Privacy Lawls with Donata

Ep.32 | Implementing privacy training the right way (Guest: Jodi Daniels)

What’s the purpose of privacy training? What should training cover? Can you include memes?

We recently had the founder of Red Clover Advisors, Jodi Daniels, come on the podcast to discuss the best practices when it comes to implementing privacy training in your company.

Show Transcript

[00:00:00] Hello and welcome to episode 32 of Privacy Lawls where I, Donata Stroink-Skillrud speak with amazing privacy professionals and we have some laughs along the way as well. Today I’ll be speaking with Jodi Daniels about how to implement effective privacy training. Jodi Daniels is the founder and CEO of Red Clover Advisors, a privacy consultancy firm, a certified information privacy professional.

Jodi brings over 25 years of experience in privacy marketing strategy and finance across diverse sectors from startups to Fortune 500 companies. Jodi is the co-host of the, she said Privacy, he said Security podcast, and she advocates for privacy as a fundamental human right. Jodi, thanks so much for joining me today.

I really appreciate you having me. Glad to be here. So what initially got you interested in the field of privacy? I was working at the time at a media company and was. In the [00:01:00] targeted advertising space. So essentially I stalked you for cars before Facebook did and before it was, stalking you for all kinds of things.

And that was honestly when the online advertising industry kind of came together to self-regulate. And I always joke it worked for about 10 years, but it was at that time that I was tasked with managing that self regulatory program for the company. And I thought this was kind of interesting. The more I dug into it, I, I liked it.

I was looking for something new to do. I had been building this network for years and, and was looking for something new to do. I was pre GDPR, so I’ve been in this privacy space now. I feel like I’m not as old as some of the people who’ve been in it for decades, but we’re closing in here on 15, 16 plus years doing data privacy.

That’s wild. Yeah. For me it’s about. Roughly like 10, nine years. And, and it’s, it’s good and it’s not good because, um, [00:02:00] you know, you see so much in privacy is changing and there’s all these new laws and some of your experience ca carries over to the new stuff. But, um, we’re always learning new things, I feel like.

Well, I actually think that’s what makes it interesting, because that’s true. There’s something new and it. Everyone is then learning together, which I believe also makes this community so special because it’s hard, it’s complicated. It’s kind of the land of gray. Some of these laws are black and white and a whole lot of gray in the middle, which I find when you need a question or you’re curious, Hey, how are you doing something?

Even in competitive spaces, people are sharing. Because we really are all in it together in the interest of the end user and the customer. So I think that’s what kind of makes privacy, fun and extra special. That’s true. It’s a, it’s a great community. Really welcoming, which is not the same across other industries.

Exactly. We’re special over here. [00:03:00] So you co-host your podcast with your husband Justin. What is it like to produce a podcast with your spouse? You should ask this in this question. It’s, um, well, it is fun and unique. We can honestly finish each other’s sentences. I guess I. Just realized I sound like a line from Frozen.

You know, it’s, it’s not common. I think it makes it fun. I think it makes it interesting and we just try and feed off of each other. There’s certainly some topics that are more Jodi episodes and there’s other topics that are a bit more just an episodes. We try and have some fun, uh, along the way and our poor kids get to hear about it all the time.

Yeah, I, um, I run termed with my husband and sometimes we’ll be talking about privacy topics and I’m like, why are we screaming at each other? Like, we, we need to tone it down. ’cause both of us are so passionate about it and we have such strong opinions and sometimes the arguments get pretty [00:04:00] intense. I’m like, wait, we’re just talking about.

First party, third party data like this should not be getting this like extreme right now. Yeah. Uh, well our kids could also tell you what we do ’cause they’ve heard it so many times. It’s kind of funny. That’s awesome. So let’s get into our main topic for today. Um, which is how to implement effective.

Privacy training. To start us off, what is the purpose of privacy training and what does it aim to accomplish? In my mind, privacy training is a few fold because you can have general privacy training and then you can have role-based privacy training. Let’s start with the general one. I think everyone in the company should understand what is data privacy and why does it matter to the company so much.

