Compliance and Privacy Training: The Ultimate Guide (2020)

Travis Good
May 21, 2020

Introduction

Training is a major component of employee development. Training takes a lot of different forms from sales training to workplace safety to sexual harassment to security and compliance. As the amount of training per employee has increased, the success of employee training, in terms of effectiveness and comprehension of training, has become more challenging.

Complicating this challenge, the tools used by enterprises to deliver and manage employee training, most commonly learning management systems (LMSs), have not kept pace with the work that employees do and the technologies employees use. As modern work has moved from email to chat, as technology has moved from on-premise to the cloud, and as tools have moved from web to mobile, employee training has lagged behind.

Effective training for a modern workforce using modern, cloud-based, and SaaS tools requires a fresh approach in 2020 and beyond. With a lens on compliance and privacy training, this guide covers the various compliance training requirements organizations face in 2020, why privacy and compliance training is table stakes for every company today, and how best to build an effective training program.

While the focus of this guide is on compliance and privacy training, the lessons contained herein are broadly applicable to employee learning and development.

Compliance vs Privacy vs Security

The terms privacy, compliance, and security are often used and the differences between them rarely appreciated. While the terms are related, they are separate and distinct. For smaller companies, these functions often overlap with employees having ownership and accountability across two or even all of them. As organizations grow, there is more separation between the functions and entire departments dedicated to each one.

Below is a summary table of how the functions are different from each other.

Function | Work Streams | Deliverables | Budget
Privacy | Privacy official; privacy policies; privacy training | Policies and procedures | $
Security | Implementations; security ops; security training | IT security procedures; many tools | $$$$$
Compliance | Risk; audit (internal and external); regulatory mapping | Audit reports; risk management | $$

In practice, the functions need to work together to create a functional privacy stack, also called an information security management system (ISMS), compliance program, or privacy program.

Each of the functions builds on the others. Privacy defines the policies and procedures for the ways data should be handled and protected, security implements controls and technology to meet the policies and procedures, and compliance verifies the chain from privacy up through security does not have gaps.

Privacy makes promises. Security implements those promises. Compliance validates promises are kept.

Ideally, these functions have boundaries to ensure separation of duties and to avoid conflicts of interest.

The following sections go into more detailed explanations of each function. 

Privacy

Privacy is the first step. Once a compliance DNA, or framework, is chosen or assigned to an organization, relevant controls need to be addressed with privacy policies and procedures. Given the dynamic nature of compliance regulations in 2020, privacy policies and procedures need to be revisited and kept up to date.

Security

Once privacy policies have been written and acknowledged by all employees, it is up to security to implement them. Security often falls under IT. Security is in charge of both configurations and security monitoring, with a plethora of new tools in the market and lots of noise from constant alerts.

With rapidly changing technology, especially services from cloud providers like AWS, Google, and Microsoft, keeping security configurations up to date is a constant challenge. 

Compliance

Compliance is about keeping promises. It’s about building trust. It is the best representation to the market, customers and partners that you have created and executed privacy policies and procedures. Compliance is largely about proof, and the collection of that proof can be a burden on both security and privacy.

Compliance, in larger organizations, is lumped into Governance, Risk, and Compliance (GRC). GRC, both the functional area and the product category, is associated with large, enterprise companies. In smaller organizations, formal GRC groups rarely exist; in these orgs, the functions of governance, risk, and compliance are divided between ops, IT, legal, and HR.

In modern technology companies, even larger ones, modern tools have been adapted to be GRC platforms. One notable example of this is Atlassian, which uses its own software products for GRC.

Why Compliance Training Matters in 2020

Compliance and privacy training have not been a high priority for many companies. This type of training used to be bolted on to existing, general-purpose training platforms. Privacy and compliance training were often, at least by employees, seen as a checkbox. There was little focus on comprehension as the main goal was to ensure proof of training for audits.

This all changed in 2017 and 2018 with the rollout of GDPR. GDPR, by putting the onus on the entire organization to implement data protection by design and default, forced companies to care about personal data in ways they have never been forced to before. It also forced companies to train members of their workforce in privacy and regulations, not simply security awareness. GDPR was a catalyst for similar regulations like CCPA in California.

GDPR and CCPA are extremely broad in their reach and coverage. Modern technology companies, which by definition cross borders, are now confronted with the specter of complying with multiple data regulations.

Take, for example, a data collaboration platform like Slack. Slack has a global reach. It also has customers across specific verticals like healthcare, financial services, and government. Slack, like most technology companies, has a page dedicated to attesting to their security and compliance posture. Slack lists the following:

  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 2
  • SOC 3
  • US / Europe Privacy Shield
  • CSA
  • HIPAA
  • FINRA
  • GDPR
  • FedRAMP

Complying with the above means constant, never-ending audit cycles, each of which requires proof of relevant training of employees and contractors.

