Privacy Awareness Training: What It Is and Why It’s Important
Get the low-down on the knowledge your employees need to protect sensitive data
What Is Data Privacy?
Data privacy is the practice of how data (sensitive or otherwise) is handled as it both makes its way to and flows through a company. It covers the way data is acquired (including the kinds of consent that data subjects give), handled, used, stored, and deleted.
Data privacy is sometimes conflated with data security or cybersecurity, which gets (unfairly) stereotyped as involving hooded cybercriminals in dark basements trolling for credit card numbers. The world of data privacy isn’t quite that dramatic, but it’s no less critical.
Think of it this way: If information security is about defending data against outside threats, privacy is about the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. Both security and privacy professionals have a big stake in protecting data.
Data privacy pertains to the governance of information (data) permissions, transparency, and regulation. These privacy issues affect all of us as consumers and individuals, but organizations need to be especially mindful of how they handle their own data and that of their customers because mishandling such data can erode trust and destroy brand reputation.
What Is Privacy Awareness Training?
Privacy awareness training involves providing education to your workforce on what the regulations are in your industry concerning private data, what your company policies are, and how to comply with both. The difference between data security and data privacy discussed above continues into the realm of training. The risks in the data privacy realm are different: proper data handling vs. cybercriminals looking to actively steal data, for example.
Perhaps the greatest difference is that privacy risks are created by the business as it handles personal information in the conduct of its work; such risks are voluntarily chosen, not imposed by an outside actor. They are the risks that arise when you put complicated work in the hands of fallible humans, and very often they involve questions of ethics and judgment that can be genuinely complicated. This makes privacy training about these risks all the more important.
That said, here are some of the basics to cover in privacy awareness training:
- How to classify data
- How to handle data of different types during the data lifecycle (including storage and destruction)
- The rights of data subjects
- The obligation to report incidents (within a specific time frame)
Another concept to include is broader in scope, but no less important. “Privacy by design” refers to the practices of specific departments—such as customer support or marketing—that handle or process private customer or consumer data. Business functions such as these need to build data protection principles into everything they do.
The approach to protecting and handling data differs from department to department, which means you might consider role-based privacy training. For example, your IT employees don’t need to know about safeguarding conversations with potential hires, but do need to be well-versed in preventing unauthorized data access and use. Similarly, your HR staff may not need much instruction on data transmission practices, but protecting sensitive employee information is exactly in their wheelhouse.
Overall, the goal of privacy training should not be to turn your employees into legal experts. Lawyers go to school for years and practice for many more to acquire the legal expertise they possess, especially in the data privacy realm.
The goal should be to ensure employees are able practitioners of simple, basic privacy principles regarding data consent, access, choice, handling, and use. You’ll waste your own time and that of your employees trying to get too deep into the minutia of whatever privacy regulation(s) your organization might fall under. Focusing on the spirit of the law, not the letter, will help your employees apply data privacy principles both within your organization and in their personal lives.
Download our privacy training guide to learn the nine critical topics for effective privacy training and awareness programs.Download Guide
Why Is Privacy Awareness Training Needed?
Data is big business in our connected world—really big.
Industry research continues to show that consumers are demanding more transparency and more control over their own data. One report found that 75% of consumers would boycott their favorite retailer it if failed to keep personal data safe, while seven in 10 said they want to deny businesses the ability to sell their data to third parties.
The surge of consumer privacy laws with 4-5-letter acronyms means governments around the world are taking notice. Put simply, companies no longer have the luxury to ignore data privacy concerns. Their financial wellbeing, from avoiding fines to keeping their customers happy, depends on it.
If you answer yes to any of the questions below, you should take a closer look into data privacy training and awareness:
What Are Some Privacy Training and Awareness Best Practices?
When it comes to delivering a good training program, it’s not just what you’re training about that matters. It’s also how you structure and deliver the training and other communications that makes a big difference between boring your employees and turning them into effective data defenders.