Often people who are not versed in this all day long, they think about privacy as in, oh, my data could be out there. There could be [00:05:00] a data breach, and they kind of immediately associate it with security. And while that is a part that’s actually most privacy, people might agree only apart, there’s so much more about what do we collect and how do we use it and should we use it, and who do we share it with?

All of that I think is not as commonplace and. While there might be a privacy team, a legal team, a compliance team responsible for privacy, really everyone is because the person who is sending an email or calling or even in payables or receivables or managing employment reimbursement expenses are on the marketing team or in customer service.

Personal information is all over the place and they need to know what is privacy and laws and how that might apply to a company, and then why it matters and the why it matters. One, there’s probably some laws and comp. Most companies decide, I, I wanna comply with some laws. So which laws apply to you?

And what is it that person needs to know? [00:06:00] But hopefully companies are also realizing that it actually really matters to customers that that customer expectation or that it also matters from a PR point of view. Because if someone does something wrong, maybe inadvertently, and it gets out there. Or the company misuses information in a manner that a customer didn’t expect.

That’s negative to the whole company, and everyone collectively is working in a company because they’re trying to make a successful company, which means when it comes to privacy, everyone has a role. That is why I feel like the purpose of privacy training in terms of that general training, educate everyone, make sure everyone understands what it is, and then why it matters so much and really articulate how that ties to the company goal, the company culture, the company strategy.

Just as an example, I’ll never forget, there was a company and they had serving the customer, high customer service as one of their just strategic pillars, and they tied [00:07:00] privacy to that customer service pillar. That was a way of bringing it to everyone in the company, and it was really successful that way.

The role-based piece is, is very, very important and I know that we’ll talk a little bit more about that because what Susie and marketing needs versus Harry in finance versus Sally and hr, they’re similar, but different. Yeah, I, I think it’s. You know, for me, like looking at it from a consumer standpoint when talking about why privacy training is important to employees, I’ll talk about, I’ll ask them like, how much time each morning do you spend, uh, sorting through spam emails and deleting them and unsubscribing them.

How do you feel when you get spam calls or maybe you got a spam text message at three in the morning that woke you up? You know, you probably weren’t super happy about that. And we wanna make sure that our customers don’t have that same experience, because you’re not gonna wanna buy from that company again if you feel like you’re being harassed or your [00:08:00] privacy is being invaded.

So, you know, trying to bring it to to that person and, you know, I know that. Throughout my entire work life experience, whenever somebody brings up training people are like, ah, really? Like, ah, do I really have to do this? You know, I have all this other work. You know? How do we best communicate the fact that privacy training is important?

Like, what do we tell employees? I think it goes back a little bit to what I was just sharing in terms of what those values are to the company. Number one, there might be some really serious fines and what are those fines? How can you attempt to qualify or quantify and how you don’t wanna be one of those.

It also has customer expectations. That are assigned to ’em. If our customers, just like you were describing, expect us to do right by their data, to not misuse their data, to protect their data, not just from security, but also just how the data is actually used. We wanna make sure that everyone [00:09:00] understands how protecting their data means in their DA daily role.

And I feel like when you get to that root and you’re able to tie it to those pillars, like that customer service example, mm-hmm. If you’re going to have training on how do we deliver great customer service, well, one of the ways we do that is also through protecting their personal information and being really safe with their personal information.

Then the person and that employee understands why it’s important. Part of that fine piece is also time and resources, because if there’s any kind of enforcement action or even just an inquiry, and of course if there’s a data security incident, now people’s time is diverted away from all the fun and exciting things that are in their job, and they have to go deal with that.

That’s expensive. Which expensive for that means we can’t in the company use what might have been money to grow or bonuses or fund activities or employee bonding. ’cause now we have to go deal with this [00:10:00] privacy incident over here that might have been avoided in the first place. So true. Yeah. I find it, it’s much better to explain that to the employees when they start the training or before you do the training, rather than just saying, well, you’re hired, so now you have to do this.

