Empowering managers to reinforce everyday privacy

20 June 2025 Deborah Mercier

Training modules are a critical part of any compliance program, but they’re not the only lever we have. When it comes to building a culture of privacy, managers are one of our most powerful (and underused) resources.

Think about it: employees spend far more time interacting directly with their managers than with compliance. And while most privacy missteps aren’t malicious, they often stem from routine tasks or habits—rushed emails and file shares, casual chat messages, forgotten file clean-up. These behaviors don’t necessarily rise to the level of policy violations, but they can still expose the organization to risk.

That’s where managers come in. A quick conversation, tip, or reminder in a team meeting can normalize the kinds of privacy habits that protect data day in and day out.

Below are five common behaviors that either help or hurt—and how compliance teams can support managers in reinforcing the right ones. (Want to build a full scenario for discussion? Check out the sample AI prompt in this article.)

Sharing screens without checking what’s visible

🧠 The risk: Accidentally displaying tabs, documents, or notifications that should have stayed private.

💬 What managers can say: “Before screen sharing, close unrelated tabs and use ‘window share’ instead of full screen. Let’s avoid those ‘oops’ moments.”

🔧 How compliance can help: Create short checklists or visual reminders managers can share before recurring team calls.

Treating instant message platforms like a private chat

🧠 The risk: Posting sensitive info—like HR updates, health information, or customer details—without realizing how many people can see it (or that it’s retained as a business record).

💬 What managers can say: “If you wouldn’t say it on speakerphone or post it on the internet, think twice before posting it in a chat.”

🔧 How compliance can help: Deploy guidance on using instant messaging platforms compliantly, recommend default privacy settings for common channels, and work with IT personnel to make sure keyword alerts are set up to catch risky terms.

Rushing to send an email or share a file

🧠 The risk: Autofilling the wrong name. Using the “to” field instead of BCCing a large distribution list. Sending a sensitive attachment to the wrong person.

💬 What managers can say: “Let’s all get in the habit of pausing before we hit send and share—especially when external contacts or attachments are involved.”

🔧 How compliance can help: Offer talking points, sharing or email settings (like prompts for external recipients—Google Workspace already does this well, see below), or real-life examples from past incidents (anonymized, of course).

Sharing files

Saving files locally “just for now”

🧠 The risk: Sensitive documents piling up on desktops, personal folders, or unencrypted drives.

💬 What managers can say: “Let’s use the shared drive or cloud folder so nothing gets stuck on a local machine.”

🔧 How compliance can help: Set default save locations and automate clean-up where possible. Offer friendly, repeatable reminders.

Holding onto data that’s no longer needed

🧠 The risk: Retaining old reports, lists, or notes that serve no legal or business purpose can lead to unnecessary exposure in the event of an incident or investigation.

💬 What managers can say: “If we don’t need it anymore and there's no legal hold or other reason it needs to be saved, let’s delete it. Holding onto old data creates more risk than value—and we should always follow our record retention policy.”

🔧 How compliance can help: Make sure managers understand what the record retention policy requires and when it applies. Provide clear guidance and reinforce it with reminders during project closeouts, system cleanups, or offboarding.

Make space for the conversation

Empowering managers doesn’t mean handing them a privacy manual; it means making it easy for them to talk about privacy in ways that feel natural, low-stakes, and relevant to the way people interact with data every day. A few simple prompts and clear examples can go a long way.

By combining formal training with everyday conversations, we can help employees build privacy into their daily workflow—without overwhelming them.

 


Deborah Mercier, Senior Compliance Counsel, is a licensed attorney with over 13 years of experience in the compliance field, spanning a diverse range of sectors. She is deeply committed to developing engaging and effective ethics and compliance training programs and helping organizations align their business objectives with legal and regulatory requirements.

 
