Executing a Privacy Training Program For Employees and Customers

by Justin Luebke

Well-executed privacy programs begin at the top. Executive buy-in is essential for an effective program that demands cooperation from all business units of an organization. Yet even once an organization has convinced the C-suite of the importance of privacy training, many companies struggle with implementation.

Let’s take a look at key areas a privacy training program for employees and customers should include.

Train your Workforce: Privacy Awareness

1. Start with “why”

It’s important when training employees on any subject to start with the “why.” Provide information on the threats to personal data and recent breaches to show the value and importance of protecting personal information.

2. Talk about personal information types

Inform employees about the different types of personal information that the business collects and who should and should not have access to it. This training may be role-based, as not all employees have access to personal information, but all employees should know what to do if personal data falls into their hands.

3. Educate on privacy regulations

Educate employees on privacy regulations, or the privacy aspects of regulations, that impact the business. For example, financial institutions should educate their employees on the Gramm-Leach-Bliley Act, and businesses that collect information on California residents should educate their team on the California Consumer Privacy Act.

4. Discuss company policies and best practices

Provide training on the company’s policies and best practices for handling personal information, such as how to encrypt files and “clean desk” practices. Arming employees with knowledge is the best defense.

5. Train on cyberattacks

Cyberattacks, especially social engineering attacks such as phishing, spear phishing, and pretexting, are very common. Training on these methods of illegally obtaining personal information teaches your employees to recognize threats and malicious actors.

6. Create a response plan

Think carefully about a response plan to handle data incidents. This should include a step-by-step process on what to do if an employee believes personal data has been mishandled and a potential incident has occurred. In this step, it’s important to strike a balance so that employees feel comfortable enough to report a potential incident without fearing that they will be disciplined for doing so.

Train your Customer: Consumer Privacy Awareness

Some privacy and data protection regulations require organizations to provide privacy and data protection information resources on their consumer-facing websites. Other resources are optional but can provide consumers with a positive experience by knowing that their personal information is safe from exposure and breaches.

A privacy policy on an organization’s website should be easily accessible and understandable. This policy should be written in plain language and located in a clear position on the website. These are just two (of many) of the GDPR requirements for organizational privacy policies.

Other resources that may not be required by regulation may help customers understand their privacy rights or further understand the privacy policy. This can be accomplished through informational videos or blogs about privacy, personal data, data protection, breaches, etc.

Even using a “Frequently Asked Questions” section on a website to dissect the privacy policy may provide consumers with a different platform to receive privacy information.

Consumer privacy awareness can be difficult, as the consumer must be willing and want to learn. However, by making privacy documentation publicly available, organizations can improve trust and consumer confidence.

Do You Have a Privacy Training Program?

If not, you should. Knowledge is power! Understanding the concepts of personal information and privacy gives consumers a better understanding of their rights and empowers employees to prevent potential breaches.

Caitlin Gruenberg
Risk & Security Analyst