Why Your Privacy Training Should Hit the Spirit, Not the Letter, of the Law

When it comes to creating privacy training, it’s better to follow the spirit, not the letter of the law. Read more for advice on doing just that.

For many of my hikes in the nearby mountains, I leave the marked trail and scramble to the summit, following route descriptions written by fellow mountaineers and shared on websites.

What I realized the other day is that when it comes to route descriptions and privacy training, I’m a big believer in following the spirit, not the letter, of the law.

Let me explain.

2 Routes to Choose From

I was digging for intel on a summit I was planning to scramble. Like many of the hikes I do, it started on a trail, but at some point veered off the maintained trail to trace a path to the summit.

Scrambles tend to be direct, steep, and VERY lightly trafficked. Gathering good intel on the route can be the difference between a straightforward day in the mountains or a frustrating and even scary adventure among rocky gullies and steep cliffs (oh yeah, I’ve got stories).

Now, route descriptions come in many “styles,” just like privacy training.

Some of them are impossibly vague: “Keep just to the right of the cliff until the path reveals itself.” Others are super precise: “In 3.35 miles, keep bearing NNE around a band of granite.”

Privacy training can be like this too.

On the one hand, there’s the three-minute privacy video that says privacy is important and we should do all we can to protect it.

On the other, there’s the overlong course that quotes directly from privacy laws—like this beauty, GDPR Article 19: “The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.”—and then requires employees to also read and certify that they accept the company’s privacy policy.

The Perils of Following the Letter of the Law

When it came to the summit where I had my aha moment, I (uncharacteristically) chose to follow the route description that adhered to the “letter of the law” with its precise mile markers and elevations to indicate the way.

“At 0.3 miles, the trail departs to the right just after a shallow trench,” for example. Or: “At 1.3 miles, after about 1400 vertical feet of climbing, the forest canopy opens into an apparent slot.”

Do you see the problem? We sure did! Our ability to follow this description was only good if our tracking devices matched his exactly—and they didn’t.

At 0.3 miles, my partner’s watch and mine were close (within 0.05 miles), but as we went on, the imprecision of our trackers became clear. My watch said we’d gone 1.3 miles; Sara’s said 1.15. Our elevation gain readings were closer, but didn’t match the description. And it got worse with time. We started spending so much time kibitzing over which measure was right, arguing over the “letter of the law,” that we kept forgetting to look around and dig the beauty.

Privacy training can be like that too. It can get filled with impossibly precise definitions of terms that regular people—non-lawyers who don’t spend their time poring over legal documents—simply don’t know how to make heads or tails of.

Take that GDPR example above. Do you think that most people would know how to interpret what “disproportionate effort” means? And would they all agree? Or, would they spend a lot of time bickering over whether their effort was disproportionate before throwing up their hands and moving on?

Getting Into the Spirit of Things

Two miles into our hike, we finally agreed that trying to follow this precise guidance no longer made any sense, and we began to pay more attention to the landscape and the major features.

Clearly, that saddle up ahead was the one we had to reach before heading left up the ridge. Obviously, this was the false summit—it had the flat top so clearly described.

The moment we started paying attention to the spirit of the hike and not the letter of the route description, to the major features and unmistakable landmarks, everything about the hike got better.

You Can Make Your Privacy Training Incredibly Detailed and Precise…

As someone involved in creating privacy training at your organization, you’ve got a choice to make in how you construct your training.

You can follow the letter of the law.

You can make your training incredibly detailed.

You can reference the regulations chapter and verse, using the exact terminology favored by regulators and legislators.

After all, this is what you, the privacy professional, work with as you create policies and procedures. How could you possibly be criticized for being precise?

But the risks are that you will lose your employees, who will throw up their hands in confusion (or boredom) at the profusion of detail. Or, they’ll become so enmeshed in trying to sort out the nuances that they will lose sight of the objective: handling personal information in ways that build trust and ensure compliance.

Or Take a Principles-based Approach to Privacy Training

Or, you can follow the spirit of the law. You can center your privacy training on some broad privacy principles, and provide vivid, realistic examples of how those principles work in your company.

You can trace a route to protecting data that is simple and straightforward for people to follow, and you can provide opportunities for people to consult with privacy experts when that expertise is needed.

Let me be clear: when you build a privacy training program based on the spirit of the law, you WILL sacrifice detail. But the detail you’re sacrificing is not detail that people can use. For most of your employees, it’s noise and it disrupts and diminishes their ability to focus on the things that matter most in their jobs.

When it comes to privacy training, you’re not trying to make your employees experts in the letter of the law. They’re not going to become lawyers. You’re trying to get them to adopt and apply broad principles, and to turn to you and your team when they need help sorting out the details. You’re trying to build a privacy-aware culture.

So build privacy training that follows the spirit and not the letter of the law. It’s the best route to the summit.


Check out more content from Tom Pendergast on his blog Confessions of an Awareness Nerd.