Companies increasingly need to train their employees in data protection and privacy. But there are no hard-and-fast rules on how companies should ensure compliance with local, regional or national laws or with their own policies. Chief privacy officers are tasked with educating employees in order to protect consumer privacy and their brands.
Yoshio Araki, chief privacy officer at IBM Japan, says understanding data privacy and how to manage sensitive information is essential to IBM employees, and helping them become aware of the expectations helps to build a company culture that values personal information. For a company that handles a significant amount of personal information daily, an important responsibility rests on employees’ shoulders.
“‘Privacy smart’ employees are essential to effectively managing the organization’s personal information assets,” Araki says.
As such, the corporation created an online course designed to teach the basics of data privacy, and IBM Japan provides specific content in order to comply with local regulatory requirements, says Araki. In addition, each IBM employee must complete a similar course about the company’s “Business Conduct Guidelines.”
Privacy education is logged and tracked electronically, and employees receive a certificate upon completing the process.
Nadya Aswad, who recently left her post as Fannie Mae’s chief privacy officer to take a position with another company, says the most important aspect to ensuring good training and education for employees is having senior and executive management support and communicating effectively with those groups.
“It’s key to have a communication plan in conjunction with the training program, and part of that communication plan is to have senior executive management communicate to the company the importance of privacy training, to show they support the privacy program,” Aswad says. “That’s sort of where the training and the communication begins.”
That top-down approach differs from that of Jim Adler, chief privacy officer at Intelius, a company that provides background checks and public records services. Adler’s position is unique in that his background is in engineering. Aside from his CPO title, Adler is also the general manager of the company’s data systems teams. He says such a position allows him to steer product engineering toward privacy in the very design stage.
“We are doing a lot around privacy by design, maybe in a less formal but more effective way because we do it from the bottom up,” Adler says.
Adler ensures his employees—engineer designers, data engineers, Big Data engineers and scientists—are privacy-savvy by coupling in-house design discussions with “privacy talks” that serve as an employee orientation about data use: what is and is not appropriate from a design-stage perspective, where the company sits in the regulatory environment, and why privacy is important to the company for more than just legal purposes.
Adler has also published a framework called “Places, Players Perils,” which aims to give his designers a way to think about privacy.
“Most designers don’t know or care about privacy,” Adler says. “So this gives them a framework that says, ‘Are you dealing with a piece that the expectation of privacy is high? What can go wrong? How can this data or experience be exploited?’ If you start to think about things in those terms, at least you give engineers and product designers something to hold on to, rather than telling them there’s all these laws about privacy, and ‘don’t violate them.’ I don’t think that really moves the needle with most technologists.”
Being both chief privacy officer and a part of the design teams allows Adler to be accessible and to keep asking questions.
“I think someone has to be in the trenches talking and thinking about privacy in a very open way,” Adler says. “And I think what often happens is that a lot of companies deal with privacy in a sort of don’t-ask-don’t-tell kind of way, where they let lawyers deal with it.”
Meanwhile, Aswad says it’s important that minimum requirements on privacy are established, generally in the form of privacy principles, and that employees are trained. Those basics can be built upon later with role- or business unit-specific training, for example, she says, adding that it’s essential for in-person privacy training to be reinforced through messaging and frequent reminders using the corporate intranet and e-mail.
Nelson Akinrinade is general counsel and chief privacy officer at Crown Relocations, a moving company and relocation service with offices in 57 countries—including several within the EU. His staff is trained on privacy using three courses, which he developed, ranging from introductory to detailed. The first course describes the basics of privacy, and the second describes what Akinrinade calls “more of a nuts-and-bolts approach” into practical privacy and the hierarchical levels of personally identifiable information, as well as consent and onward transfer. The third focuses on Binding Corporate Rules. The courses are administered online and a pass/fail test follows. If an employee fails a question, they’re required to take the course again. Tests must be taken annually.
Akinrinade also created a privacy advisory committee composed of senior managers drawn globally from the company. The committee conducts regular meetings to discuss prevalent issues and establish focus points.
“Because these are senior managers in all of the regions, they are able to cascade this information to their subordinates who are also in manager positions,” Akinrinade says. “We also try to ensure that each time there’s a departmental meeting, privacy is always one of the topics to be discussed, so, we try and keep privacy in front of everybody at all times.”
Aswad adds she’s aware of organizations that have turned privacy education into a festive day for employees, allowing them to wear jeans to work, clear out any PII that may be lingering around and conduct games around data privacy concepts.
As for methods beyond testing that a company can use to measure the efficacy of employee training, Aswad says that looking at the number of questions about privacy, or reports of potential incidents or mishaps, a group has after training was delivered can be misleading.
“Oftentimes right after training is delivered, the number of calls to the privacy office goes up because people’s awareness was raised,” she says.
Akinrinade takes a hands-on approach to measuring privacy education and training by making unannounced on-site visits toting a camera and a notepad.
“I call it reality therapy, actually,” Akinrinade says. “Once I show up and I’m walking around and taking pictures, I know the usual areas to look out for; I’m looking at how many files are on their desk; if someone has gone to lunch, if they have files on their desk.”
Following the check-in, Akinrinade gives a PowerPoint presentation using the pictures he’s taken.
“That’s been very effective, because sometimes you think, ‘I’m compliant with everything,’ but suddenly you see a picture of your desk and you notice that’s something that shouldn’t be there,” he says.