From the course: Creating a Culture of Privacy

Making privacy relevant to every employee

- A culture of privacy is built slowly over time. Not with a quick decision, or the wave of the CEO's hand. You can't protect against regulatory inquiries, data breaches, and a privacy backlash from customers, if you don't have everyone in your organization working towards a common goal, with a common framework. But, how do you make the leap from a concept, simple idea, about how your company is going to approach privacy, and grow it into a culture that permeates every part of your business? Culture is very little about what we say, and very much about what we do. If we don't live it, it's never going to play out, as we want. So, how do you help your company act on a daily basis with privacy in mind?

First, you need to make it relatable. Too many times I see companies try to get employees to comply with a long set of internal policies around privacy that they test them on, year after year, in compliance training. But, what you hear time and time again, in those companies, is employees not understanding how the policies that they are tested on relate to their day-to-day job. So, how do you make an amorphous topic, like privacy, easier to understand? Create awareness about the topic, first, through an event that draws a crowd, and shares your message. Some ideas I've used in the past are showing a movie that relates to a privacy topic, inviting in interesting speakers on the topic of privacy, or hosting a lock picking event. At a lock picking event, employees learn how vulnerable different types of locks can be. This helps highlight how vulnerable security systems can be, and why your company needs more than just a simple password to protect its most sensitive customer data.

Second, make your company's approach to data privacy easy to understand. You can't expect every employee in your company to read your privacy policy. Sorry, us lawyers have just failed to make those lengthy documents interesting or understandable. So, you're going to need to do the work of boiling it down to a few key concepts, or phrases. One way to do this, is to create a simple message around your company's approach to privacy that everyone can follow. For example, LinkedIn uses the concept of the three C's, Clarity, Consistency, and Control. These are three words everyone in the company is familiar with and understands what they stand for. Clarity means we say what we do with our members' data. Consistency means we do what we say. And, control means we give our members control over their data. A concept like the three C's is easy for all employees to understand and act on.

Third, share with employees the way in which privacy ties into the overall mission and values of the company. I found the most effective approach here is to have the company President or CEO communicate this directly to the employees. A good way to do this is by having your executive send an email to all employees outlining your company's approach to privacy or having him or her speak to it at a company meeting.

Lastly, give employees clear guidance on the boundaries around how data is collected, used, and stored at your company. Provide training to different teams to help them understand how to think about data privacy in the context of their role at the company. Make it clear to employees, it is okay to ask questions. And, let them know the privacy team is the one they should go to when they need answers. At the end of the day, if you make privacy relatable, and provide a simple and clear mandate for thinking about the issue, you'll be one step closer to creating an awareness of privacy throughout your organization.
