
Who knows privacy?

Recently I was invited to participate in a panel hosted by the World Bank during Data Privacy Week. In reflecting on the discussion, I began thinking about how people, including children, hear about protecting personal information and how that impacts an organization and its data subjects. 

How do we learn about privacy?

For most people, the thought of taking a privacy class ranks right up there with a dental visit. Generally, data subjects assume that laws and regulations will protect their personal information and these rules are being enforced. Privacy notices, the primary transparency vehicle, are often very long, not in “plain language,” and used to protect the organization posting the notice.

So data subjects tend to gain privacy knowledge through their own experiences, from their friends, or, as my father used to say, on the street. This often leads to oversimplification of complex concepts and requirements. In the end a data subject may throw up their hands and scream “just protect my privacy!”

My father was right

My father was right about learning on the streets. Our privacy perspectives come from the culture in which we are immersed. Compare the data protection expectations of an EU citizen with those of a US citizen or someone from China or Cuba. These individuals think differently about privacy and ultimately, about data protection. (A strange thought here … what would Max Schrems be like if he grew up in New York City or Havana?)

Our personal privacy perspectives are also influenced by our friends, usually from the same generation as us. People who have grown up with social media are more comfortable with sharing personal information than members of older generations. And it seems that retirees today often take the attitude of “take my personal data, I have nothing to hide”. That is, until their personal information is made public.

The organizational data protection challenges

Consider the composition of an organization. The staff often consists of people with diverse backgrounds and ages. Each staff member will have their own perspectives on privacy which may not be in line with the organization’s policies. The organization needs to address this. Simply asking the staff to read and sign a privacy policy is a first step, but it is not enough. Organizations need to engage in a change management process to ensure that privacy preserving activities align with their policies.

Establishing training and awareness programs is a next step. An important element is differentiating privacy from security: make them independent topics and independent trainings. Start with your executives. Many of them do not know the difference between privacy and security, and without their understanding and support you will not be able to influence the rest of the staff.

You also need to create a compliance program. Many organizations assume that since employees have signed a privacy policy and taken training, the staff will always meet requirements. I suggest that this is not always the case as people, trying to do the right thing, may make mistakes. Also, by monitoring compliance, organizations can see where improvements in privacy programs, policies, and training are needed. Leveraging existing frameworks such as Privacy by Design or creating your own metrics will help achieve this goal.

A second challenge is transparency. You have heard this in relation to communicating with your data subjects through your privacy notice, but this is also true of your internal privacy policy. People, whether customers or employees or others doing business on your behalf, need to understand how personal information is processed. Injecting “legalese” makes the documents hard to understand and confusing. In both the internal policy and the external notice, using techniques such as layering, including examples, providing “just in time” information, and using language your target audience can easily understand are all effective approaches.

Who will teach children?

During the World Bank panel, we engaged in a brief discussion around where responsibility lies for teaching children about online privacy. One panelist asserted that this was the parents’ responsibility. I suggest this is asking too much.

My premise is simple. If adults do not understand the online privacy challenges they face and how to protect themselves, how can they teach their children? If children are part of your target audiences, consider how to communicate privacy practices that they can understand. I have seen videos and comic strips as examples of ways to at least get children to ask questions of their parents or guardians.

Finally, consider providing links with your privacy notice to some basic, educational material for parents to learn about privacy and how to discuss it with their children.