Um, or we do this every year, so now we’re gonna just do it. And there’s no explanation as to why. ’cause people don’t connect with it because they don’t think it’s important, just because you told them it is. Okay. So what types of companies should conduct privacy training? Um, is it only for companies that are legally required to do it?

Um, or would all companies benefit from doing it regardless of whether or not, um, it’s an actual hard requirement. I think all companies should do this and. There’s a few different reasons why. For the first is that customer expectation. I mean, I live in Georgia. I have no privacy laws really protecting me.

I have no state comprehensive privacy law. I have a few in health and in [00:11:00] finance, and a couple other scenarios. When I give my data to a company, I have expectations and. For those reasons, companies need to be able to understand, well, what are those company expectations? What is okay? What are our values?

What are our ethics? What’s, what can I do with this information? What’s acceptable for us? That is training, that is part of the value that you have. Just like how you’re building a product, how you’re pricing, how you’re gonna serve customers, all of all of that goes together, which means all companies are going to benefit.

And at the same time, if you are a company that is national, you’re not going to figure out, well, you, it’s almost impossible to carve out. Well, you only work on the data covered by these states. You have kind of compliance focus training, and then just general concepts of privacy, which is notice and choice.

Thinking of that customer first, should I sell this data? Should I share this data? How do I vet a vendor? What, what is in the [00:12:00] best interest of the company? And thinking of that customer first. So I definitely think it is an all company situation. Now, at the same time, if there are listeners here who have to comply with some of the hardy privacy laws, then your training might have some extra specialness to it because you are going to wanna talk about what some of those requirements are because truly people.

Your organization are responsible for helping to vet vendors and to perhaps have risk assessments first, or to not just place a pixel on the website without reviewing the consent banner or the privacy notice. First, there are real impacts. Privacy rights training is a great example for role-based training because whomever, first off, it’s required by California, and then if I get a request.

What do I do with it? I need to know what to do with it. If anyone here wants to go on vacation, I actually recently wrote kind of a series of contents and posts [00:13:00] on how you’re able to build resilient programs, and part of that is having training and process in place so that someone goes on vacation, someone needs to leave unexpectedly.

You want all of it to kind of keep humming. So that role-based training and cross training is actually really important for those. Specifically doing privacy activities for the general. Everybody else, it goes back to that customer service piece, those values and that strategy. Definitely not just because I have to check a box.

In fact, if you have to do it that way, the training you would probably purchase or create is gonna be really boring and no one’s gonna pay attention. Yeah, we’ll talk about that in a minute of how to make your training interesting too. I feel like so much of. Privacy requirements are really beneficial to the business overall.

Like for example, let’s say you don’t have any privacy laws applying to you, which I find pretty hard to believe because. Most business sites don’t like automatically [00:14:00] block people from California or from these other states, from visiting and submitting their information. But you know, let’s say some customer reaches out to you.

They’re not from any state that has a privacy law and they says, Hey, I, I’m not a customer anymore. Can you delete my data? If you give them the answer of, well, I’m sorry, these privacy laws don’t apply to us, so we’re not gonna delete it. The customer is gonna be upset regardless of whether or not they actually had that.

You know, same thing with vendor due diligence, doing vendor due diligence for privacy requirements. You find out a lot about these companies that are really beneficial to the other aspects of the business, like the fact that they’ve been sued for fraud or they’ve had multiple data breaches, or you know, they don’t actually do the services that they say that they do.

So while you’re doing a privacy assessment, you’re actually learning a lot in terms of maybe this isn’t just a good vendor overall, not just from a privacy perspective. Completely agree. Yeah, it, it, it’s wild. So how often should we [00:15:00] conduct this training? Is it when somebody’s hired and then every year?

More frequently, less frequently? I think it should be upon hire and definitely annually. However, it should not only be annually and I think there needs to be other formats of training throughout the year. Typically when we think about training, we think about some type of video or a PowerPoint with a voiceover.

