One of the nicest, but also often perceived as one of the hardest, requirements of the AVG (the Dutch name for the GDPR) is creating privacy awareness among employees. The Autoriteit Persoonsgegevens and various certifiers put a lot of emphasis on this. And rightly so. The privacy expert within an organization, usually the Data Protection Officer (FG), often has the processing register, data breach procedure, privacy statements, etc. all in order. But what good does that do the organization if employees are not aware of the privacy sensitivity of the data they process?

If someone does not realize that a lost USB stick might contain personal data, the loss is never reported, let alone that appropriate measures are then taken, no matter how good the existing data breach procedure is.
The entire privacy policy therefore stands or falls with privacy-aware employees. But how does an FG ensure that employees become privacy-aware? In this blog, I offer some tips.
Actions should be tailored to the organization's level of maturity. An organization with high awareness about privacy requires different actions than an organization where privacy is still in its infancy.
In many cases, attention to privacy is new to an organization. It is not yet ingrained in the business processes. Sometimes it will also be perceived as yet another additional burden. "Yet more bureaucracy distracting from work," I am often told. So the person responsible for data protection may start off at a disadvantage.
If an organization or part of it does have a lot of focus on privacy, it can get off to a flying start. Then it is much more a matter of maintaining it and keeping it top of mind.
In larger organizations, it is also important to check whether privacy awareness is the same everywhere. I quite often find that management, as the processor(s), is well-versed in the need for privacy, while people on the shop floor are much less privacy-aware. It is important to examine that distinction.
Furthermore, it is essential for employee awareness that the person responsible for privacy policies is visible in an organization.
Above all, that means going out into the organization. He or she can conduct interviews with employees about the data they process, retention periods, etc. Often, while talking, employees already draw their own conclusions about adjustments to their work.
Regular attendance at management meetings is also recommended. You probably don't have to do this every time, but it is wise to update management regularly, say once a quarter, on the state of privacy.
If there are staff meetings, the stage can be set for privacy, for example with a presentation. It is then important that such a presentation does not become a dry enumeration of the requirements of the AVG, but instead contains examples linked to the organization. You can also organize short information sessions for employees. I usually limit those to no more than an hour. I put privacy in historical perspective to show that it is not a hype. Then I briefly discuss the main points of the AVG and link them to the organization. The second half hour is for questions.
It also works well to issue a privacy news flash once a quarter. All employees in the organization then receive an email briefly describing what has happened in the privacy area. If there has been a juicy data breach in the media, I often include it, with comments linking it to the organization. Chances are that such a news flash will prompt a few emails with questions from employees.
Once the initial missionary work is done, it is important that attention to privacy does not wane. It must stay alive in the organization.
Again, consider what suits the organization. At this stage in particular, make sure that someone like an FG or DPO does not continue to pull the privacy cart alone. The manager(s) and processor(s) should pick it up. For example, privacy could be included in the annual performance review with all employees.
Further, the privacy officer can also conduct privacy audits in the organization over time. In these audits, he or she checks whether the description of the processing of personal data in the register still corresponds to practice. Does the register need to be adjusted, or are the requirements of the AVG no longer met in practice, so that the work process itself needs adjusting?
The AVG contains an obligation to discuss the data breach register. It is therefore wise to actually do this once a year, to see what lessons can be learned and to translate them into measures. Propose those measures and discuss them with the processor(s).
It is also advisable to repeat a possible information session, as I described earlier in this blog, over time for all new employees.
Another idea is to put up posters with five privacy rules of thumb. Or, if there is a bit more budget, purchase a privacy quartet card game, which I came across the other day. Nice to add to the Christmas package? Or to give as a birthday present, along with the obligatory gift certificate?
The AVG, fully in the spirit of the times, is primarily about transparency and demonstrability.
The efforts of the person charged with raising privacy awareness in the organization must therefore also be made demonstrable. This can be done, for example, by putting the slides of a presentation on the intranet. Also make notes of the analyses and send them to the processor(s) in the form of written advice with suggested measures.
The analysis of the data breach register, with conclusions and actions, can likewise be recorded in a short advisory memo. The same applies to the findings of privacy audits. It is useful to use a fixed format for this. That makes things easier for yourself, but more importantly, it also improves readability for others.
To do it really properly, a privacy awareness programme can also be set up, listing all actions with a description, schedule and results. It is useful to coordinate that schedule with the person(s) responsible at the start of the year.
In all of this, it is important that an FG does not forget his or her role. Under the AVG, an FG has an advisory and supervisory role. He or she can recommend measures and to some extent help implement them, but the responsibility does not lie with the FG. It is primarily the responsibility of the processor(s) to ensure implementation. To make the role of an FG a success, support from those processor(s) is needed.
