Recently I was invited to participate in a panel hosted by the World Bank during Data Privacy Week. In reflecting on the discussion, I began thinking about how people, including children, hear about protecting personal information and how that impacts an organization and its data subjects.
How do we learn about privacy?
For most people, the thought of taking a privacy class ranks right up there with a dental visit. Generally, data subjects assume that laws and regulations will protect their personal information and these rules are being enforced. Privacy notices, the primary transparency vehicle, are often very long, not in “plain language,” and used to protect the organization posting the notice.
So data subjects tend to gain privacy knowledge through their own experiences, from their friends, or as my father use to say, on the street. This often leads to oversimplification of complex concepts and requirements. In the end a data subject may throw up their hands and scream “just protect my privacy!”
My father was right
My father was right about learning on the streets. Our privacy perspectives come from the culture in which we are immersed. Compare the data protection expectations of an EU citizen with that of a US citizen or someone from China or Cuba. These individuals think differently about privacy and ultimately, about data protection. (A strange thought here … what would Max Schrems be like if he grew up in New York City or Havana?)
Our personal privacy perspectives are also influenced by our friends, usually from the same generation as us. People who have grown up with social media are more comfortable with sharing personal information than members of older generations. And it seems that retirees today often take the attitude of “take my personal data, I have nothing to hide”. That is until their personal information is made public.
The organizational data protection challenges
Establishing training and awareness programs are a next step. An important element is differentiating privacy from security, make them independent topics and independent trainings. Start with your executives. Many of them do not know the difference between privacy and security; and without their understanding and support you will not be able to influence the rest of the staff.
Who will teach children?
During the World Bank panel, we engaged in a brief discussion around where responsibility lies for teaching children about online privacy. One panelist asserted that this was the parents’ responsibility. I suggest this is asking too much.
My premise is simple. If adults do not understand the on-line privacy challenges they face and how to protect themselves, how can they teach their children. If children are part of your target audiences, consider how to communicate privacy practices that they can understand. I have seen videos and comic strips as examples of ways to at least get children to ask questions of their parents or guardians.
Finally, consider providing links with your privacy notice to some basic, educational material for parents to learn about privacy and how to discuss it with their children.