Like, you know, there are some that are gamified and exciting, but something along those lines. There’s other forms of training that can be quick tip guys. Could be a short video, 32nd video multiple times. Maybe it’s a few minute video. So there can be newsletters, there can be at a meeting, someone speaking and reminding.

Of a particular topic. There can also be that role-based training and cross training, uh, throughout the year. If it’s only once a year, people are going to remember it, and then a little bit later they’re going. To forget. I know there’s all kinds of, of fancy science. I’m forgetting my fancy statistics at the [00:16:00] moment, but it is not very long that you remember it and then you forget it, which means you have to have multiple touch points.

It’s almost like seven times someone has to hear something. I’ve actually heard anywhere from seven to 21, which that’s a huge range, but pick one of those numbers. That’s a lot. Even seven is a lot to have to actually hear it, to remember and have it ingrained and. For those reasons, I believe it should be that kind of core training.

I’ve also seen people break it up. This is also really common in security building little short videos that are or even, you know, PowerPoints, but some content blocks throughout the year and that way every month or quarter as appropriate. You’re getting something along the way for those that want kind of the traditional one.

Then mix up your content format, and I will say. The content format that your company is using in other areas to communicate is what’s going to be successful here. Sometimes I’ve seen, I had one company and, and [00:17:00] they said, well, video, no one ever does video. No one’s gonna watch video. That’s not going to be successful here.

And until that culture changed, video wasn’t the right option. Instead, it might’ve been an intranet site or an email for companies that have physical spaces. Think and use. How can you use privacy Day or cybersecurity awareness month for physical reminders? Anywhere from cool little gadgets that have privacy tips on ’em to just eases with tips or, fun different games and things along those lines to, to make it exciting, but mixing the format and the timing is what’s going to make it successful.

I’ve seen a cybersecurity company once use those, um, like vintage war posters, um, and they would put their own text over them being like, uncle Sam wants you to change your password every three months. Um, or something like that. And they had them all over their office and they would give them out to their clients which I thought was so cool.

I personally like for just random reminders, so [00:18:00] our company communicates through Slack. So I see some kind of really interesting enforcement case, um, or somebody really messed up or there’s like a dark pattern that I randomly see and I’ll just take a screenshot and send it to them. You know, just something where it’s not necessarily planned.

It, it’s pretty random, but just it know random reminders throughout the year of like, look at. These people got in trouble for doing this, or, you know, let’s make sure we don’t have these types of designs because they’re really sucky, you know, um, just kind of random reminders, um, is what I do pretty frequently.

So you touched on, um, roles and responsibilities and tailoring the training to roles and responsibilities. Can you tell us a little bit more about that and what that means? Yes. If I think about what the marketing team needs to know, um, they need to think about what kind of personal information I’m collecting.

I love marketers. They also wanna collect a significant amount of data. They might not need [00:19:00] all of that data, understanding why that’s okay, why that’s not okay. If they’re the ones responsible for placing pixels or tags or cookies on the site, what is the process, the process that they should be going through?

That process might need to change because of various privacy laws. The finance team isn’t doing the same thing. The finance team is receiving really sensitive information from a completely different area. Can they store it anywhere? How do they ask follow up questions? Do they print information?

Those rules are gonna be a little bit different. We’ve done some training where there are remote employees working at their home and also working on really sensitive data. The rules that the company wanted to have in place were very particular to remote employees and especially those that had sensitive data.

You can’t print, you can’t forward personal information to home. You can’t have mail sent to home. There was just a lot that we needed to think about and then if I think about hr. Really sensitive process. There are a myriad of HR related [00:20:00] laws that are also unique to them. Some of that has that personal information.

Again, how do I pick a new vendor? What is the process that I have to go through? Where do I store the sensitive information? If I have to share it with another team member, what’s the process to do that? Do I have to use special tools? Can I just print it? Can I email it? Do I have to put it in a system? Do I have to delete it?

A lot of questions that get to process, and those are just three core groups, but what is it that you want those employees to be doing and thinking about? Another really common one is customer support or sales. Think about someone in a company, they don’t like your product. They’re really unhappy. They call and they’re mad, and then they’re really mad and they say, you know what?

