©2004 MediaPro, Inc.1
Privacy Training: Strengthening the Weak Link
By John Block
Director, MediaPro, Inc.
IAPP TRUSTe Symposium
June 9, 2004
©2004 MediaPro, Inc.2
Introduction
John Block
Director, MediaPro
Susan Welch
Global Privacy Manager, Procter & Gamble
Lyn Watts
Group Product Manager, Microsoft
©2004 MediaPro, Inc.3
“The weak link in many companies privacy ‘chain’ is the untrained employee. Awareness training is not an option, it’s a necessity!”
- Fran MaierExecutive Director, TRUSTe
©2004 MediaPro, Inc.4
"Human history becomes more a race between education and catastrophe."
- H.G. WellsOutline of History (1920)
©2004 MediaPro, Inc.5
Agenda
Privacy training implementation: six steps to achieve desired outcomes
Best practices within the six steps
Case studies from P&G and Microsoft
Q & A
©2004 MediaPro, Inc.6
How the Best Ones Do It…
Dr. Jack Zenger
Human Resource Development Hall of Fame
Extensive research with hundreds of organizations
Insight into what differentiates successful training outcomes
The “best ones” follow six steps
©2004 MediaPro, Inc.7
How the Best Ones Do It…
1. Obtain a Clear Vision of Organizational Goals
2. Link Privacy Training Outcomes to Business Needs
3. Earn Support of Senior Management
4. Position and Publicize Privacy Training
5. Conduct Privacy Training Effectively
6. Measure and Sustain Privacy Training Impact
©2004 MediaPro, Inc.8
1. Obtain a Clear Vision of Organizational Goals
Business issues driving the need to protect privacy
Core values related to a culture of privacy
Strategies employed to achieve privacy goals
Behavioral changes identified to achieve privacy goals
©2004 MediaPro, Inc.9
1. Obtain a Clear Vision of Organizational Goals
“We look at privacy the same way we look at our car business. People trust our cars. They should feel that same level of trust for how we handle their data.”
- Andrea WhiteToyota
“Our culture fosters respect for our customers and our employees. Our vision for privacy is no exception. We’ve woven it into the very fabric of our culture.”
- Matt LeonardIBM
©2004 MediaPro, Inc.10
Compelling case for doing privacy training
How training will help achieve business goals
Key indicators of success
What each target audience needs to know about privacy to support business goals
2. Link Privacy Training Outcomes to Business Needs
©2004 MediaPro, Inc.11
“Linking privacy training to company goals is a ‘heavy lifting’ exercise. I guess compliance can be a goal if you want it to be. And it can be tied to customer satisfaction goals, security goals and even positive labor relationships.
But we also key it to our ‘Standards in Business Practices’ in areas like respecting employees and ethical business conduct. That seems to strike a cord with our employees and position privacy as part of H-P culture.”
- Barb Lawler
Hewlett-Packard
2. Link Privacy Training Outcomes to Business Needs
©2004 MediaPro, Inc.12
Breakout Exercise:Privacy Training
Implementation Ideas
©2004 MediaPro, Inc.13
3. Earn Active Support of Senior Management
Decision-makers, champions, resistors
How champions help achieve privacy training goals
Management behaviors needed to support the desired outcomes
What leadership commitment looks like
©2004 MediaPro, Inc.14
3. Earn Active Support of Senior Management
Training managers in the same privacy content
Giving managers what they need to reinforce new behaviors
©2004 MediaPro, Inc.15
3. Earn Active Support of Senior Management
“Winning executive support? I think that’s an easy one! The investment I request from senior executives for employee privacy training is small budget ‘potatoes’ compared to putting our business at risk!”
- Michele Kemper
Safeco Corporation
“Our managers send employees ‘invitations’ to the training, and this is reinforced with ongoing communications from senior management and from me, as Chief Privacy Officer.”
- Dale Skivington
Kodak
©2004 MediaPro, Inc.16
Microsoft Privacy Training: Executive Support is Key
©2004 MediaPro, Inc.17
4. Position and Publicize Privacy Training
Creating sense of urgency
Making sure the target audience understands the business goals for the privacy training
Answering the questions: “What’s in it for me?”“What’s in it for our organization?” and “What’s in it for our customers?”
Developing an “elevator stump speech” to answer, “Why do I have to spend my time going through this privacy training?”
©2004 MediaPro, Inc.18
4. Position and Publicize Privacy Training
“We get employees ‘juiced’ before the training is rolled out!We’ve put posters up fashioned after movie promos that make the point ‘Something is coming!’ That builds curiosity and signals importance.”
- Elys Brewda
T-Mobile
“We use customer quotes when we market our privacy training. That really makes a compelling point that trust is important and that we can put ourselves at risk if we don’t do the right thing.”
- Barb Lawler
Hewlett-Packard
©2004 MediaPro, Inc.19
©2004 MediaPro, Inc.20
©2004 MediaPro, Inc.21
What’s in it for me? Sample E-mail Message
“Privacy Laws in many countries require that employees
complete annual privacy training. P&G needs to use and
share data globally and all employees must complete
Privacy Training so that P&G complies with privacy laws.
Failure to comply with the law can result in penalties and
fines to P&G. By completing this short training, you
increase your understanding of how Privacy affects the
work you do, help P&G be globally compliant and maintain
the trust of the people whose information you work with.”
©2004 MediaPro, Inc.22
Why Privacy Matters in My Job
©2004 MediaPro, Inc.23
5. Conduct Privacy Training Effectively
Knowing who is responsible for privacy training implementation
Making sure there is an Implementation Plan
Knowing what the budget is and who owns it
©2004 MediaPro, Inc.24
5. Conduct Privacy Training Effectively
Document how the privacy training is provided, accessed tracked and measured
Decisions on appropriate content
How the training will be made relevant to users
©2004 MediaPro, Inc.25
5. Conduct Privacy Training Effectively
“I use what I call the ‘warm nest’ approach. I initially implement it in a small area where I am certain it will succeed.
It’s a win for me. I end up with positive data to share with management on the impact of the training.
It’s a win for the organization. I’ve tested the training and made necessary tweaks BEFORE rolling it out more widely.”
- Michael Horodyski
Tektronix
©2004 MediaPro, Inc.26
Breakout Exercise:Privacy Training
Implementation Ideas
©2004 MediaPro, Inc.27
6. Measure and Sustain Privacy Training Impact
Privacy training seen as part of achieving business objectives (not a “program”)
Process for evaluating the impact of the training
Channeling data back to the management
Using data to make adjustments in business policies, procedures and technologies
Management recognition and reinforcement for using privacy knowledge back on the job
©2004 MediaPro, Inc.28
6. Measure and Sustain Privacy Training Impact
Communicating success stories to the organization
Follow-up and refresher privacy training
Use of privacy knowledge in performance management goals
Senior managers finding opportunities to communicate the importance of privacy to the organization
©2004 MediaPro, Inc.29
6. Measure and Sustain Privacy Training Impact
“A combination of anecdotal and quantitative measures communicated to management will help validate your training efforts. Going further and communicating those results throughout the organization can help privacy become part of the everyday culture.”
- Richard PurcellFormer CPO, Microsoft
“I look for opportunities to have conversations with employees in amongst the cubicles, and loud enough for others to hear. Often someone else will pop up from their cubicle and bring up a privacy issue that they are concerned about… and on it goes.”
- Lynn MajorsaQuantive, Inc.
©2004 MediaPro, Inc.30
Questions and Comments