2021.09.14

Creative, fun and engaging: expert tips on GDPR training with Thorleif Gotved

If you work in compliance, you won’t need us to tell you that GDPR training can be challenging.  

While those of us in the industry get excited about the positive impact of specific Articles and the long list of benefits of being a compliant business, it’s safe to say that our non-industry colleagues don’t always share the same level of enthusiasm. 

Often, this unmatched interest means that getting people to listen to what we have to say about data protection is no easy feat. For all our good intentions, it’s not uncommon for awareness sessions to produce disengaged or uninterested participants. 

If you’ve been struggling to get the response that your training program deserves, we’re delighted to introduce you to a man shaking up the GDPR awareness scene: Thorleif Gotved.

As a renegade in the industry, Thorleif’s fun and engaging approach offers businesses a fresh and effective way of spreading awareness – and making it stick. 

Here, he discusses why GDPR training needs to be more creative, the pitfalls of traditional awareness campaigns and his reasons for introducing Barbie and Ken to the world of compliance.  

For anyone unfamiliar with your work, could you tell us how you first became interested in GDPR?

“Sure. I think we should start in February 2007 when I made a huge mistake. 

At that time, I was working in communications at a trade union and had to email 8,000 members. I sent the email via Outlook but I could only send 2,000 at a time, so four identical emails were sent. Then, I went to lunch, and when I got back, I realised I’d done something really stupid. I forgot the BCC, which meant that not only did it take ages to scroll down to read the email, but people could also see the other 1,999 recipients. 

Although data laws didn’t exist as they do now (fines were ridiculously small), this was not good – particularly working at a trade union where people aren’t meant to know who else is a member. 

What this mistake made me realise is that when you are working with personal data, you have an obligation and a responsibility to take care of it. Just like when you’re handling money or anything valuable, you should take care of it – especially if it’s somebody else’s, and especially personal data. If somebody steals that data, it’s not like money, you can’t replace it if it has been stolen. It can be stolen once, and then it’s too late. 

I suddenly became interested in the laws around data protection and started to read a lot about it. I started to see it as a human right to respect someone’s data, which to this day remains very important to me.”

How did this initial interest in personal data develop into a career?

“Some years later, I started working for an IT company, and I hired a lawyer to put together courses for our customers on personal data. 

I learnt a lot from these talks, so I began writing articles for the company newsletter about the topic. Whenever I wrote about personal data, I could see it actually interested the people who receive the emails, including members of political parties, unions and NGOs. 

I then moved on to a new job doing something completely different. But I was only there for 14 days before I was sacked. This was in December 2017, half a year before GDPR would become a reality, so I thought, “Why not become an independent consultant?”. I had the knowledge, was really interested in it and guessed there would be a demand. 

I went on to LinkedIn and wrote a post saying, “This was not the plan. But hey, it’s not that bad because now I have the opportunity to become a freelance GDPR consultant”.

After publishing that post, 15-20 people contacted me asking me for help and around half became my first customers. Today, I use LinkedIn a lot and sometimes receive thousands of likes, but I never received as much business interest as I did from that first announcement.”

In your LinkedIn bio, you mention that “you convey the topic of GDPR in a way people (probably) have not experienced before”. Can you discuss your approach and why you think a new way of teaching GDPR is necessary?

“So most people working in GDPR have studied law or GDPR. They’re great, great people. I love them and have learned a lot from them. 

However, when you go to law school, in Denmark at least, you’re very good at the knowledge of all the laws and stuff like that, but not necessarily good at explaining them to people because it is not part of what they learn at law school. 

Very often, I’ve seen papers from lawyers where everything they say is correct, but it’s really difficult for normal people to read and understand.

With me, I’m from another planet, so to speak. I went to university to become a high school teacher, so the ability to communicate and try to make people understand stuff is something that I’ve been trained in from early on. 

Unlike lawyers who have their reputation or company’s reputation to think about, I can be a little bit bold in how I teach people about GDPR. For example, I sometimes use props like Barbies, Ken dolls, teddy bears etc., to explain some of the basics of processing personal data. Something that could be incredibly boring is suddenly made funny and memorable because you’ve introduced a teddy bear and some dolls. I actually did this once for an article. I made a video using a teddy bear, and my daughter joined in. I got a lot of reactions to that video, and even now when I go into meetings with potential customers, they tell me they loved the video. 