Just delete me. What is your team going to do? Do they know what to do? Do you don’t want them saying. I don’t know what you’re talking about. I can’t delete you. You might have just violated a law now. You actually might be able to keep some of that information, but probably not all of it. And you want those people to know, here’s what you do.[00:21:00]

For some organizations, I’ve seen them be the people who actually do the process and do the deletion as appropriate. I’ve seen others where they create the request on behalf of the customer, and I’ve seen others where they tell, Hey, customer, that’s great. Go fill out this over here. Those are all just a few examples of how to tailor it.

And the other piece is that’s where training is effective. Because we talked earlier about, oh my gosh, I have to do training. This is so blah and boring. Well, people are gonna pay attention and tune in when it’s unique to them. We did a training course for a company and we had a different training. Some were the same.

And then we did case studies that we knew were real for each of the different groups. We did hr, we did vendor, we did it, we did um, or vendor, I guess was procurement. We did finance and marketing, and we used real use cases that each team was using because that’s how they were then able to ask the, well, what about my special situation and what do I do over here?

And that’s where all the goodness comes [00:22:00] in. And when they’re asking questions or trying to relate it to what they’re actually doing all day long. Then it’s starting to sink and they’re gonna make good decisions, or at least know who to ask if they’re not sure about something. That’s such a good point because you know, when watching some of these videos, it just drones on and on and on and it’s like, how does this actually apply to me?

Um, and. I do our own privacy training, and before I do that, I look through tickets that have like a privacy tag on them. And that’s what I use as my examples. Um, and I’ll say, um, Thomas, you received a ticket saying X, um, how do you respond to that ticket? And it’s an actual real ticket. And we go through that as an example.

Um, and, and that’s a really, really good way to keep people engaged and, and excited about it because they know it actually applies to them. Yeah, that makes sense. So talking about, um, we have the, uh, rules-based training, which would differ, [00:23:00] um, between the different roles that somebody undertakes in.

In my opinion, every company has to have somewhat tailored training because, we’re all in different industries. We all face different privacy issues, but just in general, um, what should our privacy training cover? I think this kind of goes to that roles and responsibilities piece, so the general training and that I might have given some of my thoughts away earlier.

I just so excited. The general training should cover if you have laws in scope, what are those laws? Because each company is gonna be a little bit different. And I think also the size of your company and how you deliver that training might determine how deep you go into that. Mm-hmm. So you’re gonna wanna cover the laws that are in scope.

You’re going to wanna cover any, I’ve seen people have privacy charters or privacy values. What are those going to be? And then a definition of personal information as well as how does that tie to any existing policies you have in a company. You [00:24:00] might have personal information that differs from what people are used to in a company.

You might have sensitive information classified as one way in a policy, but privacy laws define it and it’s a little bit longer. So thinking about the kind of data your company takes and using examples to articulate, here’s what personal information is, but here’s the kinds that we collect. Then thinking about what does this mean from a privacy notice or privacy rights?

And again, kind of how that ties to the individual’s role. Sometimes it goes a little bit deep into process. So we’ve seen privacy training that covers, here’s a data inventory process, here’s what that means, or here’s how to conduct a privacy risk assessment. So those are gonna be really unique kind of deep training.

But that general training can cover those types of things. And then explain, oh, if you are one of those lucky people that gets to do one of these other areas. You would go here for extra information. I’ve also [00:25:00] seen where there’s sort of that case study. So for example, if you wanted to have customer data and uh, they give it to you, what could you do with that?

And use an example, you know, someone signed up for that service. Can I use it for marketing? Well, maybe yes, but consider these things here. Can finance use it? Well? Yes. Consider these things here. Can customer support? So in other words, you take a a specific example in your company and kind of use that, almost like the hub and then each of the areas that you’d wanna cover could be some of the spokes around it.

That makes sense. So, you know, we create our privacy training. We obviously wanna make it. As fun as it can be and as engaging as it can be, what are your thoughts on including like privacy memes or funny clips to try to make things more fun? I love that idea, and again, I think this goes back to culture.

