Building a team of privacy champions

- Let's say you have the fundamentals of a privacy program down. A clear sense of how privacy ties into your company's value and mission. An employee base that cares about the issue. Well, what next? As you build a culture of privacy in your organization, you're going to need advocates. People who understand what you're trying to accomplish, and are ready to help you build it and promote it. Most privacy programs do not have unlimited resources. They also typically do not have large teams. It's not possible to be everywhere in the company, raising the red flag whenever there is a privacy issue. How do you successfully get the word out and begin to scale? Well first, identify teams in your organization who have a shared interest in the privacy program succeeding. Look to leverage the security, compliance, internal audit, and legal teams. Next, create a privacy champion program. Offer something beyond the annual privacy compliance training that inspires your employees. The goal of a program like this is to create a diverse group of employees from every part of your organization who are knowledgeable about the basics of privacy and your company's policies and procedures. These are people who will sit in product reviews, marketing pitches, and team meetings, and will raise their hand when they hear something that could be a potential privacy issue. These are your eyes and ears on the ground. Now, I realize you may be thinking, that's a great idea, but you don't understand my organization, there's no way anyone is going to take time out of their regular job to get trained up on privacy, why would anyone do that? Fair enough. But I've found some techniques that help get folks interested and willing to put in the time and commitment to participate. One option is to tie completion of your program, to advancement in the organization. This will take executive buy-in, but if you've convinced them how important privacy is to the overall company mission, they will likely back you on this. The idea here, is that employees would have to be invited to participate in the program, based on their manager's recommendation. Successful completion of the program, could be a requirement for promotion. Another option is to tie completion of the course to a bonus or employee recognition program. Consider working with a local university or college to develop the course and see if your employees could even coursework credits. Ask the CEO to send out an email to encourage folks to participate. The bottom line is, get creative. However you decide to draw folks in, you're going to need to develop a program that people feel is worth the time away from their day job. I suggest creating a three to six month long course, that covers the issue of privacy generally, and then walks through your company's privacy policies, procedures, and philosophy. Provide reading materials and host meetings, where the participants can discuss and debate real privacy issues occurring in your company. You may even want to add a component of the course that requires the students to spot a privacy issue in their organization and work with the member of the privacy team to develop a solution. Once you get your first class of participants through the course, the work does not end. Part of making this a program that others want to join in the future, is creating a valuable experience for participants. Make sure you treat people who have completed the course as valued alumni. Recognize them at company-wide events, develop a monthly newsletter that helps current and past champions stay up-to-date on privacy news and events in your community. Ultimately, you want these people to stay up-to-date on privacy issues and remain engaged, so that they can help spot issues in the organization the privacy team might not otherwise learn about. Lastly, nurture your community of champions, and your relationships with other teams across the organization. Over time, you will develop a network of individuals throughout the organization who can help identify privacy issues and support the culture of privacy you are creating.