The other day, I was sitting across from someone at lunch, and without even thinking about it, I flipped my phone face down on the table. Just like that. One motion, completely automatic.
And then I sat there and thought – why did I just do that?
I tend not to want to be distracted by notifications. I definitely didn’t want the person across from me catching a glimpse of my messages. I didn’t want my screen visible to whoever was walking by behind me. What’s interesting to me is that I didn’t make a conscious decision. I didn’t think, “I would like to protect my privacy now.” I just flipped it.
Many people do the same thing with a bathroom door, even when no one is home. No one is coming. There is zero chance anyone is walking in. And it gets closed anyway.
We do this all the time and never notice.
We cover our PIN at the ATM even when the nearest person is halfway across the parking lot. We check who’s in the room before we take a sensitive call. We close 47 browser tabs before handing our laptop to IT. We turn our monitor slightly when someone walks behind our desk, not because we’re doing anything wrong, just because. We whisper in a hospital hallway even though no sign told us to.
Nobody trained us to do any of this. There was no module. No annual reminder. No policy memo. We just felt it and acted on it.
That instinct is privacy.

This got me curious – just how many subconscious decisions are people making daily? While I get they are not all privacy pros, this is a HUGE number and supports the notion that privacy is innately being decided all day long by people.

So, Why Doesn’t This Show Up at Work?
This is the part that keeps me up at night, in the best possible way, because it means there’s something real to work with.
The same person who covers their PIN at the ATM will forward a customer spreadsheet to their personal email to finish working on it at home. The person who angles their laptop on a plane will CC half the company on an email containing someone’s salary. The employee who whispers in a hospital waiting room will post about a client win on LinkedIn with just enough detail to make everyone uncomfortable.
It’s not malicious. It’s not laziness. It’s that the privacy instinct that fires automatically in their personal life hasn’t been connected to their professional one yet.
And that is the actual work of building a privacy program. I’ve always said scaring people with fines isn’t going to significantly shift behavior. It CAN make progress. But it’s often incremental, rather than the core, fundamental progress that makes privacy second nature.
Think about the last time you wanted to launch a new product, buy software, or do something “big.” You were likely asked how much will it cost (finance), what resources will it take (people), is there a contract involved (legal), and what type of tech is involved (IT). Not often asked is what are the privacy implications? No one ever seems to forget cost, people, and IT. Sometimes legal gets to the table last, but generally, they aren’t totally forgotten. Privacy … they are still struggling to get their invitation.
How to Get People’s Attention
1. Stop leading with rules. Start with recognition.
The next time you run privacy training or just have a meeting, open with the phone flip or the bathroom door scenario. A personal story is always a great way to grab attention. Watch the room shift immediately. People smile. They nod. They recognize themselves. And then when you ask them when they last brought that same instinct to how they handle customer data, you can see them actually thinking about it.
💡 Lightbulb moment perhaps?
That moment of recognition is worth more than an hour of slides about regulatory requirements. People don’t change behavior because they memorized a law. They change behavior because something clicked personally.
Your job is to create the click.

Practically speaking: audit your current training. How many minutes pass before you mention a real human moment versus a compliance requirement? If the answer is never, that’s your starting point.
2. When the instinct kicks in, something has to happen with it.
The phone flip works because the action is immediate. You feel it, you act, done.
Privacy instinct at work is messier. An employee notices that a new vendor seems to be collecting way more data than the project requires. Or a marketing campaign idea lands in their inbox and something feels off, but they can’t quite name it. Or someone asks them to pull a customer list, and they hesitate for half a second before doing it.
What happens with that hesitation?
If there’s no clear answer, one of two things happens. They ignore the feeling and move forward. Or they ask around, get no clear answer, and move forward anyway.
Here’s the reality. Sometimes a privacy review takes time. It needs to. There are legal requirements, compliance steps, and stakeholders who need to weigh in. Explaining WHY time is good and can benefit a project is the teachable moment. Often, privacy is seen as “slowing” things down. Actually flagging an issue first can save a significant amount of time and money, preventing an issue or a delayed launch.
3. Find the people who are already doing this and make them visible.
In every company I’ve worked with, there are people already living this instinct at work. The customer service rep who flags a data request that seems unusual. The developer who stops a sprint to ask whether they actually need to collect a particular field. The HR manager who closes her office door before opening a personnel file or says not to record this call. The marketing analyst who questions sending that cold email to a purchased list of people.
These people are your privacy champions, and they might not even know it. Find them. Name what they’re doing out loud. Tell them specifically: what they just did, that instinct they followed, and that it is privacy by design in action.
Recognition is a multiplier.

