Every comprehensive privacy program includes a formal training component. In-person classes, computer-based training and webinars are some of the ways to fill this need. Formal privacy training most often occurs once a year. However, other initiatives being promoted by your organization probably have annual training as well.
To keep privacy top-of-mind between annual trainings, an awareness program should be created. Awareness programs use informal, unscheduled mechanisms to remind your staff about protecting personal information. Previously I discussed utilizing posters to promote privacy awareness, and over the next several blog entries I’ll discuss some more of my favorite approaches.
Sometimes you have to do something special to get attention. Creating a privacy-focused event can be that special something to grab your organization’s attention. An event does not have to be big to be successful; it just has to be something out of the ordinary.
For example, having someone from your privacy office attend and present at a departmental meeting, say within IT or marketing, will raise awareness within “small” groups. It’s limited effort for your team but a break from the ordinary for the department you’re visiting. That alone makes it memorable for them.
What to talk about
When participating in another department’s team meeting, it is vital that you discuss privacy in terms that are relevant to the attendees.
Certainly there may be some new guidelines (restrictions) for the use of personal information. I find it best to explain these from a customer perspective. I ask the audience to picture themselves as a customer with their own information being used under both the new and old guidelines, explaining the risks and benefits in each case.
Let’s think bigger
Sometimes you need to shout to get attention. Coordinating a bigger event will allow you to reach across your entire organization instead of just a department. While you can hold an event anytime, luckily there is a perfect time to do a large, full-day celebration of privacy.
Every January 28th, Data Privacy Day is celebrated around the world. Coordinated in the U.S. by the National Cybersecurity Alliance, Data Privacy Day’s charter is “to create awareness about the importance of privacy and protecting personal information.” Data Privacy Day is a fantastic opportunity to run a full day of activities to raise privacy awareness in your organization. (Note: My company, Privacy Ref, Inc., is a sponsor of Data Privacy Day in the U.S.)
Awareness activities need to be engaging and fun
During a Data Privacy Day celebration, you can certainly have webinars, presentations, workshops and lunch-and-learn sessions. You can use the members of your privacy office team to lead these efforts. However, I would suggest minimizing the discussion of policy and procedure and focusing these sessions on privacy in general. For example, including how employees can protect their own personal information always grabs attention.
I have found that privacy and security vendors (including Privacy Ref) are happy to provide speakers for these activities for their clients. Having an outside expert visit often draws a larger audience when compared to an internal speaker.
These traditional methods of sharing information are certainly effective, but not everyone will participate. So how do you improve engagement?
A privacy game
One way is to find a high traffic area and set up a “privacy game.” A good location is in or near the company cafeteria or in the building lobby.
The game can be something simple. I once was working with a team that set up a table where they had all sorts of documents. Each document contained different types of information. The game was for a participant to classify a number of documents according to the organization’s information categorization scheme. Get a few right and be given a low-cost prize.
This simple little activity always had a crowd watching. The crowd surged whenever a senior executive stopped by to play; everyone was waiting for them to make a mistake. Of course, the executive was always a winner.
The game provided several benefits. It increased privacy awareness. It reinforced the organization's information categorization structure. Most importantly, it demonstrated executive endorsement of the privacy program.
Hold a privacy fair
Another activity is to ask departments to participate in a privacy fair. In this activity, each department is provided a table where they demonstrate what they do to protect personal information. Visitors to the tables learn about the efforts going on in other parts of the organization, frequently finding ideas they can use within their own department.
You can even invite vendors to attend to discuss what they are doing with your company. They will also be happy to talk about products they have that enhance privacy and, possibly, give away samples.
I can only compare privacy fairs with the science fairs I attended when I was in school. The contest between departments to have “the best” table can get very competitive. You can fuel this by allowing visitors to vote for the best. Giving the winner a trophy or a pizza party is a small price to pay for the rise in awareness this activity will provide.
Think out of the box
Sometimes you want the reminder to be subtle. One of the most effective approaches came from one of my team members when I worked at Staples. Her suggestion was to work with the staff in the company cafeteria to rename the menu to reflect privacy. Instead of eggplant parmigiana we had “encrypted eggplant.” Instead of buffalo wings, we had “firewall wings.” You get the picture.
It was interesting at lunch that day to hear the conversations at the tables turn to privacy. For limited effort here was another success in raising awareness. It worked so well that the second year the cafeteria staff undertook the renaming of the menu items themselves.
A word of caution
Holding events can be fun, effective and low cost. A critical success factor is to sharply differentiate the activities undertaken in these events from privacy training.
You should have classes that provide formal training to your staff on your organization’s do’s and don’ts for the handling of personal information. The activities you provide in events should not revisit these topics, but provide a gentle, indirect reinforcement of them.
This article is published as part of the IDG Contributor Network.