Following in the footsteps of California and Virginia, Colorado last week became the third U.S. state to officially pass a comprehensive consumer privacy law. In doing so, the state added yet another layer of complexity for consumer-facing organizations striving to keep employees and executives abreast of the latest regulatory compliance responsibilities.
We often hear about security awareness training's role in maintaining proper cyber hygiene, but what about privacy awareness programs? Experts largely agree that such training is integral to ensuring employees don’t run afoul of a growing array of legislations, including the landmark General Data Protection Regulation and the California Consumer Privacy Act.
Companies do seem to be grasping the importance of privacy awareness training, according to Marla Berry, director of training at the International Association of Privacy Professionals, citing a 2020 IAPP-FTI Consulting Governance Report, which found that 95% of privacy teams are involved with companywide privacy-related awareness and training.
“As a significant portion of privacy incidents happen from human error, training is critical to mitigating privacy risk within an organization,” said Berry. “The good news is that the governance report also showed that 42% of privacy pros expected their budgets to increase, and, of those, 43% thought that additional budget would go to privacy trainingprograms.”
But it’s not just about companies recognizing the value of such training; in many cases, it’s actually legally mandated by regulations such as HIPAA and the CCPA.
“Under certain data privacy regulations and laws, there is a specific requirement that employees be trained on the privacy practices within the organization,” said Rebecca Rakoski, co-founder and managing partner at XPAN Law Partners. “And so as organizations collect more sensitive data, their employees should be more attuned, and… better trained on what constitutes sensitive data…”
Rakoski said that providing training helps place companies in “a defensible position in the event of a data breach” so that the victimized organization can legally demonstrate that “you’ve put your organization in the best possible position to say we did everything we could have done.”
Still, the various privacy laws on record typically do not specify precisely how training and education should be executed, so a lot is still left up to the organization.
In some cases, privacy training can be packaged alongside security awareness training, as they often do go hand in hand. Training provider AwareGO, for instance, considers both areas as falling into the category of data security. After all, “privacy regulations state that cybersecurity education is part of the package, even if they don’t specify how it should be done,” said Ragnar Sigurosson, CEO and co-founder. “Cybersecurity is data security and helps companies comply with privacy regulations...”
“There is certainly an overlap between privacy and security," concurred John Just, senior vice president of learning innovation at KnowBe4. "If you do not have basic security awareness training in place, it is nearly impossible to fully comply with laws like GDPR and CCPA."
Still, some lessons fall distinctly into the privacy compliance bucket, and that may require more specialized training.
“Privacy training intersects with security training when the content covers the actions to be taken to protect data; for example, teaching employees how to identify phishing emails, social engineering attempts, implementing secure passwords, safe browser use and screen locking are security concepts that also contribute to a mature privacy controls environment within organizations,” said David Forman, vice president, privacy and international assurance, at Coalfire. “However, explicit focus on privacy topics such as the collection, use, dissemination, and retention of personal data is encouraged to be segmented as modular topics for affected staff,” he noted.
Just from KnowBe4 said his company training that covers organizations’ responsibilities under privacy laws, noting that while such modules are not widely viewed across organizations, they are used by “those in… legal, IT and other areas that must establish the processes and controls needed to comply.”
“What is taught very frequently is handling customer information properly, and we have a lot of modules that cover that,” said Just. “We recommend at least having one of these aspects per quarter on data privacy/protection in a monthly training plan for any users who come in contact with or handle data of both [employees] and external customers. Compliance with these sorts of laws is an ongoing process of making sure that you have the right security measures, processes and ultimately culture in place to protect private data.”
Likewise, Sigurosson said that AwareGO offers “direct lessons and awareness reminders that deal with specific privacy regulations, such as reporting data leaks, knowing which data is safe to ask for and keeping client data safe.”
“Our direct privacy lessons feature subjects such as the handling of sensitive data, how to share it securely, not asking for unnecessary data, the right to be forgotten, keeping a clean desk, the risk of data leaks and dumpster diving and how to safely destroy printouts, the risk of online PDF makers, not leaving client information out in the open, and much more,” Sigurosson continued. “Within our learning management system we have curated a program specifically to educate about and comply with privacy regulations. It is mostly in line with GDPR, but applies to other regulations as well.”
Additional topics suggested by Coalfire’s Forman include: “explaining the privacy principles and ethics of privacy, identifying and classifying personal data as well as sensitive data, the data management lifecycle,” and data subject access requests.
While there are plenty of security and privacy training providers to select from, Rakoski emphasized the importance of companies customizing their awareness programs to their unique privacy challenges and requirements, lest they overlook an important regulation that applies to their specific industry needs or data collection practices.
“From a legal perspective I would never recommend to my clients to just buy like an off-the-shelf boxed product," said Rakoski, whose own legal firm conducts individualized training for its clients that accounts for what data they possess, how they handle and store it, and whom they share it with. “I am of the opinion that both security and privacy need to be tailored to an organization.”
Of course, it can be tricky to know precisely what to teach when there are so many different privacy regulations to account for. But there are ways to narrow down the curriculum. “The data is what is going to drive this,” said Rakoski. At her firm, “first, we're going to look at what the data is that you're collecting, what laws are we triggering, what laws are impacting that data… Once that is completed, you need to cross-map those laws to see where they align, and where there are differences…”
And that allows companies set privacy policies and teach them, Rakoski continued. For instance, do you segment data in various regions separately if they are subjected to different privacy laws that do not align with each other? Or do you keep all data together and simply adhere to whatever the toughest standard is? Or something in between?
Berry from the IAPP further suggested that privacy awareness training be role-based, because it is “generally more effective, as it provides specific context and examples for staff.”
But how does a company ascertain if its privacy awareness training is sinking in? Much like security training, impact and lesson retention can be difficult to measure.
One option is to conduct interactive surveys or test to assess trainees’ privacy knowledge and attitudes toward privacy compliance.
“It is important to measure these programs by testing the users on what they learned through interactive modules or quizzes throughout the course, as well as provide reinforcement training throughout the year in order for the training to become sticky,” said DePaula.
But perhaps a more meaningful way to determine training effectiveness is to measure response times to privacy-related requests, said experts.
“Because a lot of times the data subject has a certain period of time to respond under the laws to data subject access requests, you can see whether the program you put in place is working depending on how long it takes you to go from initial contact to providing the information,” said Rakoski.
“There are ways of looking at the metrics on that,” she continued. “It's a combination of using technology to monitor [that] and good old fashioned elbow grease and manpower – going in and having someone look at what they're doing to say, ‘This interaction was one that actually comported with what we would expect to see, versus something that we would not expect to see.' So periodic audits and assessments or I would say are needed.”
Indeed, the best way that the success of privacy training is measured can be how well the privacy practices in an organization are implemented and followed,” agreed Forman. “If proper notice is provided to data subjects, data subject requests are answered in a timely manner, and the data lifecycle is followed, then an organization can be reasonably confident that the training is sufficient and achieving its purpose.”