If you’re considering training for your employees, you’re probably wondering about the value for your organization. We’ve come to measure return on investment, or ROI, in terms of the financial benefits obtained over a specified time period in return for a specific investment. But training — privacy awareness training in particular — can be difficult to measure in dollars and cents.
Let’s look at a privacy breach as an example. Training and awareness can support existing strategies, such as a breach response strategy. On the front end, awareness of the strategy can support actions that minimize the occurrence of a breach, saving time and effort through role awareness and the mitigation of harm. While difficult to measure in financial terms, there are tangible benefits to avoiding reputational harm as well as the effort and cost to manage a breach.
Yet the energy organizations expend in developing this “human capital” is often still seen as an expense rather than an investment. Let’s challenge this thinking and consider training programs as if they were capital investments.
Privacy professionals, including Elizabeth Denham, B.C.’s Information and Privacy Commissioner, have long argued that data stewards should treat personal information assets the same way they safeguard financial assets. Following her Office’s recent investigation of a privacy breach at B.C.’s Ministry of Education, Commissioner Denham reiterated this sentiment, stating that “Government in B.C. has a very long tradition of strong financial management, which includes specialized training and record keeping as well as a robust audit function, so the probability of a loss, for example, of $3.4 million is highly unlikely. Information assets, particularly personal information of citizens, deserve the same respect, rigour and control.”
Statistics tell us that the majority of privacy breaches are due to employee error or inattention. While the benefits of decreasing this risk may be a challenge to measure, most people would agree that training dollars spent to reduce privacy breaches would represent a return on any investment in training.
Successful privacy awareness programs keep privacy top of mind with ongoing activities and monitoring. They encourage employees to treat personal information with the same respect they expect from other organizations that store and use their own personal information. Privacy training lays the foundation for this understanding.
So what’s in it for me, or us, or them? A great deal. Organizations expect their employees to know and do the right thing, which leads to greater trust and confidence. Employees feel more valued when organizations spend the necessary time and money to invest in them, leading to a positive relationship between the organization and its staff. And last, but not least, the organization’s customers, clients and constituents will place greater trust in the organization.
Training opportunities in 2016
Rouleur Consulting has partnered with the OIPC to deliver workshops to B.C. municipalities to provide privacy training that is both practical and cost-effective. Access training will also be offered in a second workshop.
“I am very supportive of these workshops,” says Commissioner Denham. “The people who are really going to make a difference are the access and privacy professionals in the organizations we oversee, along with any staff who have access to, use, and disclose personal information.”
Visit oipc.bc.ca/events to learn more about the upcoming privacy and access workshops.
Jay Loder is the Principal at Rouleur Consulting, a Vancouver-based privacy consulting firm that supports private and public sector organizations to effectively manage privacy risk and compliance issues. Jay is speaking on the panel, “Internet of Things: The Connected Eco System” at the 17th Annual Privacy and Security Conference in Victoria, B.C., February 3–5, 2016.