Putting Privacy In Your Organization’s DNA

By Allen Brandt, CIPP/US, CIPP/E, CIPM

“Ethics cannot be taught in a business school. It has to be a part of the DNA.”

The above quote came from David Wilson, president and CEO of the Graduate Management Admission Council (GMAC), the organization that owns and administers the GMAT exam that is used globally for entry into graduate business schools. (Disclosure: I’m the CPO of this organization).

Now, let’s take the statement above and exchange the word ‘ethics’ for ‘privacy’, so it reads ‘Privacy cannot be taught in a business. It has to be part of your organization’s DNA’ (OK, I tweaked it a bit to make my point). We all spend a great deal of time, effort and resources on staff training, and yet we still see many of the same mistakes repeated. Most people are not trying to be malicious; most employees are simply trying to get their jobs done efficiently, and if our privacy or security controls get in the way and make that harder, people will find a way to work around them. Even employees of government agencies holding very confidential and sensitive data are not immune to breaking the rules in the name of efficiency.

So how might we change an organization’s privacy culture and DNA?

Perhaps it’s time we started looking at our communication with our users with a more critical eye. Is our training geared more towards meeting a corporate metric than towards really understanding what our users need, where their pain points are, and how we might address them? Am I suggesting that we just give up and stop training? Not at all!

In past years, our privacy training talked about the need to protect data, our privacy policy and all sorts of interesting (at least, to us) material, but the rate of mistakes and questions from users didn’t change much, if at all. We then started taking a very critical look at every communication we deliver, from the annual required trainings to our Intranet postings, and made some changes.

First, our training is now shorter than it used to be. We took out everything other than what we felt were the basics every employee needs. Then we created custom modules that we deliver only to the people in specific areas who need the additional material. Similar to the CIPP methodology, where everyone takes the foundation exam and then adds a specific module based on their individual needs, we first created a section that is delivered only to our technology staff, and then created content specific to the needs of our non-U.S. employees. The Intranet posts now cover both items that matter to protecting the organization’s data and topics that might affect individuals in their personal lives, as a way to keep the content fresh and relevant and to make privacy sensitivity part of each person’s DNA.

Are you doing anything in your training that is unique and you can share with others? If so, please show off what you are doing in the comments below.


About the Author

Allen Brandt, CIPP/US, CIPP/E, CIPM, is corporate counsel, data protection and privacy, and chief privacy official for GMAC, which owns the Graduate Management Admission Test (GMAT), an exam delivered to prospective graduate business students in 111 countries worldwide. He provides legal guidance and counsel on U.S. and domestic consumer privacy issues, creates data protection policies and procedures, responds to privacy inquiries and leads the privacy training program. In addition, he monitors compliance with the council’s marketing programs and oversees the filing of international data processing applications and notices.

Brandt is a member of the California and Missouri Bars and is a Virginia corporate counsel.