When people think something is funny or get more curious, they start to open their eyes and ears and listen to you, especially when it comes to something like GDPR, which so many people are obliged to know about.”

What are the most common challenges facing organisations educating staff about GDPR and compliance?

“For most people, it’s boring and difficult to understand. 

It’s also my impression, more often than not, at the management and C-suite level, there needs to be more concern about GDPR. I wish that they would not just see it as a cost but actually something they can gain a lot from. 

For instance, if they actually start to clean up all the mess, they can make sure that the right people have the right access to information. Or, if an employee leaves a company or joins a competitor, they may leave with that knowledge or still have access to critical information, which can be very harmful.”

Where do you think the lack of concern around GDPR comes from?

“In general, GDPR is still connected with big fines. I think that’s horrible. Because if that’s the reason why you are doing something about GDPR because you’re afraid of fines, you’re coming at it from the wrong place.

I perfectly understand why people are talking about big fines. Still, it means much action is driven by fear rather than the opportunity to take care of something that belongs to other people – their personal data. That alone should be the reason why you take GDPR seriously.

Let’s say that you’re living in an apartment, and you have a loft with a lot of stuff up there. Suddenly, your landlord calls and says if you don’t clean it up within one week, I’ll give you a huge fine. Okay, then you have to do it.

But imagine, if instead you’re told that by cleaning up your loft, you would find a lot of stuff you could throw out, so you have space for more things. Or, you would find things that you thought you had lost that were very valuable to you. Or, you’d just be able to find things very quickly. There are so many reasons why you should do this job instead of just to avoid the fine, right?”

When a company hires an external consultant to help with their awareness efforts, what should they expect? 

“The most important thing to know is that they should be doing most of the work themselves. Consultants shouldn’t be doing all the paperwork. This has to be done internally, so businesses understand what they’re doing. 

Our job is to explain why they’re doing it and what it’s all about so they’re able to change it later on. I’ve seen so many organisations that did a lot of work regarding GDPR a few years ago, but today, they haven’t done anything. They don’t know what was done or how it was done because someone else took care of it all. 

And then there are deadlines. Deadlines are extremely important. Often, people know they need to do something, and they spend time gaining knowledge from webinars and white papers but then don’t do what they should do. That’s because they don’t have deadlines in place. 

With deadlines in place, it creates a process to make sure a business goes from A to B, and perhaps a little further.”

What are your go-to formats or techniques for making GDPR education as engaging and exciting as possible? 

“It depends on the company size and sector, but when I give a speech or teach a course, I like to use Kahoot! Sometimes, I’ll include a prize to add a bit of gamification. 

It’s all about being creative. Once I had a customer who wanted to make sure their entire staff was more aware of GDPR. So I hijacked the CEO’s email account and emailed the whole company who thought there’d been a data breach. Of course, I did so with acceptance from the CEO.

That got everyone’s attention much more effectively than simply sending them a manual because they were surprised, and the more you can surprise people, the more they will be affected.”

And lastly, what is your opinion on the GDPR scenario in Denmark at the moment? Do you think the market is mature? Or do you think the DPA has some work to do to force businesses to take data compliance more seriously?

“I think some of the decisions made by the Danish DPA lately have been disappointing. Denmark is a very small country, but the trust in Denmark is bigger than in other countries, surveys have shown. We believe in others, which is a beautiful thing, but we live in an international world now. Things are going so fast, especially with the internet and social media, so we should be better at taking care of stuff. 

In Germany, they have been way more strict when it comes to GDPR as they have a different history and culture. But the thing is, whatever organisations are doing in Germany or Sweden or Denmark should be all regulated the same. There should be a universal European body that says, “Hey Denmark, you haven’t done this good enough. You have to do better.” We do have the EDPB but I would appreciate it if they were more offensive towards the efforts made by some of the national data authorities.

We also have to remember that we have Europe, and then there’s the United States and China. In China, they have very different rules and attitudes to personal data. In the United States, they haven’t really paid that much attention so far, although they’ve started rolling out more laws in some states, such as California.

I think respecting privacy could be something really unique for Europe and European companies. Because we are more aware of respecting privacy, we could share the value of always acting to the highest standard, which would be a great opportunity.”

For more GDPR insights and tips, you can follow Thorleif on LinkedIn, and you’ll find his latest articles here. You can also follow Complyon for more industry interviews, tips and updates here.
