For Year-Round Privacy Awareness, You’ll Need to Chop a Little Wood
When I was a boy, growing up outside Romeo, Michigan, my dad used to lead my brother and me out into the woods in back of our house to get firewood to help heat our house.
He’d identify a tree, line up where it should fall, cut a notch in one side, and then saw from the other.
Then CRASH! as we’d stand back and watch it fall.
What came next was hours of sawing the tree into sections, splitting it with a sledge and a splitting maul, then loading the split wood in the wagon behind our Gravely tractor and pulling it back to the woodshed. There the logs would sit and season for a year before we burned them.
Putting in the Hard Work for Privacy Training and Awareness
With so much of my time recently spent thinking about running privacy training and awareness programs, I started to see parallels with my days as a lumberjack-in-training.
There’s the ultimate goal: warming the house = creating a privacy-respecting culture.
But mostly, there’s chopping wood: the regular, day-in, day-out work of regularly communicating with people across the company about their role in protecting privacy.
Most jobs are like this: some high-minded goals, a few flashes of “exciting” work, and mostly a lot of execution, the things you need to do to meet your goals. Chopping wood. When you really do feel a sense of purpose and passion in your work, I’ve found, chopping wood brings its own kind of satisfaction.
I know I loved the feel of driving a wedge into a crack in the wood, then slamming it with the sledgehammer and watching the wood pop open. The hardest woods—for us, it was oak—provided the deepest satisfaction. And I know that when I’ve run training programs, I love it when people respond to some new content I helped create or talk positively about how seamless their training experience went.
I wrote earlier about the mindset needed to deliver on a year-round privacy training and awareness program, so this time I wanted to go over the ongoing work to make that program successful. Because make no mistake, your ability to run a successful privacy program will require you not just to fell the tree, but also to chop wood.
Here’s an overview of three big classes of work you’ll need to master to make it all work.
You’ll Need to Build or Buy Content
One of the biggest tasks you’ll encounter as you build or expand your privacy training and awareness program is the need for decent content that supports your goals and matches your company culture.
You’re going to need online training for sure, which is usually the foundation of any program, including the “once-a-year” approach you want to evolve from.
But to truly expand your program, you need to consider other types of content, such as:
- Videos: Short, focused videos scale well, they’re easy to deliver electronically, and it’s easy to measure views.
- Posters/Digital Signage: You can’t miss these if they’re in the right place, and they deliver short, action-oriented messages, but they’re impossible to track.
- Lunch-and-Learn Programs or “Classroom” Training: In-person training engages people directly and it’s easy to adapt to what your audience needs, but it’s difficult to scale.
- Job Aids: Practical, informative “cheat sheets” and other job aids really focus on tangible things people can apply to their work.
Don’t let this list limit you though. Why not try new things—like a chatbot that answers privacy questions on your internal messaging tool (something used by the privacy team at Microsoft)? If there are particular forms of communication that are well accepted in your organization, by all means use those.
The Right Content for the Right People
In the end, your goal should be to find the right content to help you meet your objectives. Those objectives will differ by job role, by the level of privacy expertise you hope people will develop, and also by the frequency with which you expect to deliver the content. Identifying who needs training, how much, and how frequently they’ll need it should help you identify the right type of content for each audience.
Let’s consider an example. If there are six people who need to be total pros on Privacy by Design, you’d probably send them to a class run by the IAPP. Similarly, if you’ve got a thousand widely dispersed people whom you want to consult a standard set of personal information definitions that you update frequently, a website would be better than a printed job aid.
To Build or Buy?
For each type of content you decide to go with, you’ll need to resolve the old “build vs buy” question.
There will be some content you’ll absolutely want to build yourself. If you want internal case study examples to share with small teams, for example, or if you need to explain a special application of your privacy principles for a specific work group and you don’t need to produce “high-end” content, you’ll likely find it better to build your own content.
But if you’re looking for “flagship” content—maybe your all-hands online privacy training, or a set of posters or videos that really carry your brand—you simply may not have the talent in-house to do the work, or you may not wish to re-invent a wheel that a vendor has already perfected.
If you decide to use internal resources to build your content, you’ll face one set of challenges:
- Finding subject matter experts and then getting their time and commitment
- Creating content in unfamiliar formats
- Managing the work of people in other parts of the organization, such as L&D or Internal Communications
There are plenty of talented privacy professionals who decide that it’s not worth their time to build content in-house, even though they could.
If you decide to use external resources, of course, you’ll have a different set of challenges:
- Reviewing and vetting vendors, all of whom will try to convince you that they’re perfect
- Choosing content that “fits” your organization, which means spending a good amount of time looking at vendor content
- Navigating your own internal procurement processes
- Managing the ongoing relationship with the vendors you choose
There’s no guaranteed right or wrong decision when it comes to build/buy. It’s all about you making the best decision for you, given your evaluation of your skills and time and budget.
You’ll Need to Deliver Content
Once you’ve managed to build and/or buy the content you need to meet all your objectives, you’ll quickly come up against the dual challenges of figuring out when and how to deliver this content to your users.
Keeping on Schedule
The “when” part begins with some straightforward calendar planning: spreading your deliverables across the calendar year with an eye to getting some spaced repetition on key messages while not overwhelming employees with too much privacy-related content.
In most companies, though, other considerations come into play: restrictions on the amount of “seat time” allowed for training, for example, or admonitions not to take time away from the sales team in the final month of any quarter. Consulting with the groups you’re expecting to train before you build out your calendar will help avoid collisions between your plans and theirs.
Actual conditions will vary depending on your organization, but one thing is true: a year-round program requires that you envision your plan spread across the year. (Winging it, in other words, isn’t going to work!)
Learning How to Manage Your LMS
The “how” part of delivering content in most organizations involves some work with a Learning Management System, or LMS. Though I’ve seen rare cases where an LMS team simply accepts the training you provide them and does the rest, in most cases you’re going to have to accept some or all of the responsibility for staging the content to the LMS, assigning it to the right people, and providing notifications and tracking.
In most cases, I’ve seen training teams build a relationship with the team that owns the LMS (and perhaps also with whoever controls the corporate calendar) to get the job done, but in smaller organizations, there’s a decent chance you’ll need to grapple with the maddening complexity of managing LMS delivery on your own.
Sadly, the tools available in the LMS market lag behind much other workplace software, and you may find yourself having to use an outdated, clunky tool. But even the best tools are complicated, requiring you to correctly navigate a blizzard of options for most online content delivery. (One of the reasons that MediaPRO has been a good partner to our customers is that we’ve learned how to use most LMSs.)
With luck, you won’t be the first to deliver training via your LMS, and thus won’t have to deal with the potential technical obstacles that can occur when you implement new technology. If you are the first, though, let me sing the praises of a good piloting program, where you test run content delivery to a small set of employees to flush out any technical bugs that might exist.
Of course, not all content gets delivered via an LMS, so there are other tools to master:
- Presentation tools like Zoom and Teams and Visme and Prezi and many more
- Video sharing tools like YouTube
- Mail and message distribution systems
For each, you may need to invite and manage guests, format content, etc. Someday, you may even invite guest speakers to come speak in person.
There are good reasons for using all these delivery formats—but they all have a cost associated with them that you’ll need to account for. Building in time in your calendar for the planning and testing of all types of content delivery will ensure that you won’t be caught, uh, chopping wood with a dull ax!
Mandatory or Voluntary?
One of the most complicated decisions you’ll make about delivering content is whether to make it voluntary or require it. This topic deserves an article of its own, but I’ll just say that the question is more difficult than you may first think.
Requiring training doesn’t mean that people will automatically take it, nor does making it voluntary mean that they won’t. I’ve seen cases where a voluntary program got higher completion rates (95%) than a mandatory program (<90%), and it was because of the quality of the content and the attitudes of those running the program. The successful voluntary program used short, entertaining content spread out over time and the privacy team was friendly and supportive. On the other hand, the failing mandatory program used overly long, dry content and the team tried to scold and bully employees into compliance. There are pros and cons for taking either approach that you’ll want to think through in advance.
You’ll Need to Figure Out Whether It’s Working
Assuming that you’ve got all the content and you’re getting the right people exposed to this content and training, you’ll certainly want to understand whether it’s been worth all the time and effort.
The beauty of an LMS is that it gathers data and allows you to quickly report on the numbers of people who have “consumed” the content you’ve delivered. I often think that people tolerate the complexity and occasional kludginess of the LMS because they really need the reporting.
I think it’s important not to be satisfied with mere completion data. Knowing that somebody spent X minutes in your course and passed an assessment that you intentionally made fairly easy is a pretty low bar. If your LMS can report assessment scores on a question-by-question level (most can), you can gather detailed data about what employees do and don’t know.
Completion and assessment data provides you with a good start on your overall reporting package, but it is inherently limited to what people know—not what they do.
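Completion rates and per-question results are easy to get wrong by hand, so here is an added example of the analysis described above. It is not code from the original article or from any LMS vendor: it assumes a hypothetical CSV export with one row per employee per question (a common but not universal layout), uses a constructed roster and sample export, and flags questions that a large share of employees missed. Those flagged questions are either a knowledge gap to address with follow-up content or a badly written question; the numbers alone will not tell you which.

```python
"""Per-question analysis of an LMS assessment export.

Added example, not the article's or any LMS vendor's code. It assumes a
hypothetical export with one row per employee per question; employees who
have not completed the course appear once with empty question columns.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical layout and data).
# Columns: employee_id, completed, question_id, correct (1 = right, 0 = wrong)
SAMPLE_EXPORT = """employee_id,completed,question_id,correct
e001,yes,Q1,1
e001,yes,Q2,1
e001,yes,Q3,0
e002,yes,Q1,1
e002,yes,Q2,0
e002,yes,Q3,0
e003,yes,Q1,1
e003,yes,Q2,1
e003,yes,Q3,0
e004,no,,
"""

# Constructed roster of everyone who was assigned the course. e005 never
# opened it, so it does not appear in the export at all.
ROSTER = {"e001", "e002", "e003", "e004", "e005"}


def parse_export(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "employee_id": row["employee_id"].strip(),
            "completed": row["completed"].strip().lower() == "yes",
            "question_id": row["question_id"].strip() or None,
            "correct": (row["correct"].strip() == "1") if row["correct"].strip() else None,
        })
    return rows


def completion_rate(rows, roster):
    """Fraction of the roster with a completed record.

    The roster, not the export, is the denominator: people who never opened
    the course are missing from the export and would otherwise be ignored.
    """
    done = {r["employee_id"] for r in rows if r["completed"]}
    return len(done & roster) / len(roster)


def per_question_miss_rate(rows):
    """Map question_id -> fraction of attempts answered incorrectly."""
    attempts = defaultdict(int)
    misses = defaultdict(int)
    for r in rows:
        if r["question_id"] is None or r["correct"] is None:
            continue  # incomplete employee, no answers to count
        attempts[r["question_id"]] += 1
        if not r["correct"]:
            misses[r["question_id"]] += 1
    return {q: misses[q] / attempts[q] for q in attempts}


def weak_questions(miss_rates, threshold=0.5):
    """Questions missed by at least `threshold` of those who answered."""
    return sorted(q for q, rate in miss_rates.items() if rate >= threshold)


def summarize(text=SAMPLE_EXPORT, roster=ROSTER, threshold=0.5):
    """One-call report combining completion and per-question results."""
    rows = parse_export(text)
    rates = per_question_miss_rate(rows)
    return {
        "completion_rate": completion_rate(rows, roster),
        "miss_rates": rates,
        "weak_questions": weak_questions(rates, threshold),
    }


if __name__ == "__main__":
    report = summarize()
    print(f"Completion: {report['completion_rate']:.0%}")
    for q, rate in sorted(report["miss_rates"].items()):
        print(f"  {q}: {rate:.0%} missed")
    print("Follow up on:", ", ".join(report["weak_questions"]) or "nothing")
```

The roster-based denominator is the important design choice: an LMS report that only counts people who appear in the export will overstate completion, because the people who never started are exactly the ones missing from it.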
Going Beyond Completion Rates
To really gauge training effectiveness, you’ll want to measure the desired outcomes and behaviors you’re trying to create. Here are some examples of behavioral indicators, counted rather than inferred from completions, that show whether your program is making an impact:
- Are you seeing successful use of privacy incident reporting mechanisms?
- Are people completing more privacy impact assessments?
- Are you seeing fewer incidents of improper data classification?
You may have additional capacity to measure real behavioral improvements, and I’m a big fan of combining these measures with the standard completion and view data to get a more complete picture of how you’re doing.
Finally, I think it’s important not to ignore how people feel about privacy—that is, to gather qualitative as well as quantitative measures. You may be able to pick up on this using attitudinal surveys, but you should also simply pay attention to the way people talk about and act related to data protection.
Is privacy by design a welcome component of the software development process, or does it cause groans? Do people really buy in to the importance of trust, or do they simply pay it lip service? In truly privacy-aware cultures, the importance of data protection begins to feel as intuitive and logical as the imperative to serve the customer or make a profit.
When you present your glowing year-end report to your executive team, you’ll have some nice charts showing progress, but you should also have some good stories that demonstrate your success.
When you combine the mindset needed to promote privacy with the logistical skills described in this article, you’ll have a formidable approach to running a year-round privacy program.
You’ll not only spot the trees in the forest that are ready for cutting, you’ll also bring them back to the woodshed to cure and warm the house in years ahead. And when you sit in front of the warm fire of a privacy-aware culture, you’ll see that all that chopping wood was worth it.