I’ve been working with an organization these past few months that has asked me to do some serious looking under the hood. We are evaluating the overall effectiveness of their privacy management program, and we’re using a combination of a custom-made audit tool and CICA’s tool based on their Generally Accepted Privacy Practices.
So far, the exercise has been insightful for the organization, and they are clearly going to be able to bring their program to the next maturity level, having identified where they need to improve.
One thing that pops up all the time when performing these exercises is the degree to which an organization can deploy adequate privacy training for their employees. For sure, any organization that deals with personal information is obliged in Canada to have adequately trained employees. But what does that mean, exactly? What is an "adequately" trained employee?
And, while many organizations are starting to see the value in training employees, there is also a recognition that there are already myriad topics that employees need to learn about. Privacy is still the new kid on the block. I guess that is why there is still some reluctance among organizations to invest properly in privacy training, despite the fact that I see it referenced over and over again in regulator decisions and recommendations. I think some business and government leaders are still unsure as to whether or not this privacy thing is a fad, versus a new reality that needs to be built into training programs if it isn’t already.
How about you? Does your organization pay enough attention to training its employees about data protection? If not, what is stopping them? I’d love to hear your thoughts on this.
Have a great weekend.