It has been no secret that I am a nerd. One place my inner nerd particularly surfaces is my love of board games. From your most basic game of Scrabble, in depth games of Catan, or diving deep into a euro-game with an encyclopedia sized rulebook, I am ready to go. There is a lot to learn here though and tackling the voluminous rulebook to get going can be intimidating. Ways that good rulebooks manage this learning curve have many similarities to the challenge of getting your employees, or customers, to actually read the privacy policies you just spent 50 or more hours writing.
How long is your privacy policy? Some may have only a few pages, while others have dozens of pages or even multiple documents for different aspects of the program. The size of a policy can make it intimidating to read and might even demoralize your employees to the point that they don’t even try to read it. The truth is that length is one of the least important factors. The issue is how easily can you find what you are looking for in that document. So what can we learn from board games to make this easier?
Most people will at least know that Dungeons and Dragons or tabletop games of its kind exist. Often touted as bastions of complexity and requiring years to understand, these games usually don’t have a board or pieces, but instead a rulebook with all the information needed to play. I have been playing such a game that uses the 2nd edition Pathfinder system for a few years. A 638-page rulebook describes the basic information and core set of rules to play. What makes this manageable is that most players will never need to read the whole thing because it is broken into smaller, easier to manage parts.
Think of it this way. If you want to make a character that doesn’t cast spells in the game, you would never actually need to read about any of that. Why bother reading things that do not apply to you. The same thing should apply to your privacy policy. If employees can quickly and easily find the specific information they need, such as what to do in response to a data subject request, they will be more willing to make that effort. At the very least, they will not be discouraged from reading the policy to find that information. The issue with size of a document is finding what you need, and by providing good document organization and structure, you can focus on providing all necessary content as needed. Notably, a table of contents is integral for establishing early on where specific information can be found.
Another trick is how individual items are referenced throughout that policy. Back in the rulebook, whenever another book contains reference to a rule, let’s say a rule on what dice need to be rolled for a certain situation, a reference provides annotations for which book and page number to look in. Applying this to a privacy policy works equally well. With multiple policies covering retention, destruction, incident response, data subject requests, access, and more, having a quick and easy way to know where to look is priceless. Instead of just starting to look in the corresponding policy, provide the full title, section, or similar information to locate that necessary information easily.
There are certainly more tricks to this. Gaming communities are excellent at both analyzing rules as well as at discussing and optimizing how to describe them. Using these techniques to remove obstacles for individuals enables better knowledge of what policies say, or at least finding the information they need quickly. This will further ease development and acceptance of the privacy program. If everyone can understand the rules, then you can get informed, effective feedback, and begin to build a strong program from there.
Please feel free to reach out to Privacy Ref with all your organizational privacy concerns. You may view our complete event calendar here, which includes our training and webinars.