Privacy Awareness and Training

2018 has been quite a year for businesses and consumers regarding privacy and data protection. The General Data Protection Regulation (GDPR) became effective in May, the California Consumer Privacy Act (CCPA) was signed into law in June and amended in August, and now CEOs of Fortune 500 companies are calling for a federal privacy law.

What does this mean?

This means that businesses need to educate both their employees and their consumers about privacy and data protection, and about how these regulations affect each of them.

While there are similarities between security awareness training and privacy awareness training, privacy awareness training is its own beast. In the United States, privacy awareness training content may vary by state, industry, or organization, depending on where they do business and what they collect.

All training should be applicable to the business, but let’s take a look at what privacy awareness and training should look like for businesses and consumers.

Business Privacy Awareness Training

First, it’s important when training employees on any subject to start with the “why.” Provide information on the threats to personal data and recent breaches to show the value and importance of protecting personal information.

Second, talk about the different types of personal information. Inform employees of the types of personal information the business collects and who should and should not have access to it. This training may be role-based, as not all employees have access to personal information, but all employees should know what to do if personal data falls into their hands.

Third, educate employees on the privacy regulations, or the privacy aspects of regulations, that impact the business. For financial institutions, cover the Gramm-Leach-Bliley Act (GLBA); for businesses that collect information on California residents, cover the impending CCPA.

Fourth, provide training on the company’s policies and best practices for handling personal information, such as how to encrypt files and “clean desk” practices.

Lastly, provide a step-by-step process for what to do if an employee believes personal data has been mishandled and a potential incident has occurred. In this step, it is important that employees feel comfortable enough to report a potential incident rather than staying silent out of fear of being disciplined; a reporting process that people are afraid to use will not surface incidents early.

Consumer Privacy Awareness

Some privacy and data protection regulations require organizations to provide privacy and data protection information resources on their consumer-facing websites. Other resources are optional but can give consumers a positive experience by showing them how their personal information is handled and protected against exposure and breaches.

A privacy policy on an organization's website should be easily accessible and understandable. This policy should be written in plain language and located in a clear position on the website. These are just two (of many) of the GDPR's transparency requirements for organizational privacy policies.

Other resources that may not be required by a regulation may help customers understand their privacy rights or further understand the privacy policy. This can be accomplished through informational videos or blog posts about privacy, personal data, data protection, breaches, etc. Even a "Frequently Asked Questions" section on the website that dissects the privacy policy may give consumers a different platform for receiving privacy information.

Consumer privacy awareness can be difficult, as the consumer must be willing to learn. However, by making privacy documentation publicly available, organizations can improve trust and consumer confidence.

Do You Have a Privacy Awareness and Training Program?

If not, you should. Knowledge is power! Understanding the concepts of personal information and privacy gives consumers a better understanding of their rights and empowers employees to prevent potential breaches.

 

CAITLIN GRUENBERG,

LEAD PRIVACY ANALYST
