Typically, when we talk about employee training, it’s to upskill that person to be the best they can be, which in return boosts their productivity and engagement. Data privacy training is different. With data privacy training, the focus is on your customers and how you do your best to protect their data from harm or misuse and earn their loyalty.
Most (84%) consumers are privacy savvy, with nearly half (48%) indicating they have already switched at least one product/service provider due to poor data privacy practices. Despite the high stakes, an incredible 39% of security leaders admit their biggest challenge is internal training. In this article, we look at what data privacy training involves, who needs it, and how to deliver it effectively within your organisation.
What is data privacy training?
Data privacy is not the same as data security. Data security is concerned with protecting data against unauthorised access, alteration or loss, whoever the threat comes from. Data privacy focuses on how the organisation governs the personal data it holds, so that it is collected, stored, processed and managed lawfully and in the right way.
Therefore, data privacy training ensures that employees are adequately informed and reminded about the organisation’s data policies. Because every organisation and every employee’s role is so different, the Information Commissioner’s Office (ICO) doesn’t stipulate precisely what data privacy training should cover, only that, “Like any other mandatory training, it should be relevant to people’s role and refreshed regularly”.
For example, it wouldn’t make sense for a restaurant with very little customer data to provide its staff with the same rigorous training as a financial institution, which has access to vast volumes of personal and potentially highly sensitive data. Similarly, you wouldn’t necessarily invest in the same level of detail in data privacy training for an IT engineer as you would for a sales director.
However, as a rough guideline, it’s essential that your data privacy training should cover:
- Data protection basics: such as strong passwords, storing and sharing data, and confidentiality.
- Your specific data policies: what data you collect, why, how it’s used, and how long it’s retained.
- What to do if something goes wrong: your process for informing the business, its customers, and the regulator.
Why is data privacy training needed, and who should be doing it?
Under the GDPR, organisations can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious breaches of the regulation (the UK GDPR sets the equivalent cap at £17.5 million or 4%). Every employee is responsible for data protection, so data privacy training should be given to all staff, including temporary staff and volunteers.
However, it’s not just a tick-box exercise to show compliance.
Around three-fifths (60%) of data breaches involve insiders. And these are not necessarily malicious attacks by employees who feel their organisation has somehow ‘wronged’ them. Most insider breaches result from policies that are unfit for purpose, or that are not followed, when people are simply trying to get on and do their job.
Over half of organisations (53%) leave 1,000+ files containing sensitive data open to all employees, regardless of whether those employees need access to the data. It’s a huge and unnecessary risk, and one that data privacy training helps to mitigate: staff who understand why access should be limited to those who need it are far more likely to restrict it when they create, store or share files.
Different methods of data privacy training
Broadly speaking, training falls into three categories: classroom-based, online/e-learning and resource-based. Each has its pros and cons:
Classroom-based training
Pros:
- More personalised as the content can be tailored to your experience.
- Instructors are available to answer questions in the moment.
- Opportunities to network during breaks.
Cons:
- The costs associated with taking employees off-site and making them unavailable to work.
- Locations aren’t always suitable for remote workers.
- Time pressures to make it through all the course content.
Online/e-learning
Pros:
- People can learn at their own pace.
- Ideal for fitting training around a busy schedule as you can learn on the go.
- Highly scalable because the content remains online for everyone to access.
Cons:
- Without a facilitator, it’s hard to know whether people have engaged with the training.
- It’s very easy for people to get distracted by emails, apps, and notifications.
- Lacks hands-on experience and discussion.
Resource-based training
Pros:
- Information can be presented in different ways to match how people like to learn.
- Training materials are easily accessible so that people can revisit the information.
- Very quick to share new updates and track their effectiveness.
Cons:
- Training materials are limited in how interactive and demonstrative they can be.
- It takes time and money to create resources and keep them up-to-date.
- There is no facilitator for people to ask questions if they are unsure.
It’s important to remember there is no right or wrong approach – and often, it can work in your favour to blend different methods to strengthen your training programme.
Keys to successful data privacy training
According to the ICO, employees should receive “Appropriate training about your privacy programme, including its goals, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date.”
Rather than a blanket ‘catch-all’ approach, think about how you can tailor your data privacy training to different roles/functions within your organisation.
For example, your over-arching policies could be shared as part of your new employee onboarding process, because everyone will need to know about data sharing, information security, breaches and records management. Specific training resources can then cover what those policies mean for a particular department: for example, which systems are used in sales, what data is collected and which reports are run.
You can also blend different types of training. For example, as part of onboarding you might deliver formal classroom-based training so that new starters can ask questions, while function-specific resources sit in a central knowledge hub, available in different formats and at the appropriate level of detail. Additionally, you could require people to attest that they have read the documents, which creates an audit trail and helps you identify knowledge gaps.
When new information is created, perhaps due to a change in regulation, following a breach, or when implementing a new system, you can roll out updated resources quickly to those affected and check that they have been received and understood. Existing resources should also be reviewed regularly to ensure they remain relevant.
Need some help with your data privacy training?
If you’re thinking about upgrading your data privacy training, so it continues to meet the requirements of your organisation and support individuals in their day-to-day roles, perhaps we can help? Our consultants have an average of 10 years of experience in data security and privacy and have supported a range of organisations in tailoring an affordable programme to meet their ongoing training needs.