Should You Consider Infusing Innovation Ιnto Training?
Training, an eight-letter word, which on the surface appears to be easy to implement. However, every trainer will know that finding seat time and ensuring understanding has become a challenge. As training is seen as a necessary component of doing the right thing with an individual’s data, it has resulted in many companies examining the number of training modules, their length, and quantifying “non-productive time.” This shift has required privacy program trainers to do the minimum by getting a short, non-engaging computer-based-training to the masses, without considering the audience. The one-size-fits-all approach is the quickest, but mostly ineffective, a method for meeting privacy training requirements.
In response to computer-based training, employees have become “click fatigued” by racing through their training modules to receive their completion certificate and move-on, without an understanding of why and how the training will impact their work. Training leaders have implicitly supported this practice through publishing metrics on completion percentages, rather than gauging understanding, which later may result in potential consequences of non-compliance with internal policies or regulators. While Benjamin Franklin states, “an investment in knowledge pays the best interest”, many companies continue to churn out poorly executed training modules. According to SHIFT Learning, it is estimated the total loss for providing ineffective training is $13.5 million, per 1,000 employees. Also, some regulators have evolved with the understanding that companies must go beyond completion rates and be able to demonstrate a user’s mastery of the content beyond taking a quiz.
The "golden days" of pulling staff into a training room and delivering live training on adherence to privacy regulations and company policy is gone. In fact, with mobile devices and alternative work locations, the need to provide just-in-time training, via computer-based-training, will continue to evolve. However, there are many ways privacy programs can engage and connect with employees, while still being mindful of the budget and impact on employees' productivity. This requires innovation and the willingness of the privacy office to seek out new opportunities. As all good trainers use acronyms and slogans, this article will present change using TRAIN.
Tell others what training is required and its drivers. Senior leaders need to understand the reason for why training is needed, such as a regulatory requirement, risk reduction, best practice, or it is merely the right thing to do. Companies handling information about its customers, employees, or other stakeholders are obligated to do the right thing, which is ensuring there are proper training and awareness regarding the ethical use of data.
Review what training topics need to be covered as well as the audience. It is essential for trainers to understand the landscape and the target audience. Also, review current statistics, metrics, or antidotal information, which may provide insight into what topics should be focused on more than others. Training time is limited, and organizations must assess where to spend their time and money.
Assess innovative ways to provide training and awareness. Remember, this is not a one-size-fits-all approach. Take time to work with senior leaders, middle management, and frontline staff to determine current levels of understanding regarding privacy rights or knowledge of the policy. Hold structured, focused meetings on gauging awareness and gain buy-in for different methods to provide messaging. Computer-based training is so "yesterday" that organizations must be able to reach a broad cross-section of employees. Do not forget role, age, and seniority differences.
Innovate. Seems simple enough but how innovation occurs mostly depends on leadership support and cultural buy-in. Change takes time, and it’s crucial to obtain the Chief Privacy Officer or company officer’s buy-in to try different tactics. Start slow, take a practical approach, adjust, and deliver an enhanced product. The training opportunities must often occur, using different techniques. Also, do not be afraid of failure. Adjust as necessary but celebrate if you get only one convert as that individual becomes your advocate.
Consider these approaches if you are not sure where to start:
- Commit to getting the privacy office in the field to understand issues facing the company as well as company procedures. The most effective individual is one who builds rapport before a compliance issue occurs. Seek out natural allies, such as customer service, human resources, and legal.
- Use compliance issues as opportunities, not punitive measures. The most effective compliance areas are those who use their relationships constructively.
- Leverage significant media events regarding data or security breaches in the news as an opportunity to assess the privacy program and to educate users on how to protect themselves. If the incident is large enough, you will naturally have nervous users who seek help. Now is the time to make the training personal to protect their and their family’s data. Then circle back to how those techniques must be used to protect information the company collects and uses.
- Deputize individuals within the company to be your ambassadors, providing them with unique training or educational opportunities. If practical, consider obtaining a corporate membership through the International Association of Privacy Professionals, allowing the ambassadors the opportunity to receive daily news feeds, sign up for certifications, or attend a local chapter meeting or conference. A little tender-loving care and small expense will allow the privacy office to immediately gain acceptance and insight without having to hire additional staff.
- Use existing media outlets, such as employee and manager newsletters, other business unit communications, internal social media, or portal media windows. Consider posting thought-provoking privacy material near the privacy office as this is an opportunity to start the discussion.
- Finally, use role-based computerized training. Notice this suggestion is last as it is the most frequently misused medium. During the above "A" planning step, different roles should have been identified and mapped to processes. Role-based training ensures specific training related to a user's job is provided. Companies should consider testing the user’s knowledge before and after the training, gather metrics as to what questions are answered incorrectly and develop follow up messages. Knowledge checks should be considered later in the year to determine what information has been retained. Companies must also make training more than a click-through exercise but engaging, using gamification. If one implements the first 9 steps, gamification and other ideas should come naturally.
Never stop reinventing the program. It is work to continue to keep the program revitalized and fresh. However, there is never a shortage of topics to discuss, and many employees enjoy being engaged through different methods. Internal social sites are the most efficient way to reach out to the masses to provide an insight into how to protect their information as well as applicability to their responsibilities at the company. Continue to ask and listen to feedback. Understand no program is perfect and it is impossible to achieve perfection but continue to look for new opportunities, such as partnering with compliance-focused business units (human resources, customer service, and safety).
By implementing these tactics, organizations can successfully implement an efficient privacy training program. In the rapidly shifting privacy landscape, it’s more important than ever for companies across industries to make privacy a top priority. This requires buy-in across the company, from junior staff to senior management. By creating a program that focuses on engagement and takes your staff away from mundane trainings, you’ll be able to successfully create a culture of privacy that will keep privacy and compliance top of mind.
