Privacy Awareness and Training

By Caitlin Gruenberg, Risk & Security Analyst

In the last few years, new privacy and data protection regulations have changed what businesses owe their employees and their consumers, and what consumers can expect from the businesses that collect their data.

What does this mean?

This means that businesses need to educate both their employees and their consumers about privacy and data protection, and about how the applicable regulations affect them.

While there are similarities between security awareness training and privacy awareness training, privacy awareness training is its own beast. In the United States, the content of privacy awareness training may vary by state, industry, or organization, depending on where the business operates and what personal information it collects.

All training should be applicable to the business, but let’s take a look at what privacy awareness and training should look like for businesses and consumers.

Business Privacy Awareness Training

1. Start With “Why”

First, it’s important when training employees on any subject to start with the “why.” Provide information on the threats to personal data and recent breaches to show the value and importance of protecting personal information.

2. Talk About Personal Information Types

Second, talk about the different types of personal information. Inform employees of the types of personal information the business collects, and who should and should not have access to each type. This training may be role-based, since not all employees have access to personal information, but every employee should know what to do if personal data falls into their hands.

3. Educate On Privacy Regulations

Third, educate employees on the privacy regulations, or the privacy aspects of broader regulations, that apply to the business. For financial institutions, educate on the Gramm-Leach-Bliley Act (GLBA); for businesses that collect information on California residents, educate on the impending California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020.

4. Discuss Company Policies and Best Practices

Fourth, provide training on the company’s policies and best practices for handling personal information, such as how to encrypt files that contain personal data and “clean desk” practices for paper records and unattended screens.

5. Create A Step-By-Step Process

Lastly, provide a step-by-step process for what to do if an employee believes personal data has been mishandled and a potential incident has occurred. Here it’s important to strike a balance: employees should feel comfortable enough to report a potential incident without fearing that they will be disciplined for doing so.

Related: CCPA and GDPR Compliance for IT Systems

Consumer Privacy Awareness

Some privacy and data protection regulations require organizations to provide privacy and data protection resources on their consumer-facing websites. Other resources are optional, but they give consumers a better experience by showing them how their personal information is collected, used, and protected from exposure and breaches.

A privacy policy on an organization’s website should be easily accessible and understandable. It should be written in plain language and placed in a clear, easy-to-find position on the website. These are just two (of many) of the GDPR requirements for organizational privacy policies.

Related: 6 Security Controls You Need For General Data Protection Regulation (GDPR)

Other resources that are not required by regulation may still help customers understand their privacy rights or the privacy policy itself. This can be done through informational videos or blog posts about privacy, personal data, data protection, breaches, and similar topics.

Even a “Frequently Asked Questions” section on the website that walks through the privacy policy gives consumers another way to receive privacy information.

Consumer privacy awareness can be difficult, because the consumer has to be willing to learn. However, by making privacy documentation publicly available and easy to understand, organizations can improve consumer trust and confidence.

Do You Have a Security Awareness and Privacy Training Program?

If not, you should. Knowledge is power! Understanding the concepts of personal information and privacy gives consumers a clearer picture of their rights and empowers employees to recognize, report, and prevent potential breaches.
