Putting Privacy In Your Organization’s DNA
“Ethics cannot be taught in a business school. It has to be a part of the DNA.”
The above quote came from David Wilson, president and CEO of the Graduate Management Admission Council (GMAC), the organization that owns and administers the GMAT exam that is used globally for entry into graduate business schools. (Disclosure: I’m the CPO of this organization.)
Now, let’s take the statement above and exchange the word ‘ethics’ for ‘privacy’, so it now reads ‘Privacy cannot be taught in a business. It has to be part of your organization’s DNA’ (OK, I tweaked it a bit to make my point). How much time, effort and resources do we all spend on staff training? And yet, we still see many of the same mistakes get repeated. Not that most people try to be malicious, but most employees are trying to get their jobs completed efficiently, and if our privacy or security controls get in the way and make it more difficult, people will find a way to circumvent our work. Even employees of government agencies holding very confidential and sensitive data are not immune to breaking the rules in the name of efficiency.
So how might we change an organization’s privacy culture and DNA?
Perhaps it’s time that we start looking at our communication to our users with a more critical eye. Is our training geared more towards meeting a corporate metric than towards really understanding our users’ needs and pain points, and looking for ways to address them? Am I suggesting that we just give up and stop training? Not at all!
First, our training is now shorter in time than in the past. We took out everything other than what we felt were the basics that an employee needs. Then, we created custom modules that we deliver only to those people in specific areas who need to know the additional material. Similar to the CIPP methodology, where everyone takes the foundation exam and then adds a specific module based on their individual needs, we first created a specific section that is only delivered to our technology staff. We then created content specific to the needs of our non-U.S. employees. The Intranet posts now cover both items that matter to protecting the organization’s data as well as topics that might impact individuals in their personal life, as a way to keep the content fresh and relevant and work to make privacy sensitivity part of each person’s DNA.
Are you doing anything in your training that is unique and you can share with others? If so, please show off what you are doing in the comments below.
About the Author
Allen Brandt, CIPP/US, CIPP/E, CIPM, is corporate counsel, data protection and privacy, and chief privacy official for GMAC, which owns the Graduate Management Admission Test (GMAT), an exam delivered to prospective graduate business students in 111 countries worldwide. He provides legal guidance and counsel on U.S. and domestic consumer privacy issues, creates data protection policies and procedures, responds to privacy inquiries and leads the privacy training program. In addition, he monitors compliance with the council’s marketing programs and oversees the filing of international data processing applications and notices.
Brandt is a member of the California and Missouri Bars and is a Virginia corporate counsel.