Data Privacy Day (DPD), held every January 28 and coordinated by the National Cyber Security Alliance (NCSA), is an international effort centered on “Respecting Privacy, Safeguarding Data and Enabling Trust.” While the day is focused on raising awareness among consumers, DPD is also an opportunity to raise privacy awareness within any organization. Often I hear from my clients that it is too costly or too time-consuming to undertake an awareness activity, but here are five easy activities your organization can undertake to support privacy awareness this DPD or anytime throughout the year.
Leverage existing communication vehicles
Your organization probably has some standard communication vehicles – such as newsletters, emails, videos or magazines – that are targeted to employees, vendors or other stakeholders. Utilizing these routinely distributed methods provides a privacy team the opportunity to share a privacy awareness message that is tailored to the target audience of the vehicle, which takes minimal effort and supplies content to the owner of the publication. Consider placing an awareness message as a regular occurrence within the chosen vehicle(s) to keep awareness high.
An offbeat event that raises awareness and starts a buzz across the organization involves working with the cafeteria staff to create a special privacy-themed menu for one day featuring items such as Firewall Hot Wings, Privacy Pasta or Encrypted Eggplant Parmesan. Once this idea is presented to the cafeteria staff, their creativity may begin to flow, resulting in some fun, culinary creations.
There will always be some unsung heroes in your organization who go above and beyond to protect personal information. Whether they identify a vulnerability or threat before any damage is done, establish or improve a process, or increase awareness within a department, recognizing these individuals will pay the dividend of creating a buzz within their department about their outstanding work and about the individuals themselves. The recognition can be very inexpensive, ranging from a certificate of appreciation to a gift card. Of course, one of the aforementioned communication vehicles should be used to publicize the accomplishment.
Guest Speakers, Webinars and Lunch-and-Learns
Bringing guest speakers into the organization is another way to increase awareness. These speakers are often available from various privacy organizations, vendor companies or business partners (sometimes without a fee).
One example is a client of mine who held a lunch-and-learn for their IT organization. The guest speaker was a representative from the International Association of Privacy Professionals, and the event attracted more than 250 employees between the live presentation and web conference.
Webinars and lunch-and-learns should not be limited to guest speakers. A regular quarterly schedule of these events can be used to present current privacy topics that are of interest to your staff by members of your privacy team. Even if the attendance is a small fraction of the employees, simply publicizing the event will remind the staff about privacy.
Also, executive testimonials and participation can enhance the acceptance and effectiveness of any event. If an executive can introduce a presentation, kick off a meeting, banter with a guest speaker or simply attend the event, it can increase acceptance of the messages that follow.
Posters are an effective, moderate-effort way to share privacy awareness messages. You can create two types of posters:
- Permanent posters are reminders to staff members to follow proper procedures (like a poster by an exit door reminding people to secure their electronic devices and paper documents before leaving).
- Rotating posters provide an opportunity to send timely messages to the staff with the content based on recent events or areas on which the privacy team wishes to focus. Poster messages may be focused on improving performance in an area that is not meeting expectations (perhaps posters might focus on metrics which reveal an increase in misdirected emails, for example). Rotating posters may contain messages that share “the right thing to do” (such as always shredding documents containing non-public personal information) or they can explain the consequences of not following proper procedures (such as the possibility that improper personal document disposal may lead to identity theft and tarnish the trust customers have in your organization).
Every organization has a number of programs and privacy initiatives that each staff member needs to remember and practice regularly. An effective awareness program will keep privacy top-of-mind on DPD and throughout the year.
About the Author
Bob Siegel, Privacy Ref’s president and founder, is a Certified Information Privacy Professional (CIPP), awarded by the International Association of Privacy Professionals (IAPP), with concentrations in U.S. private-sector law, Canadian law and European law. Siegel is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty, having trained over 3,000 individuals, and is currently on the IAPP Publications Advisory Board. Prior to founding Privacy Ref, Siegel served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness and compliance with global privacy-related policies and procedures for more than 60 business units in 26 countries.
Privacy Ref Inc., a Data Privacy Day sponsor, provides privacy consulting, assessment, training, and coaching with clients in diverse industries including financial services, health care services, technology, business services, manufacturing, utilities, product testing and entertainment. Clients vary in size from fewer than 50 to over 160,000 employees with revenues ranging from $15 million to over $65 billion. For more information, visit privacyref.com.