Privacy Awareness and Employee Behavior

By Suzette Corley, Global Privacy Paralegal

New data privacy rules mandated by the General Data Protection Regulation (GDPR) take effect on 25 May 2018. The GDPR creates urgency for multinational companies, which must begin acting now. The stakes are high: the most serious violations carry fines of up to 4% of annual worldwide turnover (or EUR 20 million, whichever is higher), whether the non-compliance is intentional or not. All organizations that handle the personal data of people in the EU are urged to develop strategies to bring their businesses into compliance and to prepare employees adequately to avoid costly mistakes. Once a privacy program is established, data privacy awareness training should be conducted regularly.

Implications of nonawareness

A 2016 Dell survey found that more than 80% of participating global companies knew few or no details about the GDPR or its impact on their business. Fewer than one in three companies believed they were prepared for it now, and 97% had no plan in place to get ready. IT professionals painted a dim picture, with only 9% confident that their organizations would be fully prepared when the changes take effect. The word needs to get out to all company management teams. The first step is impressing on them the importance of establishing awareness and following it up with a plan that avoids fines (up to 2% of worldwide turnover for lesser infringements and up to 4% for the most serious ones) and damaged reputations.

Required steps

  1. Appoint a data protection officer (DPO). The GDPR makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); other organizations may appoint one voluntarily. The DPO can be an existing employee, which is an efficient way to centralize data privacy training along with ongoing quality assurance monitoring. A privacy professional could be put in charge of working with HR to ensure that all parties receive adequate training before working with sensitive data.
  2. Establish a firm access governance process. Before training begins, set the parameters of the education program and the tiers of access, with clearances and access criteria defined for each tier. An examination of job roles and responsibilities determines who is eligible for which access, with attestation and periodic recertification of those grants under the supervision of line-of-business management.
  3. Control access management. Under the GDPR's data minimization and security principles, employees and associated contractors should be given only the access required to perform their duties and nothing more. The regulation does not prescribe particular products, but it does require appropriate technical and organizational measures (Article 32); in practice that means establishing identity with multi-factor authentication, verifying user credentials, securing remote access, managing passwords with granular controls and applying risk-based adaptive security measures. Password management falls under this category because passwords are a favorite target of attackers. Note that current guidance (NIST SP 800-63B) advises against forcing routine password changes on a fixed schedule, since it drives users toward predictable variations; instead, require long, unique passwords screened against known-breached lists, enforce multi-factor authentication, and change a password promptly whenever compromise is suspected.
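The least-privilege and recertification steps above, shown as working code. This is an added example and not part of the original article: the roles, users, grants, attestation dates and the 180-day review window are all constructed sample data, and the deny-by-default rule (a grant only counts if the user's role also entitles it) is one reasonable design, not something the GDPR prescribes.

```python
"""Least-privilege authorization plus a periodic access-recertification review.

Added example; not from the original article. The roles, users, grants,
attestation dates and the 180-day review window are constructed sample data.
"""
from datetime import date


# Permissions each job role actually needs (constructed sample data).
ROLE_PERMISSIONS = {
    "marketing": {"crm:read"},
    "it_admin": {"crm:read", "crm:admin", "hr:read"},
    "hr": {"hr:read", "hr:write"},
}

# Each user's role, the permissions explicitly granted to them, and the date
# line-of-business management last attested that those grants are still needed.
USERS = {
    "alice": {"role": "marketing", "grants": {"crm:read"},
              "recertified": "2018-01-15"},
    # bob holds hr:read, which his role does not justify: privilege creep.
    "bob": {"role": "marketing", "grants": {"crm:read", "hr:read"},
            "recertified": "2018-02-01"},
    # carol's grants match her role but have not been attested for over a year.
    "carol": {"role": "hr", "grants": {"hr:read", "hr:write"},
              "recertified": "2017-03-01"},
}


def is_authorized(user, permission, users=USERS, roles=ROLE_PERMISSIONS):
    """Deny by default. A grant only counts when the user's role also entitles
    it, so a stale or mistaken grant can never exceed the role's least-privilege set."""
    rec = users.get(user)
    if rec is None:
        return False
    entitled = roles.get(rec["role"], set())
    return permission in rec["grants"] and permission in entitled


def access_review(today, max_age_days=180, users=USERS, roles=ROLE_PERMISSIONS):
    """Produce the findings a line-of-business reviewer must act on: grants
    beyond the role (to be revoked) and attestations older than max_age_days
    (to be recertified). `today` is an ISO date string such as "2018-05-25"."""
    today = date.fromisoformat(today)
    findings = []
    for name, rec in sorted(users.items()):
        excess = rec["grants"] - roles.get(rec["role"], set())
        if excess:
            findings.append((name, "excess_grant", sorted(excess)))
        age = (today - date.fromisoformat(rec["recertified"])).days
        if age > max_age_days:
            findings.append((name, "recertification_overdue", age))
    return findings


if __name__ == "__main__":
    print(is_authorized("bob", "hr:read"))   # False: granted, but the role does not entitle it
    for finding in access_review("2018-05-25"):
        print(finding)
```

Run on the GDPR effective date, the review flags bob's excess `hr:read` grant and carol's 450-day-old attestation; alice needs nothing. The point of checking grants against role entitlement at authorization time, rather than only at review time, is that a grant that slips past the review cycle still cannot be used.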

Employee awareness training programs

Even if the leaders of a company are acutely aware of the changes in data privacy mandates and their potential impacts, a lack of thorough employee training could derail the entire program. It takes only one innocent mistake to cause a breach, with severe financial consequences for the company.

The solution to the problem

The development of a top-down privacy awareness training program is key to avoiding data privacy problems. When everyone has the baseline knowledge their role requires, there is less risk of compliance failures. Training programs should be customized to job duties and to the tier of access each role holds. Not all employees of a firm will have the same access permissions, and that changes the content of privacy awareness training at each level. For example, IT staff deal with information that is different from what marketing professionals or workers in manufacturing or production areas handle. The training should be relevant to the assigned job duties.

The goal of awareness training and recommended types of training

Satisfying the GDPR's requirements is the broader goal, which means a thorough, adaptive, risk-based approach to protecting all personal data of people in the EU. Another important aspect of training is getting people interested, involved and actively thinking. There are a few different ways to implement data privacy training programs.

Smartphone-based Where's Waldo

A fun yet effective method for lightening the mood and getting everybody to participate willingly. It draws attention to the small details involved in mobile data transmission and points out where data can leak. The best part of this activity is that the trainees are asked to identify every possible security risk themselves. Having to find the risks stimulates awareness and gets participants actively searching for problems. It enhances their troubleshooting skills and drives home the seriousness of the situation. It is an effective way to engage everybody in training and open them up to absorb the information presented.

Other training methods

Data privacy training can be delivered as a series of shorter courses that cover all the bases sequentially in short segments. For example, an interactive overview of privacy responsibilities, including the life cycle of personal data, how it is shared, how it is used and the responsibility of professionals who handle it, can be completed in less than half an hour. A follow-up quiz shows participants and administrators how well the information was absorbed. This can be followed by other relevant areas of data privacy responsibility. One of the key factors in retention of the material is presenting the training in an interactive style that gets everyone involved in the process and using their reasoning skills.

Concluding thoughts

The need for data privacy training programs is driven by the necessity of becoming compliant with the new GDPR, which is enforced by the data protection authorities of the EU member states (the U.S. Federal Trade Commission, by contrast, enforces U.S. privacy law and has drawn parallels between its own approach and the GDPR). Once the program's requirements are defined, companies may deliver the training in any fashion they choose. We believe there are quite a few ways to reach target staff efficiently while having a little fun on the way. These are just a few ideas to get you started.

Article keywords: Data Privacy, GDPR, FTC, Awareness

Resource References

Brill, Julie (January 2016). Two-Way Street: U.S.-EU Parallels Under the General Data Protection Regulation. Ghostery/Hogan Lovells Data Privacy Day, U.S. Federal Trade Commission. Retrieved 10/18/2016 from https://www.ftc.gov/system/files/documents/public_statements/910663/160121hoganghostery_dpd.pdf

Dell Press Releases (2016). Dell Survey Shows Organizations Lack Awareness and Preparation for New European Union General Data Protection Regulation (GDPR). Retrieved 10/18/2016 from https://www.dell.com/learn/us/en/vn/press-releases/2016-10-11-dell-survey-shows-organizations-lack-awareness

Heimes, Rita (2016). Top 10 operational impacts of the GDPR: Part 2 – The mandatory DPO. The Privacy Advisor. Retrieved 10/18/2016 from https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-2-the-mandatory-dpo/

Research Report (2016). Preparing for the EU General Data Protection Regulation. IAPP Resource Center. Retrieved 10/18/2016 from https://iapp.org/resources/article/preparing-for-the-eu-general-data-protection-regulation/

Solove, Daniel (2016). "Privacy": A Unique Play Starring Your Smart Phone. TeachPrivacy. Retrieved 10/18/2016 from https://www.teachprivacy.com/category/training-privacy-awareness/

Disclaimer: This article provides general information and materials related to contract management. This article does not provide legal advice. Agile Contract Management is not a law firm nor does it provide legal advice. You should contact an attorney to obtain advice with respect to any particular legal issues or questions.