Here are some training strategies we’ve seen prove successful in engaging employees and leading to behavior change:
Engage Learners with Novelty and Variety
Let’s face it: the subject matter of data protection, records classification, and the like can be a little dry. A variety of laws and regulations mandate training in these areas, but this doesn’t mean creativity should fall by the wayside.
In fact, novel approaches to presenting information have been shown to make the learners more open to learning. We’ve seen multiple ways of introducing novelty and variety work in practice.
One way to do this is with microlearning. If possible, consider breaking up training into small bits that can be consumed over time. Using microlearning is also a great way to reinforce topics covered in long-form training that you may give annually, or to introduce ideas at new employee orientation.
Using different presentation methods for your content is another way to keep topics and training from becoming stagnant and uninteresting to learners. And, it allows you to meet learners where they may learn the best, whether in a newsletter article, with a video, or through a game.
There is no reason you and your employees can’t have fun with your training and reinforcement. We’ve seen great success with training that references pop culture. For example, we developed a gamified privacy awareness training course that imitated the Amazing Race reality show. Learners moved around a digital board and answered privacy-related questions.
Relevance Is Key
Learners are more likely to retain the training they’ve been exposed to if it’s relevant to what they see on a daily basis. Why would an employee who doesn’t handle sensitive records as part of her regular responsibilities care about records management training?
Relevance comes out in good training in multiple ways. It starts with being focused on the practical aspects of the learners’ jobs, their perceived needs and goals, the organization’s culture—even the learners’ personal lives.
We call this a “role-based” approach to privacy training. This approach takes a little more work up front, but it pays off when people in different jobs find the training relevant.
The benefits of relevant, role-based training are many. Such training feels fresh and focused, and you never waste time on training you don’t need. Time is saved by not training employees on topics they don’t need to know. Less time spent training is always good for business!
Teach Desired Behaviors by Example
People learn best through practice. Here are some examples addressing data privacy topics with interactive training content:
You can have sections within training that ask learners to complete a specific task, such as selecting which information on the screen is PII. Or, you can ask learners to sort records by dragging and dropping icons into the wastebasket or locked file cabinet.
Even if your training itself is not interactive, you can incorporate interactive elements in other ways: through a knowledge assessment or survey that includes sorting files or selecting correct privacy practices.
Knowledge assessments are important both for figuring out knowledge gaps in your employee base before training begins and for determining how successful training has been after the fact.
Recruit Data Privacy Champions
Strictly top-down, decrees-from-on-high training can quickly wear out its welcome among employees. Your people don’t always need to get privacy messages from the privacy people.
Practically speaking, the whole company will be better off if there are other people, in all areas of the company, who not only get the importance of privacy goals but then marry that understanding with real expertise in their particular area of the business.
These people are privacy champions. They will help carry the message far and wide in the company and report back when they think there are areas where you need to make a broader impact. From hosting department-specific “privacy days” to helping you report to higher ups on your program, privacy champions can act as force multipliers for your training and awareness initiative.
Call in the Reinforcements
Whether you call it “reinforcement” or the “awareness” side of your privacy training and awareness initiative, the supporting communications that occur outside of your primary training push are vital to a successful program.
Your reinforcement content is your chance to talk with humor, directness, and brevity about the privacy values, best practices, tips, and guidelines that matter most to you.
If you can boil down what you want from your employees to the very basics—for example, if what you most want is for people to err on the side of considering data private, or if you want to really encourage proactive incident reporting/breach notification—reinforcement is the perfect way to get out those messages in multiple, simple, repeated forms.
MediaPRO Chief Learning Officer Tom Pendergast explores some key best practices around aligning your corporate privacy culture with privacy laws.Watch Now
How Do I Know Privacy Awareness Training is Working?
We see two primary motivators behind tracking the effectiveness of your privacy training and awareness program:
- Meeting regulatory compliance requirements for training
- Demonstrating true culture change toward greater privacy awareness
In regulated industries, the ability to show training completion rates, to track incident reporting, and to identify breaches is often required. These measures are numbers-based and concrete and fold well into monthly or quarterly reporting to a board of directors.
