As an executive, it’s up to you to set the standard for your organization’s data privacy approach. You can use International Data Privacy Day to start your year off on the right foot.
Thursday, January 28, 2021, is a big day. Not only is it National Have Fun at Work Day, National Kazoo Day, and National Blueberry Pancake Day, it’s also International Data Privacy Day. On this day, groups in the United States, Israel, Canada, and 47 European countries work together to empower individuals and businesses to respect privacy, safeguard data, and enable trust.
It’s no secret that consumer expectations and regulatory requirements for data privacy will drive the development of, and innovation in, business best practices over the next decade. Implementing a compliant privacy program has a steep learning curve. It’s in your best interest as a leader to get in front of it now, while you have time to do it, rather than wait until you legally have no choice.
Observing International Data Privacy Day is a smart place to start building your company’s data privacy culture.
Why you need a robust data privacy program
If your company sells products online or collects data from online users, the odds are high you’ve heard about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the EU’s General Data Protection Regulation (GDPR).
These are the most aggressive and far-reaching data privacy laws, but they are far from the only regulations on the books. Unlike other countries, the United States follows a sectoral approach to data privacy regulations, meaning regulations tend to be either regionally based or industry-focused. Industries and states currently without specific data privacy regulations may find them cropping up in the next several years.
Constantly shifting goalposts pose a big challenge for businesses. Simply adhering to current data privacy and protection best practices in order to meet current regulations isn’t enough to keep you competitive. If you want to stay agile and responsive in a changing data privacy landscape, you need to follow best practices that exceed existing standards.
Regulatory compliance is not the only reason you need to pursue an aggressive privacy culture. Consumers are increasingly proving that how a company uses their personal information plays a role in their purchasing decisions. A recent Salesforce survey found that 84% of consumers are more loyal to companies with strong security controls.
With 69% of consumers believing that companies will use their personal information in a way that they are not comfortable with, there is a real opportunity for businesses willing to differentiate themselves through forward-thinking, consumer-focused privacy programs.
So break out your kazoos and look through the suggestions below to find a way your organization can celebrate National Have Fun at Work Day by observing International Data Privacy Day. (Blueberry pancakes optional.)
Ideas for Data Privacy Day
While it may sound like a tall order, getting your team committed to, even excited about, privacy is the natural result of education and empowerment. And it can be fun!
The National Cyber Security Alliance, a leading nonprofit, public-private partnership dedicated to promoting cybersecurity and privacy education, has five suggestions for ways executives can improve their company’s privacy program:
- Create a privacy-aware culture
- Organize regular privacy awareness trainings
- Help your employees manage their individual privacy
- Add privacy protections to your employees’ regular toolbox
- Get expert help
One note — while the ideas below are a great entry point, running an effective privacy program doesn’t happen just by checking items off an agenda. Your privacy to-do list is more like a rotating chore chart than a to-do list. Just like you do month-end reconciliations and scheduled inventory orders, maintaining your privacy infrastructure needs to be part of your standard operating procedures.
One of the biggest challenges companies face in developing institutional privacy awareness is that people just don’t understand what data privacy is. The fastest way to eliminate this barrier is to help your employees see just how vulnerable they are and how much of their personal data is floating around the internet.
Two great tools to help people see the gaps in their data privacy knowledge are the National Privacy Test and the Google Phishing Quiz. On January 28, you could have your team/department take these tests and give prizes to top performers. And bonus! If multiple people miss the same question, you have a ready-made list of training topics for future staff meetings.
Other steps you can take on January 28 include running an internal campaign to make sure your employees know and understand your privacy program and their place in it. Every group email, newsletter, and meeting should have a “privacy moment” where these ideas and best practices are reinforced.
Teach your employees to fish (but to avoid phishing)
There is a reason the saying “teach a person to fish, you will feed him for a lifetime” has stuck around. As corny as it sounds, it’s true. Here’s a quick exercise your team can do on January 28 (or any day) that will help them understand their level of privacy savvy. The results may be surprising.
After completing the Google exercise, the National Cyber Security Alliance’s Manage Your Privacy Settings page can help them set personal privacy settings that align with their comfort level.
Why should you use your valuable working hours to take your employees through this process?
Employees who are empowered to manage their personal privacy are more likely to understand why privacy is so important to your clients.
Training, training, training. (Did we mention training?)
Before we talk about why your employees need consistent privacy training, let’s go over a few definitions:
- Effective frequency is the number of times a person needs to hear an advertising message before acting on it.
- Mere-exposure effect is the likelihood that people will develop a preference for something the more familiar they are with it.
- Redundant communications is the term used to describe using multiple communication modalities to convey the same message.
Advertisers, masters of getting people to do what they want, use these terms to create a framework for the behavior they are hoping to elicit with their campaigns. Current marketing research indicates that effective frequency can change behavior with as few as three messages but is most effective between 6 and 20 times. Similarly, mere-exposure reaches maximum efficacy between 10 and 20 times.
But that’s advertising. How does this apply to employee training?
Several years ago, Harvard Business School professor Tsedal Neeley conducted a study of how managers use redundant communication to help their team meet deadlines and other project goals. Neeley found that the most effective managers repeated themselves at least once, but more often between three and four times using multiple methods.
This means managers who successfully changed employee behavior and/or maintained team performance standards communicated the same information via meetings, emails, individual phone conversations, internal message boards, texts, and face-to-face.
If you want your employees to buy into your data privacy strategy, you need to:
- Consistently expose them to it
- Provide opportunities for them to understand it at a deeper level
- Clearly and repeatedly communicate your expectations using multiple modalities
These “trainings” do not need to be formal seminars with expensive guest speakers. They can be five minutes in a staff meeting or five sentences in an email. The key is to up the effective frequency and exposure to messaging using redundant communication.
Make privacy standard. And easy.
If you want your employees to understand you are serious about privacy, you can prove it by:
- Implementing company use of VPNs, encryption, and two-factor authentication
- Explicitly prohibiting the use of work devices for personal use (and vice versa) and the use of public Wi-Fi networks
- Providing company-branded camera covers or privacy screens
- Requiring strong passwords
Whether or not you do it on January 28, activities like passing out new privacy swag or sponsoring a company-wide strong password challenge reinforce your commitment to privacy as a core company value. That can only help in the long run.
Use an expert
Getting your team on board is important, but employee buy-in alone will not make you compliant with privacy regulations or best practices. As a leader, it’s your responsibility to figure out or hire out the critical and technical pieces of your data privacy program:
- A gap and maturity analysis will show you where you have exposure from your data privacy practices.
- Creating a data inventory will give you insight into what types of data you are collecting, where and how long you are storing it, and who you are sharing it with.
- Custom privacy notices and policies allow you to clearly communicate your data practices in a way consumers can understand (instead of in dense legalese).
- Reviewing and updating your cookie consent practices will help ensure that you collect only what you need and are compliant with collection notification regulations.
- Having someone review your digital marketing practices can prevent costly fines and operating injunctions that can damage your reputation and bottom line.
- Third-party assessments are vital to confirming your vendors’ privacy policies are both compliant and aligned with your standards.
Proactive privacy programming is possible
Whether you are subject to existing regulations or not, take advantage of International Data Privacy Day 2021 to chart a new course in your organization’s privacy journey. Need some help getting started? Contact Red Clover Advisors today to jumpstart your privacy program.