The strikethrough of “training” above in the chapter title is not a typo on my part, but a subtle note to the Chief Privacy Officer that the best way to protect your data is by engaging with employees, not merely telling them what to do, or training them on what to do. Or worse, punishing them when they do something wrong. What I've learned over time is that privacy and security are not sexy topics and they're basically like law enforcement. Nobody ever wants to get in trouble with law enforcement. They don't want to get pulled over for speeding or some other infraction and if they do, they're not happy about it. It's not fun for them.

So, what I've had to learn is to approach staff by explaining that privacy and security are not things that should be feared. They're not in place to make employees' jobs harder, they're an essential part of how we do business that will avoid problems as we scale. Just as privacy by design brings people into the fold at an earlier stage, so does talking to staff early to help bring them into the fold. Engaging with employees helps to get them thinking about their actions as it relates to privacy and security. The way to do that is to integrate the privacy team into what employees are working on and vice versa. You want to create a culture where you can have a two‐way conversation between the privacy team and other employees.

One of the ways that you build that culture is to ask if you can attend weekly ...