As privacy professionals, we know how important it is to protect personal information and to build and maintain trust with consumers. In fact, if everyone were a privacy pro, business would likely look a lot different.
But let's face it, privacy isn't first and foremost in the minds of many colleagues working on other teams. This is why it's important to conduct privacy training in a way that resonates with each employee and consistently reminds them of their responsibilities related to data stewardship.
A successful privacy training program is essential for maintaining compliance — the California Consumer Privacy Act requires training for some employees — building trust and safeguarding data. And news flash, that once-a-year, 15-minute, out-of-the-box privacy training module — which, let's be honest, is often a security training titled privacy because many training providers don't really understand the difference — just isn't going to cut it.
General privacy training
To start, all employees need some level of privacy training. Even if they don't deal with personal information regularly, it's important that employees know what to do if and when they need to.
To determine what to include in a general privacy training, think about the who, what, why and how.
Who: Who needs to care about privacy and whose privacy do we care about? The answer to the first question, of course, is everybody. And the second … well, also everybody from employees to customers to anyone who visits your company's website.
What: What is privacy and what is personal information? It's important that employees understand privacy and how it differs from, but works with, information security. They also need to understand what it is we're protecting when we talk about privacy protections: personal information. This can be harder than it sounds.
How: Help trainees understand the organization's actions related to protecting privacy and the employee's role in the privacy ecosystem. This should include an overview of the privacy team's responsibilities, information on internal policies and procedures, and examples of when employees should give the privacy team a jingle — or Slack or email.
Why: Connect all the pieces together. Your organization may have ingrained values and ethics or a strong aversion to risk. It may deal with sensitive information that could have significant impact on individuals if misused. Whatever your privacy purpose, you want employees to know about it.
Role-based training
To get engaged learners, ensure the training you provide them is relevant to their regular activities. Not all employees have the same level of interaction with personal information.
For example, a customer support representative lives in your customer relationship management system all day and is constantly handling personal information, while a content writer may have very little interaction with personal data.
Roles may also interact with different categories or sensitivities of personal information, or they may interact with personal information in different ways. Training a content team should look a lot different than training customer support.
Privacy by design training
Certain roles will need process-level training on how to implement privacy obligations into workstreams. Privacy teams are notoriously under-resourced, so take advantage of any opportunity to distribute privacy work throughout business units — but of course, ensure they can do it right.
These could be employees who develop products, create processes and bring on new vendors. They are going to need to know how to do a privacy assessment and how to incorporate privacy record-keeping responsibilities, among others, into their processes, and they need to use the systems the privacy team has put in place. In short, privacy by design.
When an organization is creating an app that, for example, collects personal information, the developers need to consider privacy throughout its life cycle. They need to conduct a privacy impact assessment. They will need to know about the data inventory the privacy team has established so it can be updated with the new processing activities.
If a vendor is involved, they will need to assess that vendor for privacy and security protections and add them to the vendor inventory. And, of course, continue to monitor the vendor to ensure it complies with the contract.
Marketing is another example of a team that needs specific privacy by design training. Marketing collects and uses a lot of personal information to help create effective campaigns — online analytics, purchased lists, social media posts, purchase history, contact information and more.
They use third-party tools and technologies to do a lot of these things. It's important to build privacy into these initiatives from ideation all the way to sunsetting the program, including privacy impact assessments, ensuring opt-outs are respected and scrubbing personal information against do-not-call lists. Privacy training can help ensure those things happen.
Instead of the once-a-year, 15-minute privacy module, which is sorely inadequate, employees should see regular privacy reminders. Supplement your yearly training with tips and FAQs in the form of posters, contests, lunch and learns, games, short videos from leaders, and more.
Take advantage of opportunities like Data Privacy Day and Cybersecurity Awareness Month to make a big deal of protecting information. And then, on a more consistent basis, meet employees where they are. Do you have a company newsletter? An intranet splash page? Do people convene in the kitchen? Have an elevator? Stick a poster in it. Find ways to inject a little privacy into things employees are already doing and seeing.
Connecting employees' privacy responsibilities to their own personal information can also make a big difference. A tip or two related to how they access or protect their own personal information on personal banking sites and in email systems or how to manage their personal data in apps can help them understand how important their information is and, in turn, why it is so important to uphold their responsibilities over other individuals' information.
When you know better, you do better
The goal of privacy training isn't necessarily to make everyone a privacy expert. The main goal is to raise awareness to a level where employees are better issue spotters. They know what personal information is and that there are rules around it. And they know how to come find you.
Effective privacy training targets the right people with the right information, regularly and where they are. If you're one of the lucky ones whose CEO thinks privacy is as important as you do, leverage that. Employees have a tendency to pay a little more attention, call out questionable practices more often and bring the privacy team into more conversations when they hear the "big boss" cares.
Jodi Daniels, CIPP/US, is the founder and CEO of Red Clover Advisors.