The data privacy threat landscape is evolving, and quickly.
Privacy professionals of all types must keep a constant vigil as bad actors find new ways to compromise sensitive data, innovative information practices challenge existing policies, and regulations shift and expand (think of the approaching General Data Protection Regulation, or GDPR).
While the stuff of nightmares for hard-working privacy professionals, ever-evolving privacy risks also represent a challenge for those responsible for educating an organization’s employees on sound privacy practices. Employees must be educated on the basic threats to privacy, in addition to being kept abreast of emerging privacy practices and changing regulations.
But how to go about this education? As with most things in life, there are more wrong ways to approach privacy awareness than there are right ways. So in honor of Data Privacy Day on Saturday, Jan. 28, we’re offering some of the practices we’ve seen work best for data privacy awareness programs:
Make it Relevant
Training content is more likely to bounce off a learner who doesn’t see it as relevant. Why would an employee who doesn’t handle sensitive records as part of her daily responsibilities care about records management training? Relevance is essential to learner motivation, and good training exhibits relevance on multiple fronts: it touches upon the practical aspects of the learners’ jobs, their perceived needs and goals, the organization’s culture, even the learners’ personal lives.
We call this a “role-based” approach to employee awareness content, and it’s one based on well-established adult learning principles. The benefits are many, including making sure only the most relevant content gets to the right employees and time saved not training employees on topics they don’t need to know. Less time spent training is always good for business!
Relevancy also feeds into the concept of pre-testing employees before they begin training. Pre-testing would remove content that will be boring to employees who already know the material. There’s no point in training someone on something they already know – it’s a waste of their time, and company time.
Make it Interactive
Most people learn best by doing. For privacy awareness, this could mean a number of different things. You can have sections within training that ask learners to complete a specific task, such as selecting which information on the screen is PII. Or, you could ask learners to sort records by dragging-and-dropping icons into the wastebasket or locked file cabinet.
Even if your training itself is not interactive, you can incorporate interactive elements in other ways: through a knowledge assessment or survey that includes sorting files or selecting correct privacy practices. Such an assessment may not be part of your training content, but instead more of a test or supplement to the main bulk of your training.
Training reinforcement, such as videos or games deployed after the initial training, is also a great way to incorporate interactive elements. This may be something like a game that helps remind employees about how and why to practice good privacy awareness skills.
Make it Engaging
This means don’t bore your employees! Bored employees aren’t learning much.
One way to do this is with microlearning modules. If possible, consider breaking up training into small bits that can be consumed over time. This is also a great model for reinforcing topics from long-form training that you may give at the beginning of the year, or at new employee orientation.
Using different types of content is another way to keep topics and training from becoming stagnant and uninteresting to learners. And, it allows you to meet learners where they may learn the best, whether in a newsletter article, through a video, or through a game.
This is your chance to have fun with your training and reinforcement. Now, not all cultures allow this, but we’ve seen great success with training that references pop culture. For example, we developed a gamified privacy awareness training course that imitated the Amazing Race reality show. Learners moved around a digital board and answered privacy-related questions.
When it comes down to it, an organization’s privacy procedures are only as good as the people who make sure those procedures are carried out. Make sure your employees know their stuff with a privacy awareness program that teaches, engages, and maybe even entertains.
Want to learn more about Data Privacy Day? Check out StaySafeOnline’s site for best practices and tips on safeguarding private data, both at home and at work.