The Why and How of a Privacy Awareness Program

For every organization, privacy awareness plays a large role in the success of risk mitigation. Whether an organization is large or small, it is essential that privacy is taken seriously. A successful privacy program requires many elements, which can include technical solutions – such as encryption, firewalls and virus scanners – as well as procedural elements, processes and more. However, one of the elements that can make the biggest difference is the human one. Knowing how to deal with risks to personal data and how to respond to threats is essential. The way people handle privacy can be your strongest shield. This makes an informative and engaging privacy awareness program essential.

Why is a Privacy Awareness Program important?

Aside from the fact that employee awareness is key to success, it is also a mandatory part of the GDPR. The second subpoint under the heading ‘Tasks of the Data Protection Officer’ (Section 4, Article 39) in the General Data Protection Regulation (GDPR) states: ‘to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;’ The GDPR does not go into further detail regarding what awareness-raising and training should entail. This is why it is important to consider a range of factors when deciding what kind of privacy awareness program is appropriate for your organization. The privacy awareness program should, as stated, make those employees and contractors who deal with the protection of personal data aware of their responsibilities and how to execute them. However, it may also be relevant for the broader organization to have a basic awareness of privacy, especially if the type of work done in the organization is focused on the use of personal data. By creating broader awareness, you help create a mindset that encourages people to be proactive and vigilant.

What should be included in a Privacy Awareness Program?

Naturally, what you include in your privacy awareness program will depend on the target group. Although you may be inclined to focus on newsworthy subjects, it is actually better to look inside your own organization for inspiration first. Training that is based on real-life examples from within your organization will be much more impactful than examples from other companies or news stories. Risks that need to be controlled or mitigated within your own organization offer great subject material for a privacy awareness program. An example that is applicable to most organizations and is a significant risk is ransomware. Teaching employees how to detect and report ransomware is essential in mitigating risk. Your organization most likely has a range of policies; it is unrealistic to expect ALL employees to retain all the information about these policies. In many organizations, even reading and understanding them is a hard requirement. Creating targeted content for each key subject means that you can select elements for the different awareness trainings. You can focus on a broad or specific aspect, depending on what the target of the training needs. It is important that awareness moments are scheduled regularly. Short and regular bursts of information are much more likely to be remembered and will help instill a culture of privacy awareness across the organization.

How should you create and deliver a Privacy Awareness Program?

As a general rule, people don’t take well to being told what they can or cannot do. In this respect, it is highly advisable to focus on how to conduct actions safely, rather than on a “Do Not Do” list. Also, ideally, an awareness program should not be limited to the office. By helping employees understand how to deal with information safely at home as well, you are actively helping them at a personal level and instilling a mindset that will help at work. Consider social networks. Rather than telling employees they are not allowed to access a social network, teach them how to use it safely instead. The key is to help reinforce positive habits. Although many aspects of security are seen as common sense, without some understanding of the rationale, it’s often not so common at all. It is crucial to deliver a privacy awareness program in a way that is accessible and realistic. Talking down to employees or making the content too dry will not serve you well and will most likely decrease the success of your program.

A privacy awareness program is an essential part of the GDPR requirements

  • It is important to carefully consider the needs of your organization and audience so that the effectiveness of your program is guaranteed.
  • Using a variety of engaging content to bring the message of privacy awareness to employees in an accessible way is essential.
  • The more employees can relate to the information you are sharing with them, the more likely they are to take on board the messaging of your content.
  • It is a good idea to start with a baseline of quantitative and qualitative data to be able to show the effectiveness of your program.
  • Taking the time to measure the effect of your efforts will ensure you are able to steer your organization and its employees towards a positive mindset in relation to privacy awareness.


The full article was published by EIMF partner organization EXIN. EIMF offers courses preparing participants for the EXIN Data Protection and Privacy Foundation and Practitioner qualification exams.