Below is an image of geographies and data protection enforcement. As you can see, the world is not uniform and complying across borders is extremely difficult.


The first step in building an effective privacy stack or compliance program is developing and adopting privacy policies and procedures. The second step, which is the actual implementation and execution of your policies and procedures, requires the training of employees. Unfortunately, this is just one more thing that companies have to do in 2020. And it is a lot harder for some companies than others.

Slack is a big company with lots of resources. Smaller technology companies often face similarly daunting compliance and privacy requirements without the resources to address them. 

Data regulations are the new cost of doing business; but, in cases where companies have few resources to dedicate to implementing privacy through training, the cost of doing business can be too high and corners can be cut. This exposes organizations to risk - risk from regulators and risks from customers.

And, this does not take into account data regulations that are currently being negotiated or have passed but are not yet implemented. Compliance, and the myriad of unique training requirements contained therein, has become a dynamic, many-to-many problem for companies.

Top of Mind for your customers

Privacy and compliance are not just top of mind for consumers and legislators. If you sell software or services to businesses, your customers are increasingly demanding you walk the walk, meaning you implement your privacy policies and procedures. They are likely asking you to prove it on a regular basis, either annually or quarterly.

And, they are likely wanting to see privacy and compliance as a core principle and competency across your entire workforce. Engineers and operations people may be implementing cybersecurity controls but enterprises expect all of your employees to be well versed in relevant regulations and privacy matters. It is unacceptable for sales and marketing people to punt on these questions. At Day Zero, one of the most consistent responses we get to our training is how excited customers are to be able to easily empower their entire company with knowledge of compliance and privacy, not just their IT groups.

Comparing Training Requirements for Compliance Regulations

The Internet, connected devices in our homes and in our pockets, and the rise of e-commerce have reshaped the global economy. Personal data has become the new global currency and many of the largest companies in the world, most notably Google and Facebook, run on products and services that leverage personal data. Google and Facebook are just the tip of the data iceberg. There are countless other products and companies that leverage personal data to make money.

This explosion of personal data and data products over the last 20 years has powered much of the growth of the Internet and connected services. But, the last several years have seen increasing public concern and governmental debate about personal data practices. Today, in 2020, privacy and data regulations are eating the world. There are over 100 unique data regulations across the globe and the penalties for not complying with these regulations are higher than ever.

How are companies adjusting to this new normal?

For starters, GRC platforms, the backbones of compliance programs, have failed to keep pace with the changes in work and technology. New, integrated risk management platforms are the new normal, though they are not widely adopted by small to medium size companies. Instead, small to medium-sized companies typically build their own mix of tools to track compliance operations, resulting in a hodgepodge of evidence sources and lots of work at audit time.

When it comes to privacy, even large enterprises with dedicated privacy people and budget are struggling to keep up with new regulations and training. They are also struggling to ensure their policies and procedures address the relevant regulatory controls. And those are companies with dedicated budgets for privacy, something most small to medium-sized companies do not have.

And, in cybersecurity, we are seeing an explosion of software tools and service offerings to fill gaps in implementations and monitoring of technology, especially on the cloud. The last several years have seen many security product acquisitions as large companies look to unify the disparate cybersecurity toolset into an integrated security platform. Small to medium-sized companies continue to deal with the exhaustion of alert fatigue, with very little signal to the amount of noise generated by disparate tools.

When did training get so complicated?

When it comes to compliance and privacy training, the challenges facing all companies are daunting. The need to comply with multiple, and evolving, privacy and data regulations, coupled with the fact that each one has different requirements for training, leaves organizations struggling to meet all of the controls to which they attest compliance.

Additionally, training often falls across multiple groups within an organization, meaning that ownership for compliance training in totality is spread across multiple departments and individuals.

The specific content of the training is also dynamic. Security training is constantly changing as the relevant threats and technologies change. OWASP, which maintains lists of the most common vulnerabilities to be aware of, updates those lists as the threat landscape changes. Privacy training, based on regulations, changes as regulations and company policies change.

Compliance Training = Privacy Training + Security Training

Compliance, privacy, and security are not the same. And training for each is not the same. Understanding the differences is essential to ensure you cover all of your training requirements. Many companies skimp, unknowingly, because they think that each of these types of training is equivalent. They are not.

Privacy Training

Privacy training is focused on two broad areas - 1) the policies and procedures of your organization and 2) the relevant regulation and laws.

Policies are typically written to map to the requirements or controls to which an organization must adhere. While the specific language varies from company to company, they are relatively similar across companies in a specific sector. These are usually the basis of compliance programs.

Procedures are the workflows or steps that employees need to follow. They are mapped up to policies.