The cultural angle, however, is a little more nebulous and therefore harder to track. In our experience, though, the more mature programs are moving beyond merely reporting compliance numbers and focusing on these cultural measures.
Below we’ll expand on a variety of measures useful for both tracking required compliance and culture change.
Training Completion Rates
Depending on your regulatory environment and contractual obligations, you may have to show compliance with employee training requirements. Your learning management system (LMS) should include employee training completion metrics and reporting, but compliance reporting can be more complicated than it seems at first glance.
You may have to answer questions such as: Are our contingent workers required to take the training and are they in my LMS? Is my LMS fully integrated with Active Directory or another “source of truth” for employee data, so that I can make sure new employees are being assigned the training and employees who have separated are not skewing the reporting?
Additionally, you should think about how best to report these figures for an audit or for presentation to executives and/or your board of directors. Executives will most likely want something relatively high level, while more detailed figures (such as reporting by country or division) might be needed for an auditor.
Monitoring Employee Data Privacy Behaviors (with IT’s Help)
Chances are that your IT or security department has tools in place to monitor employee behavior in the form of network event logs and data loss prevention. Data Loss Prevention (DLP) software is the one most likely used in a data privacy context.
DLP software monitors the transmission of sensitive information to make sure an employee doesn’t send it to unauthorized destinations, or send it unsecurely to legitimate recipients. Tools like DLP can serve as a gauge for determining what data needs protecting and which employee behaviors are putting your organization at risk.
Another method of measuring the efficacy of privacy training is tracking IT help desk tickets that relate to specific privacy issues, such as lost and stolen company devices, or requests for IT help with proper data disposal.
Work with your IT team to set baseline metrics prior to your training event. A few months after your initiative starts, check these numbers to see if the training and awareness initiatives have been effective, or if you need to make adjustments.
Privacy Incident Reporting
You likely have a process in place for employees to report data privacy incidents—hopefully before they became a full data breach. A few points you may want to consider as you raise privacy awareness in your organization:
- It is easy for your employees to report?
- Is the reporting mechanism (email, web form, phone) easy for them to find?
- Do you think employees feel comfortable reporting?
- Could a new employee who had no training easily navigate the reporting process?
Think about the process from a busy employee’s perspective and remove as much friction in the process as possible. It can be interesting to measure incident reporting frequency before and after efforts to educate employees and improve the reporting process. Keep in mind that an increase in reported incidents may not be a bad thing, if it means your employees have developed sharper eyes for questionable activity (not necessarily that more incidents are actually happening!).
Measuring something as nebulous as “engagement” might require some creativity. But demonstrating engagement is one of the best ways to show that your efforts have had a lasting impact on your company’s culture and have achieved behavior change beyond mere regulatory compliance.
Start with some metrics for your secondary awareness content; the stuff that’s not part of your required training. These metrics can include open and click rates for newsletter emails and view counts for videos deployed to reinforce specific topics. These will show how willing your people are to engage with your educational content voluntarily, demonstrate your successes, and point to where more work might be needed.
If you’ve recruited your own band of “Privacy Champions,” they can be used as canaries in the coal mine, so to speak, to gauge how far-reaching your training messaging has become. Ask them how well attended their own mini-privacy programs are, for example, or how often they get inquiries about data privacy topics.
Protecting a Company’s Information Is Everyone’s Job
In today’s data economy, more and more companies need to develop mature data handling practices, whether it’s to keep up with the rising tide of regulation across the globe or simply to maintain customer trust and a company reputation for good data handling practices.
These goals require every employee to be accountable to an organization’s data privacy practices.
Luckily, a good privacy training and awareness program—one that equips employees with a core understanding of universal privacy principles and how to apply them—will equip you to weather the shifting tides of regulation. A sound foundation using the tactics described above will put you well on your way to a privacy-aware corporate culture.
Explore the current state of employee knowledge in cybersecurity and data privacy with our 2020 State of Privacy and Security Awareness Report.
Keep security top of mind while your employees are working remotely with our free toolkit. No kidding. Really free.
This guide walks through the steps to take to establish a simulated phishing program and provides phishing program ideas.