotted it. The damage is already done … yikes.
Ruth’s pulled a howler, and her line manager is deciding just how ruthless to be. Let’s rewind and think about how this could have been avoided with the right support.
As HR, IC and InfoSec professionals, you might’ve heard the statistic that 95 per cent of data breaches involve human error. So you’ve sent out the annual privacy training reminder, updated the policies and appointed the Data Protection Officer (DPO), but there’s an uncomfortable truth. Your people probably want to do the right thing with data, but they’re not sure what that means. Or why it matters. Or what to do if they’re unsure. Or why Ruth from accounts is posting selfies on LinkedIn.
That’s where smart communications can step up to protect your organisation. It’s time to unite HR, IC and InfoSec.
So for Privacy Day, we’re sharing our commandments to turn your privacy compliance into a privacy culture – and why privacy communication matters more than ever.
Foundation fumbles
The basics matter, and privacy communications can’t just be a policy doc gathering dust on the intranet. If your last privacy campaign was “Because GDPR said so,” it’s time to think deeper.
A 47-page Data Protection Policy isn’t communication. It’s a legal safety net, and no one’s reading it. Translate policy into principles by creating pocket guides, visual aids and one-sentence clarifications.
Your policy might say, “Process data in accordance with Article 5(1)(c).” Your communication should say, “Only access the customer data you actually need.” One’s compliance, the other’s culture.
Repeat after me: information alone is NOT communication.
Saying, “If you breach privacy, you’ll be fined millions” creates paralysis – not protection. When people are terrified of mistakes, they stop reporting concerns. They hide small issues, which then become catastrophic problems.
Frame communications around trust and empowerment, not punishment. Show what good privacy practices can do, not just what bad practices prevent. Make it safe to speak up.
GDPR doesn’t inspire anyone. People don’t change their behaviour because of regulations; they change when they can see the human impact.
The data your team handles isn’t “records”. It’s someone’s financial security, their medical history, their identity. Connect every privacy requirement to real people. Ask your employees, “Would you want your data handled this way?” That’s when behaviour changes.
Message mistakes
Getting the words right matters more than you think. Privacy communications that confuse, bore or alienate people are worse than no communication at all.
“Don’t share confidential information” is vague to the point of being useless. What counts as confidential? Which data is personal? What does “share” mean in practice? Get specific.
Use real scenarios from your organisation. Instead of “protect personal data,” try, “Before forwarding that email with customer names and order values to your teammate, ask yourself: does this teammate need this specific information to do their specific job right now?”
“Data subjects retain the right to request rectification pursuant to Article 16 …” eyes … glazing … over …
If your communications aren’t specifically for compliance teams, then translate legal requirements into plain language; write for the people who are actually reading them.
Test your communications with your employees. If they don’t understand it without a glossary, rewrite it. Privacy is too important to hide behind jargon.
“It’s just social media” isn’t true – and never has been. That conference photo has your client’s address hidden in the metadata. That celebratory post reveals an unannounced partnership. And that LinkedIn update with a Microsoft Whiteboard in the background makes your IP visible to competitors.
It’s scary stuff, so show people their actual digital footprint. Make it eye-opening, not preachy. When employees see how far content travels and what metadata reveals, that’s when they start thinking twice before posting.
Delivery disasters
How and when you communicate about privacy can undermine even the best message. Timing, frequency and the channel matter more than you may realise.
Annual privacy training. Privacy Month campaign. Tick, tick … then silence until something goes wrong. Privacy isn’t an event; it’s an ongoing conversation.
Share near-misses, celebrate wins and keep it visible – without overwhelming people. Think of privacy like health and safety, woven into everyday work, not an annual checkbox. Make privacy part of project planning, team meetings and regular touchpoints. Culture isn’t built in a day.
Cyber Safety Days
Global Safety Days are common in high-risk organisations, but Global Cyber Safety Days don’t seem to exist. This feels like a worldwide oversight. Get ahead of the curve and show your people that their privacy and their safety, and that of your communities and clients, are of the utmost importance.
Your privacy requirements can create friction at every turn, e.g. three systems to log into, two forms to fill in and then an approval that takes days. If this is the case, people will find shortcuts. They break the rules “just this once” to get work done.
Good privacy practices shouldn’t feel like punishment. When the answer is “not like that,” immediately show the easy way to do it safely. Make the right thing the easy thing, or people will find another way (behavioural science 101: people always choose the path of least resistance).
Engagement errors
The best privacy communications are conversations, not announcements. Organisations that only broadcast and never listen are missing half the picture.
So you’ve sent the policy update, the training reminder, the privacy tip. You measure open rates and completion rates, but you never hear anything about what people are confused about, struggling with or working around.
Create channels for questions and feedback. When someone asks, “Can I do this?” that’s insight into where your communications aren’t clear.
Listen as much as you broadcast. The questions reveal where you need to improve.
What now?
At scarlettabbott, we help organisations move from privacy compliance to privacy culture. We’ve seen what works, what doesn’t and what makes the difference between messages that get ignored and communications that genuinely change behaviour.
If you’re thinking, “We could do this better”, that’s the first step. And we’d be happy to help you on this journey.
Want to talk about how your privacy communications can actually change behaviour? Get in touch.
Written by Frazer MacRobert, consultant at scarlettabbott