Empowering privacy program through training and awareness

Why to train?

Regardless of the maturity level, the privacy program within the organisation does not exist in a vacuum. Instead, it is actually implemented and brought to live by its employees and third parties the organisation engages. This is why it is of utmost importance to make sure they understand what to do and how to react in different situations and in case of emergency. This is where properly arranged training and awareness campaigns should step in and have this issue solved.

In addition to this, a privacy manager should be realistic and not expect that employees would consider privacy matters important to the same degree as the privacy function itself considers them – just because employees normally put focus on the completion of their standard daily tasks and duties instead.

Therefore, it would be fair to say that a good training and awareness campaign should solve two issues – lack of knowledge and competence, lack of motivation. In other words, trainees should be equipped with sufficient knowledge, with a clear focus on privacy matters to be added to their daily routines.

Who to train?

First of all, internal employees and external consultants with a role similar to that of employees should undergo training. However, it would also be good practice to include the organisation’s data processors into the ‘training perimeter’, at least in respect of handling of information security incidents and data subject requests, since in those cases improper reaction from a data processor might lead to legal, financial and reputation implications for the organisation.

Employees within an organisation perform different roles. Some of them might face privacy aspects in their jobs very often (e.g., information security managers, HR staff), while others might not. It is unrealistic to expect every employee to be thoroughly trained on every aspect of privacy regulations, nor is it needed. For the majority of them, it is just enough to undergo ‘basic training’, since it is more important to just understand the key principles of compliance and the behavior that is expected of them.

For other employees, however, a role-based ‘deep-dive’ training is needed to cater for their needs. This might be the case when it comes to HR staff, marketing employees, members of incident response and customer service teams, since they work with personal data and privacy aspects to a greater extent and, therefore, need a more detailed understanding of what to do in different situations – e.g., how to investigate information security incidents, how to handle a data subject request received from an employee or a customer, or even how to properly implement information security measures to meet the legal requirements in the respective part.

How to train?

A good training program should combine different communication channels and ways of information delivery, both formal and informal.

When it comes ‘basic training’, different e-learning courses are widely used to train all employees (oftentimes – delivered as part of onboarding process, followed by “refreshing” training sessions conducted afterwards at predefined periods of time), that might be supplemented by, e.g., training webinars delivered from time to time to reinforce general compliance messages and outline desired behavioral outcomes.

Things normally look more complicated when it comes to role-based ‘deep-dive’ training. Simple e-learning course will not suffice here, since the employees need to obtain more detailed and profound knowledge, supplemented with respective hands-on experience. If you have a plan that is not tested, then you do not have a plan. This is why formal training methods (webinars, offline face-to-face training sessions) should be paired with table-top exercises and different ‘stress tests to ensure that obtained skills are tested’.

Further to the above, awareness also plays an important role. Of course, it goes hand-in-hand with training exercises, but it serves different purposes. While training is designed to educate employees in the applicable legal requirements, as well as in the organisation’s policies and procedures, awareness aims at reinforcing general privacy compliance messages through various reminders – advertisements, lobby video screens, handout materials, quizzes, posters, etc. The ultimate effect of the privacy training and awareness campaigns might be further strengthened if those are integrated with other campaigns conducted in the organisation (e.g., HR events).

To sum it up, the following training and awareness methods can be used:

• formal education – webinars, offline face-to-face training, etc. Those training sessions are normally recorded and documented;
• e-learning – either self-paced or live, different simulations can also be used;
• ‘road shows’ and department team meetings – this is an opportunity to provide different materials, pamphlets or other resources at booths or staff meetings to offer training opportunities to individuals;
• newsletters, posters and other materials delivered via emails, websites; print materials, and physical displays among other options;
• handouts containing tips and answering common questions;
• video teleconferencing – content is delivered through videos, it can be recorded live and then replayed;
• intranet pages, voicemail broadcasts.

To make training more effective, a privacy manager should consider materials of different nature and source. For example, lessons learned from high-profile data breaches, mistakes previously made in the company can become a good learning opportunity. Different gamification techniques and friendly competitions between employees might also facilitate the delivery of the training messages.

Records and metrics.

Keeping records of training and awareness programs, along with any corrective actions taken after training sessions, is indeed important. Metrics used to evaluate the effectiveness of these programs should not only just include the number of participants, but also demonstrate the process improvements resulting from the training.
For example, the effectiveness of training programs can be measured by linking them to other relevant metrics, such as a decrease in the number of information security incidents. If, for instance, the number of incidents resulting from human error does not decrease over time despite conducting training sessions, it may indicate a need to improve the current training program to address this issue.
More specifically, metrics for training and awareness programs may include the number of training opportunities provided by topic, the number of individuals who participated in training sessions or received awareness communications, the type of training method used (e.g. webinars, face-to-face, e-learning), the percentage of training completed, the results of quizzes or knowledge tests, and any changes in the number of privacy incidents reported or requests for additional training or consultation. This helps a privacy manager to keep track of the program in general and better understand where improvements and adjustments are needed.
Finally, proper keeping of those metrics and records may help an organisation to demonstrate compliance with accountability requirements.