
Privacy Perspectives | Are We Really Providing Optimum Privacy Training To Our Employees?


Over the past few months, I've had the opportunity to participate in a number of system and compliance training sessions. Some of these were online, while others were live, from large and small organizations across different industry sectors. In each one of these, I had no input as to the content or delivery, so it gave me the chance to look at this in a new light: that of one of our users.

I think most in our profession will agree that users are one of the biggest vulnerabilities. There are so many opportunities to cause a privacy incident (losing a mobile device or storage drive, phishing, downloading malicious code, social engineering; the list goes on). And people, especially our own employees, are both the first line of defense and a captive audience, being required, in many cases, to participate in company-sponsored training sessions.

From my very informal participation, I will say that overall, we are failing our users. Let’s look at some of the major issues.

Timing: Most of the training sessions were 45 minutes or longer. We can talk for days on the subject (in fact, we will spend three full days at the IAPP Global Privacy Summit on exactly this), but I can tell from my own interest and from watching others in live sessions that users are tuned out long before the speaker has stopped.

Regulations: Does a typical user really need to know about specific laws and regulations, like what Directive 95/46/EC means or any particular code number or statute? I don't think so.

Number of Training Items: I don’t claim to be an expert on educating adults, but asking someone to sit through seven to 10 items might be asking for too much.

Content Delivery: Most of the sessions in which I participated were passive. The users sat and listened to a live person, mostly reading PowerPoint slides, or clicked through screens full of text. Very little interaction was requested of them.

As a result of my observations, here are some of my recommendations:

Timing: Keep it short! I’m thinking 20- to 30-minute sessions tops, even if it means doing two sessions annually.

Regulations: Give the user context, especially how a regulation affects them in their daily jobs and how it matters to your organization. Why do we ask for express consent when collecting medical data, for example? Because laws around the world require it, and it could be embarrassing to the individual if that data were improperly disclosed. Plus, failing to get express consent could subject your company to fines and other regulatory sanctions. You're making the same point, but without having to name a specific regulation, e.g., HIPAA.

Number of Training Items: I suggest three training items—four at most. Beyond that, I believe people remember less, not more.

Content Delivery: We live in the Twitter and SMS generation. Anything longer than 140 or so characters gets lost. And with a constant stream of interruptions, can you really expect your users to stay tuned in to screens full of text? Make it interesting and interactive, and avoid going more than three to five minutes before the user has to participate.

Participating this way was a great experience, as it reminded me of what training looks like to a user. Sure, as trainers, we all have loads of information that we can't wait to tell people, but take a fresh look at your materials and try to see things the way your users might.
