Privacy. In many organisations it is not a top priority. Ever since the GDPR went into effect in May 2018, a lot of organisations have taken concrete first steps, however, are employees sufficiently engaged with privacy as a result?
Privacy awareness among employees and the risks of unawareness
Concrete measures such as a privacy statement on the website, a processing register and improved network security do not directly lead to increased awareness among employees. That is a risk, because the biggest source of privacy incidents is not technology, it is people. An employee accidentally clicks on an insecure link or attachment. As a result, ransomware can encrypt all computers or malicious parties gain access to sensitive files. Every employee working with personal data should know the importance around privacy. Without this sense of urgency and understanding, things are likely to go wrong at some point.
What is expected of me when it comes to privacy?
One of the most important aspects of privacy that you know what level you are at as an organisation. Chances are, most employees are not concerned with data protection at work; they probably just want to get their job done.
The attitude of management plays a crucial role in creating awareness. By actively propagating the need to protect personal data, employees are likely to act accordingly. We distinguish 5 levels around awareness of privacy:
Level 1: Unfamiliar with privacy
Privacy is not a theme within the organisation. It does not resonate with employees, and if it does, it is with a few individuals who are actively dealing with the AVG. Privacy comes up occasionally. It is only when things go wrong that a lot of effort has to be made to deal with the problem.
Level 2: Familiar with privacy
Employees in departments that deal a lot with personal data are familiar with the obligations around personal data. For example, there is an occasional phishing campaign, there are e0learnings for employees and some posters in the building, but no sustained awareness programme has been set up. Policies and procedures exist but are not widely communicated or relatively unknown to employees.
Level 3: Vigilant action
In the majority of process owners and within several departments, personal data is handled vigilantly. Employees are aware that they work with personal data and know the risks involved, thus mitigating a problem. If there really is an issue around privacy, they know how to spot it or act accordingly. For example, by putting their questions to someone specifically appointed who deals with privacy. Risk mitigation is not yet proactively addressed. Besides e-learnings and recurring knowledge sessions, an occasional analysis of vulnerabilities within the organisation is carried out.
Level 4: Attentive handling
The entire organisation is aware of privacy and handles personal data with care. A department has been set up to ensure that employees are continuously aware of what is expected of them when working with personal data. Employees know the risks and act accordingly. Not all processes are yet set up to limit privacy risks. Through structural training and campaigns, privacy remains under the spotlight throughout the organisation.
Level 5: Privacy as an organisational mindset
Privacy is in the DNA throughout all layers of the organisation. The processing of personal data is an issue from the strategy phase onwards, so all necessary processes are interwoven with other relevant and existing business processes. When the organisation develops new technologies, the principles of ‘privacy by design and default’ are taken into account in addition to risk analysis. There is also monitoring of processes outsourced to third parties and the risks of data transfers outside the EU are known. Across the organisation, there is a sustainable awareness programme with knowledge sessions, simulations and serious games. Employees are assessed on how they handle personal data and privacy is part of the KPIs.
Greater attention to privacy leads to a more customer-oriented organisation
The power of awareness lies in repetition, which maintains a focus on privacy and keeps the instilled knowledge from disappearing over time and employees. Companies with a high level of awareness also work more efficiently and customer-focused. Privacy is thus part of the organisation and employees better understand what customers do and do not want. By working privacy-aware, handling privacy can be shown to the outside world as a seal of quality.
Would you like to know more about privacy awareness and can CRANIUM help you?
[1] General data protection regulation