Raising Privacy Awareness

4 jui 2022 / in News / by Nienke Koorn

While attending the IAPP intensive in The Hague, I was especially inspired by the talk that Simone van Esch – Fennell gave on metrics. Based on her pragmatic approach and practical tips, here’s my view on enhancing awareness through leveraging your metrics as a privacy professional operating in a small privacy team/office. Furthermore, I recommend reading Privacy program management as published by the IAPP for more information on how to define and report on metrics that will greatly enhance your privacy program.

Raising privacy awareness in your organization

Your colleagues need to know what to do when they create or encounter a data breach. Your marketing managers need to understand they can’t just start sending out email bombs to all your customers. Your HR employees have to be aware of the delicacy of their work with personnel files. In summary, creating privacy awareness within your organization matters. In reality, most of us privacy professionals work in small teams, and we all know there’s limited time to make all those much-needed changes. So how can you, talented privacy professional, ensure that your colleagues are aware of privacy while performing their jobs?

Get the right people on board, get a budget
The first step is an obvious one: gain support for your privacy program. A tale as old as time, but often skipped. In practice, aim to get at least one member of your executive suite ‘on your side’, meaning they understand the importance of your program. If at all possible, get your management team a privacy workshop, even if it’s a short one. This is often quite difficult, but it pays off to understand the existing knowledge level in your executive suite and simultaneously explain to management where privacy comes into play within the organization.

When managers understand that they themselves still have things to learn about privacy, it contributes to the understanding that their employees need awareness and training too. This realization will then hopefully lead to a wonderful budget for you to start those awareness workshops for your colleagues.

You can only spend it once; how to set yourself up for success
If you’re just getting started with your awareness program, it’s never a bad idea to start with the basics. Offer a standard workshop that explains privacy basics and try it out with different teams. How does the information land? Is there a common denominator within different groups of employees? Casting a wide net allows you to find out which (groups of) colleagues have the most to learn and work with the most sensitive data. Understanding what teams do will also help you align your program with team and company values.

Pick a channel or multiple channels that fit with the audience you’re trying to reach. If your communication department puts together a wonderful magazine for all your colleagues to enjoy, get yourself a column in it.

For some, e-Learnings are a great help in getting your awareness plans going. While they can be expensive to create and roll out, the upside is that you get a wide variety of progress data to track and analyze. This makes e-Learnings pretty popular to assess and track the knowledge level of your colleagues over time.

Overall, it is a good idea not to put all your eggs in one basket; spread your budget over all communication channels available, and spread it in time. Awareness is best measured over time, so don’t expect overnight results. Your awareness program should be adjustable to the inevitable changes within the organization and proportioned well over a timespan that fits the business.

Finally, don’t be afraid to step outside your comfort zone. If your colleagues are used to learning about a new topic through video instructions, it’ll be worth it to record a video yourself, no matter how cringey it might make you feel.

It’s a marathon, not a sprint
You defined your awareness program, created all the relevant workshops and shaped the perfect communication for the channels used within your organization. You tested your messages on the appropriate audiences and found that sweet spot for all your privacy awareness endeavors. What’s next?

Start measuring. If the goal is to raise awareness within a certain amount of time, you better have a way to measure and understand the progress you need to make. It might be as simple as tracking the number of mistakes made in the e-Learning per team, but it often isn’t.

One way in which metrics might surprise you is that after you start creating awareness, there’s bound to be an uptick in the number of data breaches. Not because there are more breaches happening, but because your colleagues are more aware and actually start reporting breaches. Once you see the number of data breaches flatten out and dip again, it’s time to pick up those sessions again.

In general, metrics are a great way to showcase the effectiveness of your awareness activities. One way to start is by studying whether your offered program actually works: are people signing up for your voluntary privacy sessions? Is the survey you’re sending out to measure the baseline of privacy knowledge being filled out by a significant percentage of employees within the company? Once you find an answer to those questions, you can dive into finding more relevant metrics for your specific organization. Make sure you keep the people who are interested from the start close, and include them in your plans. Those might be the colleagues that will turn into your privacy champions. They will play a big part in letting awareness flow through into other parts of your privacy program, for example by helping you determine the knowledge level of the rest of the team.

Once you have a fair amount of data from all your campaigning, it’s time to analyze and create a relevant overview for other departments. Quantifiable results are a shared language between you and the rest of the company. Creating a one-pager with your most relevant results and learnings lets you share your progress easily. It’ll help other teams and departments understand what your work is all about. And again, make sure to share your findings via the communication channels your organization uses. That way, even your write-up will contribute to more, you guessed it, privacy awareness!