So I have seen some cultures where that’s not appropriate. It’s gonna go nowhere. [00:26:00] It’s not gonna be approved. It’s and then I’ve seen others where if you had. Just bullets and a voiceover that’s gonna, that’s not on brand. You have to find the middle ground, and I think visuals are very important.

Here’s the other thing, I think that’s extremely important. You have different learners. There are people who are going to read and they need reading. They can’t. Hear it and process it. Mm-hmm. So some people want the least amount of information on a slide. Well, those people might miss everything you’re saying because they’re not, they’re just.

They’re readers. They’re not auditory. Other people are going to listen and they’re gonna ignore what you have on the slide. Some people learn by pictures, so don’t have too many words, but they need pictures and visuals. So think about how you’re going to blend all of those different styles together to be able to reach an entire audience that is here.

So memes and funny clips are great to [00:27:00] intersperse. I wouldn’t do all of that because you might lose some of the people who. Aren’t able to hear everything that you are saying, and they won’t they won’t be able to, to connect. But definitely having something in there. I’ve seen animation, I’ve seen clip art, I’ve seen bullets, I’ve seen words, I’ve seen graphics, all different ways to be able to connect.

I’ll say I think older school we had lots of quizzes and kind of, um, some of the advanced ones they have like match. People don’t love those and I don’t think they always pay attention to them. At the same time, it’s about trying to balance, balance it out. So hearing a video versus, um, words on a page, those are a nice balance and a mix that is there.

But my biggest feedback is please ensure that you’re really thinking about all the different kinds of learning styles and feeling like, does it. Does whichever point you get across, come [00:28:00] through in those various ways? Yeah, we’re, um, our company is pretty casual, so our privacy training, I try to do every like five to eight slides.

There’s some kind of visual or something of interest. Because I feel like a lot of people just kind of tune out after a while. Um, you know, if you’re talking about this, let’s, I’ll be honest here, pretty dry topic. After a couple minutes, people start tuning out or thinking about other things, and then you just hit ’em.

Bam. Like, here’s, here’s a good visual, or here’s something funny to look at. Um, you know, to keep people engaged. One thing that I struggle when it comes to training is long-term employees. You know, um, when somebody starts at a company, you give them the privacy training. Everything’s new, everything’s fresh and exciting.

But somebody who’s been there for five years, they’ve been going through this training every year. It kind of gets repetitive after a certain point. What are your thoughts on a tier training approach? [00:29:00] So, for example, in the first year, everyone goes through the standard training that covers. All the topics.

Um, in the second year, the training is mostly examples and discussions In the third year, the, it has like a actual exercise. Um, what are your thoughts on that? I think for larger companies and sort of in an ideal universe, that makes a lot of sense. Training’s also time consuming to put together and just being thoughtful to resources that companies have, whether that’s time or people or dollars.

I think that might impact that tiered approach. I, I, I love that we see that a lot, again, in other areas of training and some of the larger training companies will have multiple different modules and they kind of cycle through them at the same time, some of the training might just need to come through again, because what I learned two years ago doesn’t mean I actually remember a whole lot.

Remember, we’re gonna, we’re gonna move on. We’re gonna forget. So they’re sort of, well, do you go back and do the same thing? You know what? The privacy space, as [00:30:00] we talked about in the beginning is changing so darn fast. So what you did is probably not accurate. I mean, I’m literally delivering next week a training that I did last year and I had to update the entire deck.

’cause all the laws are different. Nothing’s, there’s very little, that’s the same. I had to start over and a training is similar. What I do think is also really using, and I know we talked about this a little bit, but I, I just, I think it’s so important is using real live stories is also one of the ways to help make training relevant and different.

Actual stories. What? What are some of the challenges that have happened, or what are some of the questions that the privacy team or the legal team or the person anointed privacy got? What did the company actually have to tackle and use those as real stories and case studies to help explain, say, Hey, look, here was this product idea that we had and here’s what we had to do, or.

