The GDPR is Coming: 3 Things for DPOs to Consider About Privacy Awareness
Many of the impacts of the EU's wide-reaching General Data Protection Regulation (GDPR) are still being hemmed and hawed about, but one thing is clear: more Data Protection Officers will be needed.
The IAPP reported last year that an estimated 28,000 new DPOs will be needed to oversee data handling for organizations subject to the GDPR. The mandatory DPO is one of many provisions within the GDPR going into effect in May 2018. (Check out our white paper here for a primer and some industry expert input).
While the requirements for getting in compliance with the GDPR are many-see the full 88-page regulation here or take a look at a short version from the DPO Network Europe-there's one important factor that we want to draw attention to:
The GDPR requires privacy awareness training, and it's the DPO's responsibility (see article 39 section 1B).
While the GDPR offers no real specifics on what privacy awareness training should entail, I'd like to provide some suggestions, based on our years of experience working with some of the most privacy-aware global companies. If you've been assigned the DPO duties in your organization, here are three things for you to consider as you begin your work (in the form of an open letter).
To the new Data Protection Officer
Congratulations on your new DPO position!
You'll undoubtedly be hitting the ground running, so allow me to quickly get to my point. The GDPR in no uncertain terms requires privacy awareness training. With this obligation hanging over your head, you might be wondering how exactly to begin moving down the path of organization-wide privacy awareness.
The short answer: strive for a privacy-aware culture. Even nebulous corporate values like "privacy awareness" can be essential to the functioning of an organization if they are championed by executives, embedded in operational procedures, aligned to key business goals, measured regularly, and effectively communicated on a consistent basis to all employees. Such steps ensure that these values are proactive parts of corporate culture, embedded within the organization's design, and accepted across the organization as the default mode of operation for all employees.
The onus is on you to champion privacy-based thinking as a vital part of organizational culture. Such a task is no small feat, but possible. How? You can start by following some of the best practices of America's most risk-aware companies. Here are some ideas:
Start at the Top
For better or worse, people look to leaders to set the tone for their organization. That's why you, your organization's new DPO, and your executives must understand the importance of clear communication about privacy risks.
In our experience, too few people at this level understand or speak personally and directly about the impact this risk has on their lives and their organizations. We need to do a better job of educating leaders about the nature of risks, and get them to incorporate this understanding into the regular communications to their employees and citizens. Ensuring that privacy risks are understood at the executive level will also make it easier to make the case for comprehensive privacy awareness programs when there is a check to be signed.
Recommendation:Educate all executive-level personnel in privacy best practices and ensure they're committed to giving privacy a regular place in communications both to their employees and to the public.
But Make it For Everybody
Employees may look to leaders to set the tone, but they will not make substantive changes in behavior unless they can directly connect data privacy risks to their work and personal lives. That's why it's so critical that you reach people where they are:
- Those handling financial information need to practice the skills involved in securing credit card data and all sources of financial data, just as nurses and healthcare professionals need to protect confidential health information
- Managers and executives need to understand that their heightened access to information makes them targets
- IT staff need special training, not just on their privileged access to data but also on the role they play as ambassadors in understanding and using information technology to protect information
No matter our age or our job, we all face privacy risks. But these risks take different forms, and what we need to know and do to protect ourselves differs across our roles. The way you educate must reflect those differences, or it will be irrelevant and ultimately ineffective.
Recommendation:Tailor all privacy-related training and communication to roles (whether they be job roles or phases in life) to ensure the information is relevant and actionable.
Make It Engaging
If we ever expect privacy knowledge to become a foundational element in our culture, we need to take our cues from advertising, communications, and PR. (And not, I'm sorry to say, from conventional training practices). Look what Smokey the Bear did for preventing wildfires or what "Where's the Beef?" did for hamburgers. As someone responsible for teaching privacy best practices (or at least researching and managing a training vendor), you need to think like an ad executive.
Simple slogans or interactive experiences, clearly and repeatedly delivered in fun and relevant ways, do far more to build awareness than the long, dry training courses that are so frequently hailed as the solution when it comes to data privacy. Companies that leverage highly visible, regular communications and activities focusing on key risks have the most success at building information protection into the organizational culture. Is there a risk in using humor or games or shock tactics to communicate about data protection? Sure. Some people won't get it or may be put off by a particular approach. But the risk of boring people is much greater. If people are bored, they'll never learn.
Recommendation: Engage in a comprehensive campaign to get people talking about privacy best practices with features like games, phishing simulation, posters, and videos. The more varied ways you can present your message, the better.
My advice ultimately comes down to this: Employees need to see the benefits of identifying personal information, handling it appropriately, and reporting potential privacy incidents before they lead to data breaches.
It's essential that you raise the transparency and visibility of efforts to promote information protection, as it's critical to the development of a privacy-aware culture within your organization. This is your opportunity to make sure that everyone at your organization makes data privacy their responsibility, as it should be.