GDPR compliance

5 behavioural change stages to reach perfect GDPR compliance

With 25 May 2018 fast approaching, the pressure to get your GDPR compliance training in place is mounting. But, for once, Google isn’t much help. A simple search for ‘GDPR training’ yields nearly 3 million results in less than a third of a second. Narrowing the search down to ‘GDPR training London’ only halves that number of results, still leaving us with 1.5 million options to wade through. How do you know where to begin?

At least the top five are probably at the top because they’re really popular and therefore trustworthy, right? That’s how Google works, isn’t it?

Your office’s resident tech geek, head in hands, shouts: “No, that is not how Google works!”


Well, let’s start with what you do know. You know you need to support your staff in managing and processing personal data in a way that’s secure, ethical and legal, as outlined by the new GDPR and the 1998 Data Protection Act.

But you don’t just want to support them so you can tick the GDPR compliance box on this year’s to do list. You want to go further than that and ensure your staff actually manage data appropriately and have the behavioural habits in place to do that consistently. So, how can we change behaviour?

The Stages of Change model

At Saffron, we know how to target the intrinsic motivators that generate real behavioural change. We’ve been doing it in practice for years. One of the theories that helps to explain the transformative results a real understanding of behavioural science can bring is the Stages of Change model, otherwise known as the Transtheoretical model.

The model was first developed by Prochaska and DiClemente of the University of Rhode Island to break down the behavioural change patterns of people trying to quit smoking, emphasising its potency. If it can help people kick such a notorious habit, imagine the positive behaviours it can foster. You’re unlikely to have too many employees that are physically addicted to data mismanagement (we hope)!

There are five key stages to the Stages of Change model. Let’s look at how you can help your learners along the way to changing their behaviour at each one.

1) Pre-contemplation

At this stage, a person hasn’t thought about changing their behaviour, at least not seriously. With the hype that’s surrounded the incoming GDPR for the last few months, and the recent scandals, it’s extremely unlikely that your employees have never thought about improving their own data privacy vigilance. It’s reasonably likely though, that many of them have never given it much serious consideration in relation to how they use data at work. You need to start a dialogue in your organisation about good data practice, what it means according to the new regulations, but also what it means to you, your organisation and how you operate.

There are lots of things you can do to get people thinking seriously about changing their data processing habits: there’s the classic poster campaign around your office; you could create and share a short video; or you could change all your employees’ screensavers to a GDPR communication piece one night so that it can’t fail to catch their attention when they come in the next morning. Just make sure it’s personalised to your employees and your organisation.

2) Contemplation

So, our employee has begun to seriously consider changing their behaviour. It’s at this stage that their contemplation begins to develop into resolve via a serious investigation and weighing up of the pros and cons.

An effective way to persuade people to do something is to utilise nudge theory. Positive reinforcement in the form of subtle ‘nudges’ can have a significant impact on people’s decision making. For example, David Cameron’s 2010 government set up a Nudge Unit which amended the wording in tax reminder letters to:

‘Nine out of ten people pay their tax on time. You are currently in the small minority of people who have not paid their taxes on time.’

This yielded a 15% increase in tax payments within 23 days. Just from a simple wording change that capitalised on the social aspect of human nature which causes us to feel a sense of duty to one another.

This can easily be applied to data privacy vigilance. After all, data privacy laws exist to protect the personal data of people just like you, me, your employees and their friends and families. Give this fact centre stage in your communications and training and you’ll activate that innate sense of social responsibility.

3) Determination and preparation

Your employees have committed to changing their data management behaviour… fantastic! At this stage, people make the practical changes that facilitate the actual change in behaviour: they sign up to a gym so they can start exercising, they throw out their cigarettes so they can stop smoking or they take your GDPR training so they can start processing data appropriately.

You need to ensure your staff have everything they need to properly prepare. If employees are going to change their behaviour to manage data securely, ethically and legally, they need to know what that means and how to do it.

One of the most effective ways to do this is to use a framing narrative. We all know the power of a good story to make people care. When we talk to people about our courses from the past, it’s the story that they remember – and the embedded knowledge. Harness that indelible power to improve both your employees’ initial engagement with the training and their recall of it afterwards.

Ideally, you should use a story which simulates relatable modern real-life situations. Things like people signing up to apps and websites for the sake of convenience without a second thought. In a recent data protection course that included GDPR compliance requirements, we created a spookily prophetic narrative in which a fictitious ride-sharing app suffers a data security breach.

This fictitious app, unbeknown to the learner, shared data with a fictional third-party fitness company which used social media apps to track users and provide geo-targeted advertising. When that data surfaces unexpectedly, it memorably provokes learners into realising the very real consequences of poor data management.

4) Action

Your employees have made the decision to change their behaviour, they’ve made the practical changes to facilitate this and they’re processing data safely, ethically and legally. Well done! You’ve got a brief moment to rest and feel pleased with yourself before your learners hit the next stage (probably sooner rather than later).

5) Maintenance

Success! Your employees have changed their behaviour and are applying all of the data privacy best practices you taught them in your training. But how long will they sustain it? The trickiest part of it all is delivering lasting behavioural change. Lots of us get to the stage of going for a run or not smoking for a few days, but then we realise that it’s not enough to just do it once – we have to keep doing it! It’s easy to give up hope at this stage where the thought of sustaining the effort you’re already making indefinitely just seems too much.

That’s when you need to create a routine – a habit. It’s crucial that you support your employees at this stage, ensuring they maintain their new behaviour until they reach the termination stage at which the new behaviour is no longer new; it’s become a habit which the person carries out without significant thought or effort. In other words, it’s automatic.

This means developing a sustained program, not just initial communications and training. Create content to follow up with a few months later, and on a regular subsequent basis. If you used a narrative in your initial training, you can send your employees refresher training units of 5-10 minutes which develop the story. This narrative development means that learners will be reminded of what data privacy best practice is and why it’s worth doing but won’t feel they’re repeating the same material; instead, they’re finding out what happened next and progressing.

There are lots of different ways you can support your staff during the GDPR upheaval, but it’s important to make sure you’re not just doing so in the lead up to GDPR’s enforcement. Safe, ethical and legal data handling only comes from consistent and habitual vigilance and therefore requires regular, continual training and support on all aspects of data privacy, not just the scary new ones. A three-pronged approach of:

  • a communication campaign which opens up a dialogue on data privacy;
  • a formal training course which provides a coherent and consolidated understanding of what best practice is and how to execute it; and
  • follow-up, refresher training content which maintains staff’s interest and commitment to expert data handling

will ensure you catch and spur on employees at every stage of the Stages of Change model.

You can see some of this in action and discover more on how we take on data protection at Saffron here.