Increasing privacy awareness
The most common cause of privacy breaches is human error: losing an unencrypted laptop or USB drive, sharing or disclosing passwords, or sending a mass email with every recipient in the To or Cc field rather than Bcc, so that all addresses are visible to everyone on the list. Privacy training helps avoid these errors by ensuring that employees understand their roles and obligations under applicable laws and policies. Beyond being good practice, privacy training is now required by law in many countries. Data-driven organizations also need to consider role-specific privacy training carefully to ensure that personal data is processed lawfully. A comprehensive training program should include:
- General privacy training for all employees;
- Role-specific training; and
- Regular training updates.
General privacy training
General privacy training should be mandatory for all employees. At a minimum, it should ensure employees are aware that laws govern the collection, use, storage and disclosure of personal information, and that failure to comply can have consequences for both the individual and the organization. It should cover the organization’s own privacy policies, including where to find them and whom to contact for guidance. Employees should be coached on how to recognize and respond to privacy inquiries, complaints and access requests, including how and when to escalate them to the person(s) within the organization responsible for privacy compliance. Finally, privacy training must ensure all employees know how and when to report actual or suspected privacy incidents; an unreported lost device or misaddressed email cannot be contained.
Role-specific privacy training
Training all employees on general legal privacy principles is a start. Targeted, role-specific privacy training for relevant employee groups is where forward-thinking organizations can gain a competitive advantage. For example:
Information Technology – Security will be the main focus of training for IT staff. They need to understand the legal requirement to implement technical security measures appropriate to the sensitivity of the information they handle (encrypting portable devices that hold personal data is one direct answer to the first error listed above), so that they can help the organization meet its legal obligations.
Marketing – Training for marketing employees should address the consent requirements that apply to using personal information for marketing purposes, including the requirement to obtain fresh consent before using such information for a new purpose. Marketing employees should also be kept informed of legal developments applicable to their function, such as anti-spam legislation. Employees who regularly build data-driven campaigns also need to recognize when to seek guidance on privacy issues.
Regular training updates
Privacy law is developing rapidly worldwide. Organizations are rarely static either: the way they collect, use and disclose personal information changes over time. Employees should therefore receive training on any new requirements or restrictions arising from legal, organizational or policy changes, so that every employee remains thoroughly coached in privacy protection and understands how it applies to their day-to-day responsibilities.
To hear how we can help raise your employees’ privacy awareness and skills, get in touch.