As more and more privacy laws go into effect every year, privacy compliance obligations are only increasing for businesses. For example, you may now be required to allow customers to delete their data, be more careful as to who receives your marketing emails, and include privacy checkboxes on every form on your website. These types of obligations can affect every part of your business and every employee. Since most privacy violations are caused by employee mistakes, it is imperative that you properly train your employees on privacy so that these types of mistakes can be avoided and that your business is less at risk of privacy-related fines and lawsuits. In this article, we will discuss the most important aspects of this training, such as how often it should be conducted, what it should include, and more.
How often should you conduct employee privacy training?
Since employees can make privacy mistakes as soon as they start working at your business, privacy training should first take place when they are hired. The training should also be repeated once per year as a refresher. If changes occur in between, such as a new law being passed or your obligations changing because of a new client, conduct a short training at that time that covers the changes.
What is the difference between information security training and privacy training?
If you already conduct information security training, you may be wondering whether you also need privacy training, as these topics can be related. It is important to note that information security training does not replace privacy training. This is because privacy concerns how personal information may be viewed and used, while information security concerns protecting that information from unauthorized access. For example, privacy obligations may dictate that you cannot send email marketing to individuals who have unsubscribed from email marketing. On the other hand, information security obligations would dictate that you need to use a strong password for your email marketing account so that the account does not get compromised.
Tips for conducting privacy training
Before we get into what privacy training should include, let’s discuss some best practices when it comes to this type of training:
- Make it relevant. Your training should be relevant to your business and privacy practices. For example, if you do not collect Social Security Numbers, your training should not discuss the privacy obligations of dealing with such data;
- Make it fun. There is nothing more tedious than listening to a boring lecture. Make your training fun by including privacy-related memes or short funny clips;
- Make it engaging. Chances are that your employees have been faced with privacy questions in their personal and professional lives. Encourage them to ask you questions throughout and after your presentation;
- Provide examples. There’s nothing more illustrative than real-world examples of situations that your employees may face relating to privacy. For example, your sales staff may be tempted to increase sales by installing trackers on your website that allow them to reach out to potential leads. However, there may be privacy concerns with such practices, and your training should spell out how to deal with such situations. In addition, you can use examples to illustrate what type of behavior is unacceptable or inappropriate;
- Take a break. We all know that modern attention spans are lacking. Consider taking a five-minute break every thirty minutes so that staff can stay focused;
- Take attendance. Make sure to make a list of who was present at the training for your records.
What should privacy training include?
While each company’s privacy training will look different based upon its privacy obligations and practices, in general, training should include the following topics:
- The purpose of the training;
- When training will be conducted;
- Definition of “privacy” and what privacy actually means in the real world;
- Why we need to care about privacy;
- Defining and providing examples of Personally Identifiable Information (PII) (e.g. name, email, phone number, IP address);
- How PII can be collected in compliance with the law (for example, you can provide a definition and the requirements to meet the consent legal basis for processing PII);
- Transparency obligations (e.g. what your Privacy Policy must state, how it changes, etc.);
- How PII may be used (e.g. it may be used for email marketing only if the client has consented to such use);
- How PII may be shared (e.g. providing information about vendor due diligence and how new vendors that have access to PII are onboarded);
- What it means to sell PII and whether your company allows PII to be sold;
- How long and where PII is retained;
- Which privacy laws and obligations apply to your business;
- Privacy rights, including which privacy rights you offer and to whom, how individuals can exercise their privacy rights and how such requests are processed;
- Transferring PII to other countries;
- Other relevant policies and procedures;
- The consequences of employees not following privacy training and requirements;
- Question and answer session.
After conducting the training session, make sure to reflect on how the training went and make adjustments accordingly. Then, create a calendar reminder for yourself to schedule training again in one year. Lastly, ensure that you are responsive to employee questions about privacy throughout the year as privacy questions and concerns can come at any time, not just during training.