Privacy awareness training educates an organization’s workforce about the way that the organization protects privacy and the workforce’s role in this endeavor. In this post, I explain what privacy awareness training should include. Privacy awareness training typically covers the following things:
(1) Importance of Protecting Privacy
A key component of privacy awareness training involves teaching people why they should care about protecting privacy. If people don’t care, they won’t pay attention and won’t change their behavior. People need to understand why privacy matters and the concrete implications that violations of privacy can have on individuals, on the organization, and on the workforce members involved in a violation. People pay a lot more attention when they are told why they should be paying attention.
Privacy training should address the following issues:
- Why should people care about privacy?
- Why is privacy valued by the organization?
- What are the consequences of failures to protect privacy to customers, clients, and colleagues?
- What are the consequences to the organization?
- What are the consequences to the individual(s) involved in the failure?
(2) Definition of Personal Data
The workforce needs to know what type of data is covered, as not all data that an organization possesses involves privacy. People must learn roughly how to identify personal data and sensitive data. A challenge here is that the GDPR has a definition of personal data that is different from how U.S. law defines it. U.S. law defines it in many different ways. Most global organizations follow the GDPR definition of personal data, so this is the definition they use in their training.
A key point that should be made in the training is that it isn’t possible to provide a comprehensive list of all personal data. Data that alone is not identified to a particular person can be combined with other data and become identified to that person. People should understand that a lot of data that they might not think is personal data can, in fact, be personal data.
(3) Individual Rights
A central part of privacy awareness training consists of teaching the workforce about the privacy rights that organizations provide to individuals. Many of these rights are mandated by various laws, such as the GDPR and the CCPA. There are circumstances where organizations might provide rights to individuals that are mandated by laws that the organization isn’t regulated by or that are promised to individuals because organizations want to go beyond the law. Privacy awareness training should also discuss how individuals exercise their rights.
Even if certain employees are not involved in handling individual rights issues, they ought to understand the basics about the rights that organizations provide. As part of a culture of respecting privacy, all employees should know about what the organization is doing with regard to protecting privacy.
Employees need to be taught what they should know about how an organization handles its responsibilities for protecting data as well as their role in the process. What should people know about the way the organization handles privacy? What should people do in their jobs to protect data?
(5) When to Contact the Privacy Office
People should be made aware that the privacy office is available to help, answer questions, and provide guidance. People don’t need to become experts on privacy law. Instead, they should learn when to consult with the privacy office. People need to know enough in order to have questions or to ask the right questions.
* * * *
At many organizations, privacy awareness training is the privacy office’s primary opportunity to share its message with the workforce. The workforce must know about privacy if the organization is to have a robust culture of protecting privacy.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.