A idea that you think is coming up and you can change it a little bit or a [00:31:00] customer question, but the more that you’re using re reality, it will connect significantly more with people. Very true. Yeah. When it comes to like making presentations, there’s nothing worse than you made your presentation, you submitted your slides, and by the time it comes time to give the presentation, you have to go back and update it because there’s new laws.

Terrible experience. Like then I have to go in and edit everything and then, you know, resend it and stuff. It is just, it sucks, but yeah, that’s true. It applies to training as well, um, in the sense that there’s new laws and new requirements all the time and, and new examples. Um. Thinking about people’s attention spans.

Um, obviously our attention spans aren’t that great anymore. How long should our training be? You know, it’s kind of hard to sit everybody down for multiple hours at a time. Like, what should we aim for in terms of timing? I, I personally think shorter snippets is better. [00:32:00] At the same time, I create a lot of hour trainings because.

That is what companies are looking for and that is what they want. So I’ve done, I’ve, we’ve done all of them. You know, in an ideal scenario, five to seven minutes, or three to five minutes is a common amount. I just did a LinkedIn, uh, learning course and their focus is sort of, um. 30 to 60 minutes to learn something new, but breaking it down into the short modules.

When I look at some of the other significant training platforms out there, especially in security training, it’s the same. It’s sort of these five to seven minutes, but multiples. So you might say you gotta do these five to seven of them. That might be 25 to 40 minutes that I’m doing. Some companies say, okay, you’re gonna do these, but we’re gonna put it over quarters, and you’re kind of rotating.

So maybe it’s 15 minutes each quarter. Over the course of the year, it might have been the same hour, but it was broken up. [00:33:00] I think from an attention span, shorter is better, but you can’t cover it in seven minutes. So I think the total training needs to be at least an hour to. To really be able to get across all the things that you have to be able to do.

And I also think it depends on the kind of company. So if you have a smaller company or you’re doing it by teams and you can break that content up, then. The ability to have that hour session. Maybe your training is 30 minutes, but you’re allowing for q and a because that q and a is actually where everyone’s asking the questions and you’re getting the not formal training in that is incredibly effective.

I can think of multiple different situations where we did that. The content was probably maybe 30 minutes. All the conversation had people engage and that’s when it’s sinking in. So there’s not a right way to do it. Anyone listening if you wanna, if you take your kind of traditional hour PowerPoint kind of thing, you can still make it fun and [00:34:00] interesting, but you can shrink it down a little bit and go department by department or a few departments together and have that interaction and your training will be so much more effective.

If you’re one of those that is using some type of software tool, you’re gonna pick a new one. Then you have a, an more easily available to use shorter options and just pick them and kind of put them over time. Yeah, I feel like the q and a portion of a training, at least from the employee side, doesn’t really feel like you’re going through training because you’re not like watching slides and nobody’s lecturing you.

But you still are, right? Because you’re still gaining all that information. It just doesn’t feel like training. Right. I mean, I kind of liken this to as kids or maybe even adults, if you went to grad school or you sat in on a course and there’s a test. You’re focused on, oh my gosh, I ha I ha there’s a test.

Is this gonna be on the test? I have to know this ’cause it’s gonna be on the test. Compared to when you just go somewhere and you’re interested and you’re just learning. You’re [00:35:00] engaged. And then when you get a chance to ask questions or hear someone else ask the question, you’re think, oh, I didn’t think about that.

Both that, that’s really good. And you’re thinking about it. It’s the same here. You’re listening to the other questions or here’s where you’re not sure, and you get that opportunity to ask. You’re, when you listen to that answer, you want to know the answer. Why? Because there’s no test at the end. I mean, you might have a quiz, but it’s not the same.

The person is there and actually engaged because they want to be. Absolutely. Yeah. You know, let’s say you’re a, a, a small to medium sized business. You’ve never had privacy training before but you want to, or have to get it started now, who within your company should be the one that’s either evaluating training options, evaluating different vendors or coming up with the slides and the format?

