Serving compliance on a silver platter

Education prevails over force

Setting up the SPA team and laying down the shared responsibilities is just the beginning. If compliance is to become part of your company’s culture, you must realize that:

  • Compliance must be agile. It must evolve with your business; setting up the structure is just the beginning.
  • Compliance must be deep-rooted. Every employee must embrace it and make it an ongoing part of their work.

This is why forcing compliance will not work in the long run. At some point you may have to sacrifice compliance to meet your business goals, only to have this decision affect you at a later stage.

Becoming compliant does require you to introduce some rules. Educating your employees on why these rules make sense is far more important than simply trying to enforce them.

Subtle marketing

Marketing is about letting people know that you can solve their problems. You must go to the place where the people you are interested in reaching are talking and speak more eloquently than them so that they listen. And better does not necessarily mean louder.

Marketing an idea like compliance to those who don’t like rules is not an easy task. That is why you must carefully handle the three main components of subtle internal marketing:

You must identify these crucial players in your organization and ensure that they understand why they must embrace compliance and how they can do it. The SPA team is well-suited to bring crucial players on board. Then, these players must take it upon themselves to ensure that every person they talk to talks about compliance.

The medium is the arena where group conversations happen. It could be a chat group, email alias, internal social media, a project management space, or any other collaborative space. You must identify each of these mediums and ask your marketers to use them all.

Materials are what deliver the message. It could be a simple email, a presentation, an e-book, the minutes of a meeting, or a top-quality video. It all comes down to what your SPA team can manage and what works best for your audience (employees).

These three aspects of marketing must function in unison:

  • A product team has a chat group (medium) that discusses new features they are planning. The product manager (marketer) can share security guidelines (material) for creating a new feature prepared by the SPA team.
  • A support team has a forum (medium) to discuss challenging issues they face. The support head (marketer) can share a presentation or an e-book (material) that discusses privacy guidelines while troubleshooting critical issues.
  • The legal team wants to give a presentation (medium) to operations teams on the procedural challenges involved in shifting to a new building. The presenter (marketer) can include screenshots (material) of the change management controls mentioned in ISO 27001 in the presentation.

Once you’ve used all the M's of marketing effectively and efficiently over an extended period of time, the idea of compliance will become second nature to your workforce.

ZOHO STORY

GDPR-ing Zoho: Zoho's SPA team faced its biggest challenge yet with the GDPR. Although there was so much talk about the GDPR, no organization could figure out how to be 100-percent ready for such a paradigm shift. Zoho's SPA team took up this challenge and started with research to get a complete understanding of the GDPR’s requirements and how the regulation would change Zoho’s way of working. Once that process got underway, the three M's of marketing had to come into play.

Zoho has a horizontal structure where each product team has its own method of working. The SPA team first targeted all internal communication channels that involved staff in leadership positions; they were our first group of marketers. To teach these marketers what compliance really was and how to go about it, the SPA team reached out to them through our favorite mediums:

  • Presentations: These were delivered on a large scale, sometimes three times a week, and targeted at different product managers.
  • Campaigns: This included an awareness campaign and a campaign to launch documentation initiatives.
  • Social media: Our internal social media portal built on Zoho Connect was our way to reach each and every employee. We created awareness with engaging posts, polls, short discussions, and even memes and invited employees to participate.
  • Audits: As our SPA team is in charge of security, privacy, and compliance audits for every product feature, they used those audits as an opportunity for education. They gave short presentations to make multiple teams realize the implications audits had on their particular function.
  • Culture and events: We used local festivities, like Pongal in our India offices, and international occasions, like Data Privacy Day, to invite more participation. Posters, competitions, and giveaways helped us get everyone's attention.

Above all, the crucial element to getting Zoho ready for the GDPR was consistent effort over a period of time.
