Thursday, November 22, 2012

The Three Stages of Employee Awareness...Where are you?

On this Thanksgiving Day 2012, as we make efforts to be aware of what we are grateful for, I can’t help but gravitate to other related aspects of awareness – employee awareness. Specifically, employee awareness training and how effective it is.

The other reason that this topic comes to mind is because I am currently developing a new privacy awareness curriculum for my company. Like every other developer of training, I am concerned about many things: the delivery, the topics, the accessibility of the material, the level of interest of the participant, the language I use, the vernacular, the jargon, and on and on.

I think training practitioners are at a point where it is no longer reasonable or practical to simply create a 90-minute training module packed with every law, regulation, procedure and policy statement about the topic in question, and rationally believe that it will have any impact on the employee. In fact, recent studies show that shorter (15-20 minute), more pointed training concepts that involve more interactivity with the viewer result in better retention of the material, and ostensibly, better overall compliance with your privacy, security or compliance objectives. I have also noticed that a trend towards ‘gamification’ of training is getting a lot of press for the way it mimics the involvement a participant has in a video game. The idea is that this level of interaction engages the viewer on almost a sensory level, thus allowing them to fully embrace your curriculum, and ultimately your message.

I have a theory about employee awareness that involves three stages of awareness. It is my opinion that a majority of employees move through these three stages throughout their professional engagement and exposure to training in general. You can also see how, as a developer of awareness programs and as someone who is responsible for company privacy awareness overall, I am very interested in not only how employees move through these stages, but how quickly and efficiently.

The Three Stages of Employee Awareness
Stage 1 of Employee Awareness is what I term the “I want to do the right thing” stage. Every employee (hopefully) comes to the organization with the best and most honest of intentions in mind. What they may lack is an understanding of what the right thing is – as your company defines it – and how to go about doing it. This is where the onus is completely on the trainer to create a program that lays out the intentions of the curriculum in clear and unambiguous terms so that every level of employee throughout the organization walks away with the right message.

Stage 2 of Employee Awareness is what I call the “Is this the right thing?” stage. This level of awareness is where most employees in most companies are. The assumption is that training has been given already or that employees are somewhat aware of what they should or should not do as it relates to, say, data privacy, and are conscious of some degree of best practices. This stage is also when employees are starting to exercise their knowledge and e-mail or call me with what they think is the proper way to protect or disclose data and want to just make sure it is correct. If your employees are reaching out to you before they act, then you know that your awareness campaigns and profile are starting to take root and pay dividends.

The last Stage of Employee Awareness is the “Employees just do the right thing” stage. Since your staff now knows what is and is not the proper way to handle, process, share or store data, they no longer have to either wonder about it or ask you about it. What you have done to raise the visibility of privacy or data security awareness in your firm has now come full circle to bringing everyone up to the level of consciousness that you have. Not many companies are at this level of awareness utopia, however. It takes a lot of blood, toil, sweat and tears of employee engagement to get to this point, but it is possible – regardless of the industry or silo your company is in – and it is well worth striving for.

If your company is already in Stage 3 of Employee Awareness, then you have something extra to be thankful for this year. ;-)

Thursday, November 1, 2012

What If Privacy Policies Were As Easy To Read As IKEA Instructions?

I was building a wardrobe closet from IKEA the other day and I realized something remarkable after following the directions, page by page - and there must have been at least 25 pages of directions. Though the closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws, washers, shelves, frames, tracks and bolts, I was able to easily follow the directions to a successful completion - and I am not very handy, let me say - without the directions ever containing a single word. Everything, every page of instruction, was a simple line drawing.

I began thinking about how other people with no privacy background, interest or expertise feel when they look at what we do in the privacy space. That is, how average users of websites and apps feel about the privacy policies that they come across or, god forbid, ever dare to read. According to a recent study released by the digital branding firm Siegel+Gale, most users of Facebook and Google had fundamental gaps in understanding, even after reading the posted privacy policies, of what the websites were saying in those policies or what they did with customer information. Think about what that says about the privacy profession and its ability to communicate a coherent message! Can you imagine any other industry in which its primary user base or target audience doesn't understand its products? Does anyone you know buy a bicycle and not know how to ride it? Because privacy policies are so difficult to read and understand, readers of those documents walk away from the policy with no more understanding of what is happening with their data than when they started. If that is the case, then you, as the writer of that policy, have failed your customer.

Years ago, the privacy role was taken by the General Counsel, who was typically appointed the Chief Privacy Officer one day because she had written the privacy policy sometime before. It goes without saying that the document was probably a bog of legalese; a vague and deliberately obtuse read that only served to cover the company's metaphorical ass. Then, someone in the company heard that there was a Chief Security Officer in the building. Eureka! So now he should also be in charge of privacy, along with security. (They are the same thing, no?) That worked out well for a while, but then it was soon realized that the CISO's primary duty is to protect data so that no one gets to it. That didn't do the marketing folks any good, let alone customers who wanted control over their own data.

As time has elapsed, consumers have matured, and our appreciation of the treasure trove that we call our database of customer and employee data has begun to rise, I believe that the role of the privacy professional is now converging to a middle ground. The role is moving from the polar extremes it previously inhabited towards an individual with a skill set that is a confluence of three core proficiencies: first, an appreciation of the law; second, respect for and understanding of security; and finally, a practitioner's eye for the use of data and a real-world operational understanding of the business. When a privacy policy is written by someone with this kind of resume, an average user who reads it will know exactly what the company is doing with the data they collect and use. Maybe, someday, that privacy policy will be as easy to follow and understand as the directions for building an IKEA closet.