I think that’s a little bit of, you know, who kinda. Owns training and communication and privacy. [00:36:00] So the person who knows privacy is the one who needs to own this training, in my opinion, and be the leader. But we’ve also seen companies that have training teams and how that content’s gonna get delivered.

So you might need to work with the training team or the communication team, but, or you hire an outside vendor. We obviously do a lot of these kinds of custom trainings all the time. There’s also software providers and software providers is where. Someone responsible and knowledgeable about privacy should be the one, making sure that you’re picking the right courses and identifying do you need to supplement?

So sometimes maybe there’s a great general privacy training for everybody. You’re not loving or you don’t think that there’s a really good niche training and role and responsibility training. So maybe you create one and then again, you’re kind of back to that same situation in terms of how would you create one.

Do you have the time? Do you have the skills? Do you have the knowledge? To be able to do that. And I think working with the different departments to [00:37:00] pull in that real time and stories and examples is going to be very, very valuable. So if you’re going to create something, really work with the marketing team or the legal team or the compliance team or the, the web, like any of the teams and pull in what, where were some of the cha, what are some challenges that you see here and incorporate it that way.

Yeah, I, I know that a lot of companies don’t necessarily have anybody that’s knowledgeable in this, or maybe they don’t have their own time to, to create their own privacy training. How does your company, red Clover Advisors help with that? Well, we love training. I love training. I could train all day long.

So we’re gonna start with what are the goals and understanding first your organization, the size of the organization, the complexities, what are the privacy challenges? And any of the laws as well, and also what you’ve done. And then from there, we’re gonna make a decision together and a recommendation on where we [00:38:00] think it should go.

It might be a short training and communications throughout the year. It might be a traditional long training. We’ve done training on. Cookie governance or web technology governance, really niche. We’ve done kind of privacy meets security and there was this challenge of remote employees taking personal information home.

So it was general meets a very hard focus on that. There’s also just overall general training to a huge massive employee database that needs interesting plus general privacy training, but then also really niche. We’ll do privacy rights training. What is the team responsible for? Privacy rates need to know, very particular about privacy to a small group of people and also figuring out and pulling in the stories as well as the method so that it’s effective. Right. I was sharing that video piece. One company is like, video’s not gonna work. We’ve also done scripts, so we might write [00:39:00] a script and then their executive might be the one to record it.

We’re really about right sizing. I firmly believe you have to match in any part of privacy training included. What is the company actually need, what is the, what will be successful in that company, and then create it that way. That’s really awesome. I feel like so much of training has to do with like the passion behind the people making the training too.

I mean, you’re obviously very passionate about this and you know, that comes across in training and employees pay attention to that so much better than somebody who’s just like, this is. The chore, you know, this is having to do, this is the bane of my existence. Well, that’s gonna come across to your staff too, and they’re gonna feel the same way about it as well.

And you know, if you don’t know what you’re talking about, if you don’t know what you need to cover, you know, some of this training ends up being just in one ear and out the other if you do it that way, versus having somebody professional who loves [00:40:00] doing it. I mean, that’s just an awesome solution. I agree.

And I, I, I do have to say, I think the greatest compliment I got is when I did a training and the, the feedback was, can Jodi do all our software training? So I do try, and I, and I have genuinely been told I make privacy fun. Uh, now I’m not the only one. We have many other lovely people who also deliver trading, but I agree it, it needs, it is a hard topic and it is something to make it resonate and it’s so important.

How can you make it fun? How can you make it stick? And we feel we found some ways to help people do that. That’s awesome. Good. So where can people learn more about you and your company? Two great ways. So, connect with me on LinkedIn. I post a lot of content on our personal, on my personal page and our company page.

And then we have oodles of content@redcloveradvisors.com. Awesome. Jodi, thanks so much for sharing your insights with me today. I really appreciate [00:41:00] it. Thank you for having me. Absolutely. And to our listeners, make sure to subscribe to Privacy Lawls so that you do not miss our next episode.

Listen to more episodes!

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates
Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates