This year, all the world is paying attention to the coming of the California Consumer Privacy Act (CCPA) in January of 2020.
Some are waiting to see how lawmakers will amend the act under mounting corporate and public pressure. Others are speculating that these same pressures will finally prompt action at the federal level. And others still are watching new laws pop up in their own states (true here in Washington state).
Déjà Vu All Over Again
If you’re like me, you’re getting a strong feeling of déjà vu: wasn’t it just yesterday that we were all wringing our hands as the GDPR deadline loomed and industry surveys decried the lack of preparedness? Enter a recent TrustArc (formerly TRUSTe) report finding that 86% of U.S. privacy professionals described compliance with CCPA as a “work-in-progress” with a little less than a year before the January 1, 2020 CCPA deadline. Sound familiar?
Amidst all this speculation, worrying, and waiting, privacy professionals in businesses across the U.S. are preparing policies and practices for a new privacy regime, however the details turn out.
But there is one element of a privacy program that need not wait and in fact should not wait. If you or your company want to get out in front of increasing pressures to respect and protect consumer and employee data, the time to start your privacy awareness and training program is now. Today. Here’s how:
Focus on the Basics
Whether you are seeking to comply with the CCPA, the GDPR, or some other existing or future privacy law, there are some fundamentals that unite all data protection programs. The training program that you provide to all your employees should focus right in on these fundamentals.
Knowing how to identify personal information is at the heart of any privacy program, and you can begin communicating and drilling on the key attributes of this information right away, using posters, videos, job aids, etc. We just happen to have a free privacy awareness toolkit packed with resources to help you get there.
Knowing when and exactly how to report any potential problems with breaches of personal data is another key element of a program. Building on these basics, you can layer on the core privacy principles associated with notifying data subjects of how you’re using their data and their rights with respect to that data.
We’re talking about helping your employees build up a basic grammar around privacy protection, a set of mental models that enable people to easily add on any future details or complications that emerge with the various privacy regulations that will come. After all, once your employees totally master an idea like “if it’s about a person, it’s personal information,” it’s just a small leap for them to understand that things like biometrics, IP addresses, or geolocation are also personal information.
Mix Your Messages
To be clear: I’m not talking about sending mixed messages! You want to be completely consistent about the importance of building customer trust through rigorous data protection. In our data-fueled world, there is rarely a time or a business scenario where being cognizant of privacy protection doesn’t matter quite a lot.
But it’s precisely because data protection matters everywhere and always that you should communicate your core values about data protection in a variety of formats, tones, and settings. Data protection is a serious business, and there’s a great case to be made for serious, somber treatments. After all, the personal and business harms associated with a data breach are quite real.
But the daily habits and practices that employees use to protect data needn’t be treated with high seriousness: there’s ample room to use humor and wit to lodge your privacy messages deep inside your employees’ psyches.
Similarly, using a variety of formats will also help land your message in people’s minds. After all, some of us really respond to video and tune out posters, while others read a newsletter message while completely ignoring the company intranet. You’ve got to get the word out in every medium you have at your disposal if you want to stand the greatest chance of building a privacy-aware culture.
Anyone who has raised or worked around children knows that you have to repeat something multiple times before it sinks in.
Well guess what? The same is true for adults, especially adults who are busy doing their jobs.
If you want all your employees to know and follow good data protection practices, it’s important that you repeat the key elements of your program again and again and again. And then again. After all, an employee may have been on vacation the first time you described your breach notification protocols, then buried under a tight deadline the second time you covered the same topic. It wasn’t until your third communication—that goofy video you sent around on Slack—that they paid attention and recognized the value of knowing this information.
Learning is like that, especially when you’re learning stuff that maybe isn’t inherently intriguing or directly related to your job: you’ve often got to see the content multiple times before you start to embed it into your model of how you’ll work.
Get Started Now!
Maybe you’re waiting until the CCPA law is amended to build your own training, or maybe (like our customers) you’re waiting for your preferred vendor to put the finishing touches on the privacy training you expect to use. (Come see us at IAPP May 2-3 at booth #415 for a look.)
But that doesn’t mean you can’t get started right now, today, on communicating about privacy. It’s easy to sometimes put too much emphasis on training, thinking that one good training course—especially a mandatory training course—is going to accomplish your objectives. But companies with truly privacy-aware cultures know that a privacy awareness program is always on and always active.
MediaPRO’s Privacy Awareness TrainingPack includes our full suite of privacy awareness training courses, plus lessons on a variety of privacy regulations. Speak to an expert to learn more about our privacy training and other offerings.