When someone hears that, they stand a little taller. They do it again. They mention it to a colleague. And your privacy culture grows in a way that no mandatory training has ever produced.
Where’s the next place you can recognize someone? Maybe it’s a shoutout in a team meeting or a note from the privacy team.
4. Use what’s in the news, but ask a question instead of sending a policy reminder.
When a breach makes headlines or a new privacy story goes viral, and they always do, resist the urge to send a reminder to complete training or review the policy. That email gets deleted. Or totally ignored in a meeting.
Instead, ask one question: Did you see this story? What’s your instinct about where things went wrong?
Let people use the gut feeling they already have. Then, in a follow-up, connect it to something specific inside your organization. What would your version of this look like? Where might you be vulnerable to the same thing? What could we do differently?
That conversation will do more for your privacy culture than a policy reminder ever will. And it positions you as someone bringing insight, not compliance pressure.
5. Challenge what you collect before you collect it.
You flip your phone face down because something in you just doesn’t want everything visible to everyone. That same instinct points directly at one of the most powerful privacy operations practices there is: data minimization.
When employees are in product meetings, vendor conversations, or campaign planning sessions, train them to ask one question early: Do we actually need this data?
Not after the form is built. Not after the vendor contract is signed. Before. Because a 25-field intake form that asks for information nobody ever uses isn’t just an operational problem, it’s a privacy one. Every field you collect is data you now have to protect, manage, and eventually delete. Data you didn’t need to collect in the first place is a liability that didn’t have to exist. Not to mention in some jurisdictions you might not be able to use it the way someone intended to!
Build the habit of asking that question early. It’s one of the highest-leverage things a privacy program can do, and it connects directly back to instinct. Because honestly, when someone hands you a form with 25 fields, something already feels like too much. Trust that feeling. Then act on it.
6. Help employees think like a customer, because they might actually be one.
This is the one that tends to land hardest in the rooms I’m in.
The data your company collects doesn’t just sit safely in a database. It gets analyzed, segmented, used to make decisions, accessed by other teams who shouldn’t use it, shared with partners, and sometimes ends up in places customers never anticipated when they handed it over. That’s not always wrong. But it’s worth sitting with.
Privacy is about how data is collected, used, stored, shared (and protected).
Privacy laws require us to actually explain to people what a company is doing with their data – there should be no element of surprise. Someone who shared their email address to get a receipt didn’t necessarily sign up to be profiled, retargeted, or have their behavior tracked across other platforms.
To really drill home this point, I ask teams: Are you a customer of this company?
Do you shop here, use this app, subscribe to this service?
If yes, your data is in that same system you’re working in right now.
Would you be comfortable with how it’s being used? Not just whether it’s secure. Whether it’s being shared in ways you’d expect. Whether it’s being used to draw conclusions about you that you didn’t anticipate. Whether it ended up somewhere that would genuinely surprise you.
If no, well then I ask them to think of themselves from the customer’s point of view.
That question changes things. Because suddenly it’s not abstract compliance work. It’s personal. And personal is what moves people.

The Bottom Line
I’ve sat in enough executive leadership meetings, training sessions, and client kickoffs to know that leading with regulations doesn’t move people to get privacy into the “fabric of the culture,” as I call it.
It informs them, yes. But it doesn’t change how they show up on a Tuesday afternoon when nobody is watching.
The phone flip does. The bathroom door does.
Your employees already understand the concept of privacy. They feel it every day. They flip the phone. They close the door. They cover the keypad. That instinct is real, and it’s already there.
But understanding the concept and knowing how to apply it at work are two very different things. Privacy laws are real. They are new, they are evolving, and they matter. Employees need to learn them. The nuances of what counts as personal data, when consent is required, how long you can keep something, and who you can share it with – none of that is instinct. That’s the work of building a real privacy program.
What the instinct gives you is the foundation. When employees already understand why privacy matters, they are far more ready to learn the specifics of how to protect it. You’re not convincing a skeptic. You’re teaching someone who already cares. That is a completely different conversation and a much more productive one.
Start with the phone flip. Start with the bathroom door. Then teach them the law.
The more you find your personal story and connection points, the more you will find employees will be engaged and willing to invite you to the table for that next initiative.
In case you’re wondering why stories matter so much – there’s science to it. This headline says it all to me. Our brain acts differently when we hear stories, and to read the super long, older but still relevant, scientific study check it out here:

Connection is powerful. Once you have it, watch your privacy program soar!
Try it out this week in your next meeting. Share a story!
Happy privacy!
Jodi