Privacy Perspectives | Putting Privacy In Your Organization's DNA


“Ethics cannot be taught in a business school. It has to be a part of the DNA.”

The above quote came from David Wilson, president and CEO of the Graduate Management Admission Council (GMAC), the organization that owns and administers the GMAT exam that is used globally for entry into graduate business schools. (Disclosure: I’m the CPO of this organization).

Now, let’s take the statement above and exchange the word ‘ethics’ for ‘privacy’, so it now reads ‘Privacy cannot be taught in a business. It has to be part of your organization’s DNA’ (OK, I tweaked it a bit to make my point). How much time, effort and resources do we all spend on staff training? And yet, we still see many of the same mistakes get repeated. Not that most people try to be malicious; most employees are trying to get their jobs done efficiently, and if our privacy or security controls get in the way and make that more difficult, people will find a way to circumvent our work. Even employees of government agencies holding very confidential and sensitive data are not immune to breaking the rules in the name of efficiency.

So how might we change an organization’s privacy culture and DNA?

Perhaps it’s time that we start looking at our communication to our users with a more critical eye. Is our training geared more towards meeting a corporate metric than towards really understanding what our users’ needs and pain points are, and looking for ways to address them? Am I suggesting that we just give up and stop training? Not at all!

In past years, our privacy training talked about the need to protect data, our privacy policy and all sorts of interesting (at least, to us) stuff, but the rate of mistakes and questions from users didn’t change much, if at all. We then started taking a very critical look at every communication that we deliver, from the annual required trainings to our Intranet postings, and made some changes.

First, our training is now shorter than in the past. We took out everything other than what we felt were the basics that an employee needs. Then, we created custom modules that we deliver only to those people in specific areas who need to know the additional material. Similar to the CIPP methodology, where everyone takes the foundation exam and then adds a specific module based on their individual needs, we first created a specific section that is only delivered to our technology staff. We then created content specific to the needs of our non-U.S. employees. The Intranet posts now cover both items that matter to protecting the organization’s data and topics that might impact individuals in their personal lives, as a way to keep the content fresh and relevant and to make privacy sensitivity part of each person’s DNA.

Are you doing anything in your training that is unique and you can share with others? If so, please show off what you are doing in the comments below.
