Sam Pfeifle | Content Director, IAPP
No one wants a data breach. No one wants to be the latest ransomware victim, trying to figure out what bitcoin is so you can pay some guy in Romania to give you back access to your own data. No one wants to be THAT company.
So most organizations no doubt have some kind of security training in place. That’s important. They absolutely must make sure employees know to use different passwords on different platforms — to use a password manager, in fact — and not to click on links in emails unless they’re very, very sure they’re legitimate.
And, of course, you need people to set that policy and make sure all of those policy items are actually implemented, in addition to the technicians who set up firewalls and DLP solutions and manage security certificates. These are trained and certified CISSPs and the like.
But if organizations aren’t accompanying that security training with privacy training, they’re exposing themselves to significant risk of being THAT company embroiled in a privacy controversy.
Employees also need to know the rules around how data is collected, used, stored, and destroyed, especially with the EU’s General Data Protection Regulation (GDPR) about to come into force, which many are calling the most sophisticated privacy and data protection regulation in the world. And organizations need people to set that policy and see that it is carried out – or face significant penalties, including fines, as well as damage to brand and bottom line.
Specifically, organizations need privacy training that is mapped to a global standard for how privacy is effectively managed and implemented and addresses the three main areas of privacy oversight:
- Understanding what privacy laws and regulations the organization is subject to
- Managing the way policies for complying with those laws are communicated and audited
- Implementing that privacy compliance via technology and so-called “privacy by design”
Security training teaches your employees about access to data. They should know how to lock the doors to your organization’s house and how to provide only the proper people with the keys to the front door (and the combo to the safe, perhaps). Privacy training teaches them how to behave themselves while they’re inside. You don’t want them leaving dishes in the sink or the seat up, do you? How are they to know not to put their feet up on the coffee table or where the remote lives?
It’s important for employees to know that not all data is the same and that just because you have the data doesn’t mean you can do whatever you want with it.
That’s why organizations need Certified Information Privacy Professionals (CIPPs), who are trained to identify the regulations that apply to their organizations and oversee compliance with those laws. The International Association of Privacy Professionals developed the CIPP certification (which now comes in variations for the U.S., EU, Canadian, and Asian markets) more than a decade ago, and it is now the global standard for demonstrating expertise in privacy law and policy.
In fact, it is recognized as complying with ISO standard 17024:2012, the global standard for professional certification, by the American National Standards Institute (ANSI).
The IAPP supports this certification with training that maps to the same body of knowledge, which ensures the training is based on the actual job of privacy, with real-world, daily application.
However, compliance is about more than knowing, understanding, and translating the law. Rather, compliance requires operations management, the construction of a privacy team that proactively ensures that privacy policies are actually implemented. That’s why the IAPP created the Certified Information Privacy Manager (CIPM) designation, which is also ANSI accredited.
The certification, and its attendant training, provides professionals with the “how” of privacy – what many are now calling “privacy on the ground.” When the GDPR talks about “Privacy by Design,” this is what it means. How can an organization “prove” that it is accountable for the data it collects, processes, stores, and destroys?
That is the job of the CIPM.
How do you ensure marketers understand the ad-buying network and what behavioral targeting really means and how vendors should be vetted? Who helps HR managers understand the sensitive nature of health data, even data as seemingly innocuous as how many steps someone logged in the corporate fitness challenge? Customer service reps should know how to spot scammers trying to acquire knowledge they might use to figure out security questions.
But someone needs to teach them that: the CIPM.
Finally, there are those technologists on the frontlines. Someone needs to make sure the code does what the organization says it will do. Who makes sure the location settings in the app default to off, and pushes a pop-up to ask the user to turn on tracking?
CIPP: The “what” of privacy.
CIPM: The “how” of privacy management.
CIPT: The “how” of privacy technology.
Each has been vetted against the most rigorous of standards. As organizations evaluate training and certification programs, they must ask themselves these questions:
- Is the credential and body of knowledge based on a Job Task Analysis?
- Does the credential signify the completion of extensive training?
- Is the assessment related to the same body of knowledge?
- Is the program administered by a non-profit professional organization or non-governmental body?
- Does the credential require continuing education?
- Is the credential accredited by an independent, third-party assessor?
For the IAPP, the answer to all of these questions is “yes.” Organizations around the world have decided that the suite of IAPP certifications is the best way to ensure their staffs are ready for the data challenges of the Digital Age.
To learn more about how to become an IAPP Official Training Partner (OTP) please contact your Logical Operations representative.