



Start up your privacy awareness program: Events

Aug 18, 2016 · 6 mins

Holding events can be an effective cornerstone of any good awareness program. To keep privacy top-of-mind between annual trainings, awareness programs use informal, unscheduled mechanisms to remind your staff about protecting personal information.


Every comprehensive privacy program includes a formal training component. In-person classes, computer-based training and webinars are some of the ways to fill this need. Formal privacy training most often occurs once a year. However, other initiatives being promoted by your organization probably have annual training as well.

To keep privacy top-of-mind between annual trainings, an awareness program should be created. Awareness programs use informal, unscheduled mechanisms to remind your staff about protecting personal information. Previously I discussed utilizing posters to promote privacy awareness, and over the next several blog entries I’ll discuss some more of my favorite approaches.

Privacy-focused events

Sometimes you have to do something special to get attention. Creating a privacy-focused event can be that special something to grab your organization’s attention. An event does not have to be big to be successful; it just has to be something out of the ordinary.

For example, having someone from your privacy office attend and present at a departmental meeting, say within IT or marketing, will raise awareness within “small” groups. It’s limited effort for your team but a break from the ordinary for the department you’re visiting. That alone makes it memorable for them.

What to talk about

When participating in another department’s team meeting, it is vital that you discuss privacy in terms that are relevant to the attendees.

Maybe you want to explain a change in your privacy policy. When discussing this with IT, it would be appropriate to talk about the types of controls to protect information that they will need to implement to meet the new requirement. When you go to Marketing you may want to discuss what types of outreach programs the policy change enables that department to do.

Certainly there may be some new guidelines (restrictions) for the use of personal information. I find it best to explain these from a customer perspective. I ask the audience to picture themselves as a customer with their own information being used under both the new and old guidelines, explaining the risks and benefits in each case.

Let’s think bigger

Sometimes you need to shout to get attention. Coordinating a bigger event will allow you to reach across your entire organization instead of just a department. While you can hold an event anytime, luckily there is a perfect time to do a large, full-day celebration of privacy.

Every January 28th, Data Privacy Day is celebrated around the world. Coordinated in the U.S. by the National Cybersecurity Alliance, Data Privacy Day’s charter is “to create awareness about the importance of privacy and protecting personal information.” Data Privacy Day is a fantastic opportunity to run a full day of activities to raise privacy awareness in your organization. (Note: My company, Privacy Ref, Inc., is a sponsor of Data Privacy Day in the U.S.)

Awareness activities need to be engaging and fun

During a Data Privacy Day celebration, you can certainly have webinars, presentations, workshops and lunch-and-learn sessions. You can use the members of your privacy office team to lead these efforts. However, I would suggest minimizing the discussion of policy and procedure and focusing these sessions on privacy in general. For example, including how employees can protect their own personal information always grabs attention.

I have found that privacy and security vendors (including Privacy Ref) are happy to provide speakers for these activities for their clients. Having an outside expert visit often draws a larger audience when compared to an internal speaker.

These traditional methods of sharing information are certainly effective, but not everyone will participate. So how do you improve engagement?

A privacy game

One way is to find a high traffic area and set up a “privacy game.” A good location is in or near the company cafeteria or in the building lobby.

The game can be something simple. I once was working with a team that set up a table where they had all sorts of documents. Each document contained different types of information. The game was for a participant to classify a number of documents according to the organization’s information categorization scheme. Get a few right and be given a low-cost prize.

This simple little activity always had a crowd watching. The crowd surged whenever a senior executive stopped by to play; everyone was waiting for them to make a mistake. Of course, the executive was always a winner.

The game provided several benefits. It increased privacy awareness. It reinforced the organization’s information categorization structure. Most importantly, it demonstrated executive endorsement of the privacy program.

Hold a privacy fair

Another activity is to ask departments to participate in a privacy fair. In this activity, each department is provided a table where they demonstrate what they do to protect personal information. Visitors to the tables learn about the efforts going on in other parts of the organization, frequently finding ideas they can use within their own department.

You can even invite vendors to attend to discuss what they are doing with your company. They will also be happy to talk about products they have that enhance privacy and, possibly, give away samples.

I can only compare privacy fairs with the science fairs I attended when I was in school. The contest between departments to have “the best” table can get very competitive. You can fuel this by allowing visitors to vote for the best. Giving the winner a trophy or a pizza party is a small price to pay for the rise in awareness this activity will provide.

Think out of the box

Sometimes you want the reminder to be subtle. One of the most effective approaches came from one of my team members when I worked at Staples. Her suggestion was to work with the staff in the company cafeteria to rename the menu to reflect privacy. Instead of eggplant parmigiana we had “encrypted eggplant.” Instead of buffalo wings, we had “firewall wings.” You get the picture.

It was interesting at lunch that day to hear the conversations at the tables turn to privacy. For limited effort here was another success in raising awareness. It worked so well that the second year the cafeteria staff undertook the renaming of the menu items themselves.

A word of caution

Holding events can be fun, effective and low cost. A critical success factor is to sharply differentiate the activities undertaken in these events from privacy training.

You should have classes that provide formal training to your staff on your organization’s do’s and don’ts for the handling of personal information. The activities you provide in events should not revisit these topics, but provide a gentle, indirect reinforcement of them.


Bob Siegel has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He has extensive experience with PCI DSS and Safe Harbor and has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security.

Throughout his career Bob has worked with computer applications and business practices that guard personal information. In addition to developing these systems, he trained employees to use them properly and efficiently. As the collection of personal information has increased, he has developed new approaches to help his organizations protect their sensitive data (both electronic and paper-based).

Bob is a Certified Information Privacy Professional, certified by the International Association of Privacy Professionals, with concentrations in US Law (CIPP/US), European Law (CIPP/E), and Canadian Law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty and has served on the Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as the Publications Advisory Board. He was also recently named a “Fellow of Information Privacy” by the IAPP.

Most recently, Bob served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness, and compliance of global privacy-related policies and procedures for more than 60 business units in 26 countries.

A seasoned program management expert, Bob has a long record of accomplishments in business planning, information privacy, sales support, customer support, application development, and product management. He has helped executive teams convert strategic plans into programs with well-defined, measurable outcomes. He also has created realistic program schedules and budgets, resolved critical path issues, managed risks and delivered results consistently on time and within budget.

Bob can be reached at

The opinions expressed in this blog are those of Bob Siegel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.