
Privacy Training Is (Still) Vitally Important

Several years ago, I wrote a pamphlet for the International Association of Privacy Professionals titled Six Ways Privacy Awareness Training Will Transform Your Staff. The impacts identified in that paper continue to ring true, as evidenced by their inclusion in the current iteration of the IAPP’s Privacy Program Management course. These impacts include:

  1. Establishing a common understanding of privacy
  2. Reducing human error
  3. Considering privacy up front
  4. Improving customer interactions
  5. Expanding the privacy office’s eyes and ears
  6. Changing conversations

It all boils down to making privacy a priority for an organization. This essentially requires effecting a cultural change.

Since the pamphlet was written, the privacy landscape has significantly changed. For example, people have become more privacy aware. Customers, clients, patients, prospects, employees, and other stakeholders have become sensitized to how organizations are collecting, processing, and sharing their personal information.

Everyone has their own perception of whether an organization is using their personal information for good or for ill. Depending on jurisdiction, there are varying legal requirements for processing personal information, but these perceptions have put organizations on the back foot: they must now consider not only whether their activities are lawful, but how those activities are perceived by the people whose data is involved.

This has translated into a myriad of laws around the world to protect personal data. From GDPR to PIPL to CCPA/CPRA to LGPD (I could keep going), the number of new statutes introduced each year is staggering to keep up with. Even if you only do business in the United States, new state privacy laws are emerging each year, and, as with laws globally, each has its own unique requirements.

As privacy professionals, it is vital that we keep the members of our organizations up to date so that these emerging laws and regulations are not violated and our stakeholders’ expectations are met. This is where training and awareness programs shine. Let’s revisit the original six impacts.

Establishing a common understanding of privacy

Since the privacy landscape is rapidly changing, it is vital that staff members have a basic understanding of privacy and of how your organization protects personal information. While I would never expect organizational staff to become versed in all the applicable laws, it is critical that team members are kept up to date on how the changing privacy environment affects your program.

Through annual privacy training, be it face-to-face, computer-based, or some more creative method, changes in your organization’s privacy program requirements can be effectively conveyed and understanding can be tested. Annual training should be supplemented by less formal awareness activities that help keep privacy top of mind. Poster campaigns, newsletters, and celebrating Data Privacy Day on January 28th are all simple examples of how to reinforce that common understanding.

Reducing human error

A recent Ponemon Institute report identified that roughly 23% of data breaches were caused by human error. Personally, I have faith that employees are trying to do the “right thing” for your stakeholders and the company. The errors occur, therefore, when a staff member doesn’t know what the “right thing” is, so assumptions, and mistakes, are made. Even on a limited financial and resource budget, training and awareness activities can be undertaken that reduce (eliminate?) that 23% of risk.

Considering privacy up front

When products, services, and processes are being created or updated, it is expensive to add new requirements at the end of the development process. I recall seeing studies throughout my career claiming that the cost of adding a new requirement increases exponentially the closer you get to project completion. Keeping staff informed of evolving privacy requirements increases the likelihood that privacy will be built into the base development requirements rather than tackled as a new requirement at the end of a project. Consider the impact of a marketing project undertaken without upfront consideration of anti-spam regulations, only to have the program revamped at the last minute.

Improving customer interactions

Stakeholders’ sensitivity to privacy is changing. Some of that is due to personal breach-related experiences, or it may simply be related to the barrage of advertisements to which we are all exposed that use privacy as a product or company differentiator. Training and awareness will sensitize outward-facing staff to stakeholders’ expectations with respect to the processing of personal information.

Expanding the privacy office’s eyes and ears

I worked for one company with over 90,000 employees globally. Our privacy office staff was seven. With these limited resources we could not be everywhere all the time, so we relied on privacy trained and aware staff members to be our “feet on the street”, our “eyes and ears” to keep the privacy office informed about how each individual department was using personal information in both automated and manual processes. To make this successful, these individuals must be kept informed through training and awareness activities.

Changing conversations

Most importantly, training and awareness activities drive changes in the topics discussed at all levels of an organization, from individual departments up to the C-suite. As the privacy landscape changes and your privacy program changes with it, you must effectively communicate those changes to influence the discussions throughout your organization. People generally do not read policies, so you must provide privacy training and awareness activities to keep your team informed.

So how do you create effective training and awareness programs?

  • Make the activities fun – if you’re not a “privacy geek”, privacy can easily be a boring subject. Find ways to make the training and awareness activities engaging, relevant, and fun.
  • Keep them meaningful – both training and awareness activities should be role-based so they are meaningful to the recipients.
  • Keep them personal – make staff think about how the use of personal information they are proposing or undertaking would affect them as individuals. If it feels “creepy” to them, why would your stakeholders feel differently?
  • Plan – provide a steady flow of privacy messaging without becoming intrusive. If the messages become too overwhelming, they will be ignored.
  • Get feedback – reach out to recipients to see how your training and awareness activities are being received and how they can be improved.
  • Measure – define metrics before you implement each training and awareness activity so you can determine whether the changes you anticipated are, in fact, being achieved.

Reach out to Privacy Ref with all your organizational privacy concerns, email us at or call us 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today and get trained by the top attended IAPP Official Training Partner.