BY MICHAEL IRENE, PhD
Training in data privacy, I believe, is often overlooked. This is done for what seem like good reasons. First, there is the belief that once initial training is done, there is no need for refresher or further training: a one-training-fits-all approach. Second, there is the notion that repeat training becomes monotonous and boring for participants, which could lead to a lack of interest. And third, there is the misconception that data privacy training does not motivate the needed change within an organisation. Yet a report by Forrester suggests that 70% of data privacy breaches are caused by human error and lack of training.
Companies therefore need to focus on training and ensure that it remains part of their ongoing business-as-usual activities, whilst maintaining and monitoring their compliance framework. It is not simply about rolling out refresher training; what matters is that stakeholders design bespoke data privacy training that helps staff understand how their roles tie into the company's overall data privacy strategy. The question, however, is what the focus should be. What topics should be covered? In this week's piece, I focus on human resources (HR) and five key areas HR should be looking at.
First, Bring Your Own Device (BYOD). When it comes to convenience and how staff work, especially in this modern world, they want to do everything on their own device. A typical HR training programme would therefore include BYOD training for HR professionals, covering the special considerations that arise when employees use their own devices for work. This helps the organisation understand the risks and know how to communicate and enforce policies that protect it.
Second, maintaining privacy when handling employee files. The proper handling of employee files is critical. This area covers controlling access to files, how to store medical check and background check data, and understanding the employee data lifecycle. Succinctly put, because HR manages special category data, all HR personnel should understand their role in protecting it.
Third, considerations when monitoring employees. Some companies monitor their staff, and some do so for good reasons. What tends to happen, however, is that no consideration is given to the privacy risks embedded in monitoring. Clear training on what constitutes best-practice monitoring, and on how it can be done within the bounds of reason, would do the company a great deal of good.
Fourth, companies must protect privacy during the hiring process. This training focuses on how HR can reduce legal risk and maintain a good reputation with applicants, especially through the protection of applicants' information. Some companies claim that they usually delete an unsuccessful candidate's CV after six months, but when one digs into their assets, there are CVs sitting in the email boxes of some managers. This training will focus on teasing out the risks and reputational damage such practices could cause.
Fifth, considerations and issues related to vendors. Vendors are essential to the success of most organisations, but they can also create liabilities for an organisation. So all third parties managing HR files and processes must be audited regularly, and staff should be aware of the proper uses of these vendor tools or applications. This informs their day-to-day activity and gives a clear picture of the pros and cons of each tool or application.
This is not an exhaustive list. However, it could serve as a foundation for any organisation. Focusing on these areas would help keep large, medium or small enterprises safe and strengthen their data privacy programme.