The Case for Data Privacy Week 2021: Your Questions Answered
This article is co-published on the blog of the National Cyber Security Alliance.
The writing is on the wall when it comes to data privacy.
More people are paying attention to it. More countries are passing laws to address the concerns of their citizens.
So when it comes to recognizing the importance of data privacy, many experts agree a single day is not enough.
That’s why leaders at the National Cyber Security Alliance (NCSA) and others have started the drumbeat for a full week dedicated to data privacy in 2021.
Toward a Data Privacy Week
Part of this effort is an expert panel discussion co-organized between MediaPRO, the NCSA, and the International Association of Privacy Professionals (IAPP) featuring NCSA Executive Director Kelvin Coleman, Uber Chief Privacy Officer Ruby Zefo, CIPP/US, CIPM, FIP, and MediaPRO Chief Strategist Lisa Plaggemier.
The live panel discussion has come and gone, but we’ve taken some of the best questions the audience had to ask and reproduced them here to keep the Data Privacy Week drumbeat going. Read on for advice on spreading the good word about data privacy, how to tackle a weeklong initiative, and more.
Q: What does it mean to “celebrate” privacy or cybersecurity? How does this relate to ongoing work in these areas?
A: For Uber and many others, Data Privacy Day is a day or week dedicated to increasing awareness about the importance of respecting privacy, safeguarding data, and enabling trust. For privacy and cybersecurity pros and everyone who bears a shared responsibility for privacy and cybersecurity, we work on improvements in these areas all year long. But we can’t do it alone, and celebrating Data Privacy Day/Week, or Cybersecurity Awareness Month, are simply opportunities to provide awareness activities, education, practical tips, and fun for those people who don’t make it their focus all year long.
In the past, my teams have created or offered special internal and external activities to celebrate, including: speakers on various relevant topics; an internal virtual conference with different rooms, recordings, and live Q&A; internal signage (including “learning on the loo” in the restrooms); and IAPP privacy training and certification for our business unit privacy champions. Celebrating data privacy with these activities for a day or week supports and reinforces our privacy principles and our culture amongst the broader employee population, and offers insights to people outside the company as well.
-Ruby Zefo, Chief Privacy Officer, Uber
Q: Is there a significant difference between protecting personal privacy versus protecting the privacy of customer/consumer data in the corporate world?
A: The short answer here is no, at least for the majority of employees. Sensitive data is sensitive data, no matter if it belongs to your customers or your employees. When educating your employees on your own data privacy requirements, I like using a “golden rule” approach. That is, tell your employees to treat the data they handle as part of their job the same way they’d want their own data treated. This personal approach makes privacy more “real” and less theoretical. You don’t need your employees to know the letter of the law. You want them to take a principles-based approach to data privacy that they can use both at work and at home.
Of course, there are employees who need to parse the differences between employee and customer data—I immediately think of folks in HR and marketing—but you can help them go deeper on the differences with role-based training.
–Lisa Plaggemier, Chief Strategist, MediaPRO, and Tom Pendergast, Chief Learning Officer, MediaPRO
Q: What recommendations or best practices can you offer to assist with socializing and promoting material across Data Privacy Week, especially in a virtual environment?
A: First, know your audience. Are they already interested in learning more about privacy, or do you need to start by generating interest? This is a gap in a lot of programs – we assume people are interested because we ourselves find this stuff so dang interesting. Second, be ready to spread content out across multiple channels. Email, internal social media or messaging apps like Slack, Zoom meetings; these tools should all be used to hit slightly different angles on basically the same topic (data privacy). Third, think of your campaign in terms of the classic sales funnel. Some employees will simply be less interested than others. They’re at the top of the funnel, and the quickest, flashiest content should be included for them.
Your mid-funnel is those who are generally interested but might need some help applying data privacy practices in their lives and to their jobs. Include content with a personal touch; anecdotes about an experience you might have had with personal data being exposed and what you learned from it.
For the most engaged, the ones at the “bottom” of the funnel ready to change their behavior, give them tactics. This could mean a guide for setting up a company-approved password manager, or how to update their privacy settings on the most popular social media apps. Consider setting a day of the week aside for each of these types of content, with bookends that first introduce then summarize the general principles you’re trying to convey.
–Lisa Plaggemier, Chief Strategist, MediaPRO
Q: Many of our internal teams are aware of “security” and they think if they do cybersecurity training that that “covers” privacy. How do you help distinguish between the two areas, which are related, but separate?
A: To the “average” employee, cybersecurity and data privacy are so related that practical differences don’t really exist. Why should we avoid clicking on phishing emails? So private data doesn’t get exposed. Why should we avoid sharing too much information online? So it can’t be used to trick us with phishing emails. The two topics are two sides of the same coin in many instances. For the “experts” out there, however, the differences are night and day. The risks are different. The bad guys are different. The sweet spot to hit is training and awareness messages that share the common theme of risk reduction. Teaching specific tactics, whether they be knowing the signs of phishing emails or recognizing and respecting personal information, will allow employees to achieve the desired behaviors in both spheres.
– Tom Pendergast, Chief Learning Officer, MediaPRO
Q: In 2021 do you (the NCSA) plan to put more of a focus on privacy for a remote workforce?
A: The short answer to this question is a resounding “yes.” I think before we understood the true impact of the pandemic on the world economy, most people figured the global transition to remote work would be temporary. That proved false. As the permanence of distributed workforces became clearer, we adjusted our narrative to discuss the repercussions of this change and the oversight of business leaders to ensure that privacy protections were top-of-mind throughout the transition.
In 2021, we’ll be dedicating even more resources to amplifying awareness initiatives around privacy and remote work infrastructures. Our content, campaigns and resources will all reflect the ways that remote workers can better own their data regardless of where they’re working. Our focus will also highlight the ways businesses can ensure that privacy is a keystone of company culture, IT policy and employee education – all of which are pivotal in ensuring more effective privacy for the workforce in the long term. NCSA is also working with Lisa Plaggemier (MediaPRO), Ruby Zefo (Uber) and others to expand our recognition of Data Privacy Day to Data Privacy Week! This will be a significant step in elevating this issue to more prominent exposure to people. Like it or not, remote work is here to stay. Businesses and employees will inevitably continue to grapple with work-from-home fatigue; complacency and carelessness can set in, resulting in potentially devastating consequences for privacy on business networks. It’s our mission to help people stay protected, prepared, and vigilant about privacy and data hygiene in 2021 and beyond.
-Kelvin Coleman, Executive Director, NCSA
Check out a recording of our Data Privacy Week webinar via the link below!
Toward a Data Privacy Week: Something We Can All Agree On
Join a panel of data privacy experts in a special IAPP on-demand web conference making the case for a full Data Privacy Week in 2021.