Key takeaways:
- To encourage employees to serve as privacy stewards, it’s important to illustrate the benefits to their roles and careers. Not only is this a positive addition to a resume, but it can also help employees better approach projects.
- Keeping employees engaged in privacy policies can hinge on effective training. It’s helpful to utilize more personal or situation-based education.
- Don’t underestimate the value of recognition. Giving accolades to employees who have stopped up to help privacy is a great way to generate interest in your program.
Implementing a privacy by design framework throughout a large and complex organization is a sizeable endeavor, but one made easier by privacy champions.
Champions or privacy stewards play a crucial role in the effort to operationalize privacy by design by serving as your “boots on the ground.” While they don’t necessarily have a legal or data background, they’re vital team members in the effort to drive privacy awareness, flag potential issues, and mitigate risk.
A strong system of privacy champions can set the foundation for long-term program maturity.
Still, every employee has their own set of obligations and goals, so finding the right individuals to join this network and keeping them engaged long-term can be a challenge.
Let’s dive into how senior privacy leaders have leveraged privacy champions to advance their programs.
Framing the Benefit of Serving as a Privacy Champion
During a recent Data Privacy Board panel on operationalizing privacy by design, Daniel Fisher, Director of Digital & Data at Merck, shared how valuable their network of roughly 250 privacy stewards has been to the organization.
“We rely on them to be our eyes and ears in the practice area,” Daniel said.
These stewards are regularly trained individuals outside of the privacy office who are either interested in this space or have some expertise but hold other roles across the business.
Daniel said their added support has been crucial for a large company like Merck, with over 70K global employees.
“Our global privacy office is less than 25 individuals, so there’s a lot of work to do for a global company,” Daniel said. “But that privacy stewards network are folks that are regularly trained. It really helps us have the extra talent we need.”
To find these dedicated stewards, Daniel shared that Merck positions the role as a career differentiator. It allows employees to distinguish themselves, and it can be a beneficial addition to a resume.
“We rely on them to be our eyes and ears in the practice area.”
Daniel Fisher, Director of Digital & Data at Merck
Additionally, Daniel shared that it’s important to illustrate how this position and its accompanied training can ultimately be self-serving.
When employees have a baseline level of privacy knowledge, they can better approach project ideas. Daniel gave the example of a marketing professional needing privacy metrics to reach a prospect through a targeted advertisement.
“A lot of your privacy stewards who come forward are folks in the cybersecurity space, in the marketing space, or in the direct consumer space who are really interested in this because it helps them,” Daniel said.
Setting Clear Expectations for Your Privacy Stewards
When engaging employees to participate in a privacy steward or champion network, it’s important to set clear expectations at the outset. If employees aren’t fully aware of the time commitment, you could end up with high turnover rates.
In the Data Privacy Board’s confidential community forum, one member shared an example of the general expectations they outline for their privacy stewards, including:
- Understand privacy policy, procedures, and risk processes and how they apply to their business unit.
- Know where to find key information and which privacy specialist to work with to inform their business unit of process updates or to provide help when asked/approached.
- Attend monthly meetings (or review recordings) to stay current on privacy topics and process updates.
- Complete assigned training.
They also shared the time commitments they require, including:
- One hour per month to attend meetings
- 30 minutes to one hour per month for training
- Four to six hours per month to support their business unit or privacy office
Keeping Employees Engaged Through Personalized Training
Bose Legal Counsel Evan Fleischer shared during the panel discussion that they don’t operate a formalized network of privacy stewards, but many employees have taken the initiative to get involved in privacy.
He shared that there are one to two individuals in each department who consistently reach out with questions and flag potential issues. Evan said this organic engagement is the direct result of really effective training.
“What’s happened is that through our training and making people realize the importance of privacy — how to think about it and how to potentially identify it — people have really stepped up,” Evan said.
Evan said early on, they asked employees to consider how they’d feel if their personal information was used in various scenarios. That personalization helps provide context behind privacy training and processes.
“It internalized it for some people,” Evan said. “When you have data on a screen, it’s just data on a screen; versus bringing more realization to what that data is to you personally is what really motivates people to potentially think about these things and flag it to the right individuals.”
“What’s happened is that through our training and making people realize the importance of privacy — how to think about it and how to potentially identify it — people have really stepped up.”
Evan Fleischer, Legal Counsel at Bose
Celebrating Your Internal Privacy Advocates
When building a privacy culture within an organization, you shouldn’t underestimate the value of recognition.
During the panel, Tom Holtan, Senior Director of Privacy at Northwestern Mutual, shared how the privacy office gives annual accolades to their most supportive employees
As part of Data Privacy Week, Tom said Northwestern Mutual hosts its own Privacy Champion Awards to recognize employees from an array of departments and seniorities for their stewardship and collaboration.
Tom said they hold an awards luncheon and gift custom Yeti tumblers to help show their appreciation for those individuals who have really gone to bat for privacy.
“Everyone wants to do the right thing. But we all have a lot of competing priorities. So it’s been a really nice way to just tip an accolade to these partners who are really watching out for privacy but also being really good stewards and collaborators.
“Everyone wants to do the right thing. But we all have a lot of competing priorities.”
Tom Holtan, Senior Director of Privacy at Northwestern Mutual