Increasing Privacy Awareness
The most common cause of a privacy breach is human error: losing an unencrypted portable device, sharing or disclosing a password, or exposing every recipient's address in a mass email by placing all of them in the CC field. Privacy training helps avoid these errors by ensuring that employees understand their roles and obligations under applicable laws and company policies. In addition to being good practice, privacy training is now required by law in many countries. Data-driven organizations also need to carefully consider role-specific privacy training to ensure that personal data is processed lawfully. A comprehensive training program should include:
- General privacy training for all employees;
- Role-specific privacy training; and
- Regular privacy training updates.
General Privacy Training
General privacy training should be mandatory for all employees. At a minimum, this training should ensure that employees are aware that laws apply to the collection, use, storage and disclosure of personal information, and that failure to comply with those laws can have consequences for both the individual and the organization. It should provide information on the organization’s own privacy policies, including where to find those policies and whom employees can and should contact if they need guidance. Employees should be coached on how to recognize and respond to privacy inquiries, complaints and requests for access, including how and when to escalate such matters to the person(s) within the organization who are responsible for privacy compliance. Finally, privacy training must ensure that all employees know how and when to report actual or suspected privacy incidents.
Role-specific Privacy Training
Training all employees on general legal privacy principles is a start. Targeted, role-specific privacy training for relevant employee groups is an area where forward-thinking organizations can gain a competitive advantage. For example:
Information Technology – Security is the main focus of privacy training for information technology staff. They need to understand the legal requirement to implement technological security measures appropriate to the sensitivity of the information, so that they can help the organization comply with its legal obligations. Technology staff need to enable the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. Product managers and developers need to be aware that choices made early in product development have a major influence on how safely personal data is processed.
Sales and Marketing – Training for sales and marketing employees should address the consent requirements that apply to using personal information, including the requirement for fresh consent before using such information for new purposes. Marketing employees should also be kept informed of legal developments applicable to their function, such as anti-spam legislation. Employees who regularly build data-driven campaigns also need to understand when to seek guidance on privacy issues.
Regular Privacy Training Updates
Privacy law is developing rapidly worldwide. Organizations are rarely static, and the way they collect, use and disclose personal information changes over time. It is important that employees receive regular training on any new requirements or restrictions arising from legal, organizational or policy changes. This ensures that every employee is thoroughly coached in privacy protection and understands how it applies to their day-to-day responsibilities.
To hear how we can help raise your employees’ privacy awareness and skills, get in touch.