Training on regulations is informing employees about their legal responsibilities in doing their jobs. Often, these align tightly or 100% with policies so this type of training overlaps with policy training.

Security Training

Security training for employees is commonly called security awareness training. It involves training on security best practices, like password settings, personal firewalls and VPNs, and the use of 2-factor authentication. While not always a 1:1 mapping to procedures, there should be alignment between security implementation and procedures.

Compliance Training

Compliance training is made up of both privacy training and security training. It is what is required by the letter of the regulation, or regulations, to which you comply. It does not matter if it is HIPAA or GDPR or SOC 2 or CCPA, your employees should be trained in both privacy as well as security to meet the training requirements of these regulations.

Compliance training requirements

The compliance training requirements for GDPR, CCPA, SOC 2, HIPAA, and HITRUST are listed in the summary table below and in detail further down.

For the purposes of the summary table below, we categorized training in the following ways:

  • Privacy Training - training on regulations and policies and procedures.
  • Security Training - security awareness training and security best practices.
  • Data Subject Requests - requests for information about data practices and requests for data rights defined by regulations (right to be forgotten, edit data, etc).

Training Type | GDPR | CCPA | SOC 2 | HIPAA | HITRUST
Privacy Training | Article 25; Article 39 | 1798.130; 1798.135 | - | 164.530b1 | 0137.02a1; 1301.01e
Security Training | Article 25 | - | CC1.4; CC2.2 | 164.308-5i | 0101.02d1; 0108.02d1; 1325.09s1; 1336.02e1; 1301.01e; 1308.09j1
Data Subject Requests | Article 47 | 1798.130; 1798.135 | - | 164.530b1 | -

GDPR Training Requirements

Section Description
Article 25 Data protection by design and by default: An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 39 Tasks of the data protection officer 1 (b): to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
Article 47 Binding corporate rules 2 (n): the appropriate data protection training to personnel having permanent or regular access to personal data.

CCPA Training Requirements

Section Description
1798.130(a)(6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
1798.135(a)(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.

SOC2 Training Requirements

Section Description
CC1.4 Attracts, Develops, and Retains Individuals: The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
CC1.4 Provides Training to Maintain Technical Competencies: The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.
CC2.2 Communicates Information to Improve Security Knowledge and Awareness: The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.

HIPAA Training Requirements

Section Description
164.308 (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
164.530 (b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

HITRUST Training Requirements

Section Description
0107.02d1 The organization has an information security workforce improvement program.
0108.02d1 The organization ensures plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.
1325.09s1 Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic).
1336.02e1 The organization's security awareness and training program will identify how workforce members are provided security awareness and training; identify the workforce members (including managers, senior executives, and as appropriate, business associates/partners, and contractors) who will receive security awareness and training; describe the types of security awareness and training that is reasonable and appropriate for its workforce members; how workforce members are provided security and awareness training when there is a change in the organization's information systems; and how frequently security awareness and training is provided to all workforce members.
0137.02a1 The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance requirements for its human resources security protection program (e.g., through policy, standards, guidelines, and procedures).
1301.02e1 Employees and contractors receive documented initial (as part of their onboarding within sixty (60) days of hire), annual and ongoing training on their roles related to security and privacy.
1308.09j1 The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements.

Keeping Promises

All too often, companies will write privacy policies and procedures without any thought to how they will be implemented. Your privacy policies are the promises you make about how you collect, use, and secure customer and partner data. Keeping promises builds trust. And it takes 10x longer to rebuild trust than to gain it in the first place. With intense competition in almost every market, breaking promises to your customers and partners is not a viable option.

Complying with your privacy policies requires an informed workforce. You cannot expect your employees to follow prescribed procedures without being educated about them. Educating employees about privacy and security does not work when that training is bolted on to check a box for an audit. We consistently see compliance training done, at best, at employee onboarding and annually. This does not work. And it will result in your company breaking its promises.

Execution to your policies requires continual, relevant training. Training should be delivered on a regular basis and should adapt to the role of the employee. In 2020, the stakes of data privacy and security are too high.

Mistakes happen, they always do. But having documentation of compliance training will show your company’s intent to keep its promises and the priority it puts on customer and partner data. As with all things compliance, documentation and intent are the fallback for interpreting actions.

Conclusion

Complying with the emerging number of global data regulations is not impossible; but, it does require an intentional compliance training program.

We hear constantly from front line workers, from sales to engineering, who want to know how regulations should be used to make decisions. Many feel scared they may be liable if they make a mistake or decision that causes a data breach. Employees deserve to know the regulations, privacy policies, and security best practices to make informed decisions in their day to day work.

One additional benefit of effective compliance training is that it helps to create a culture of privacy across your company. Building privacy into your culture minimizes the risk of data breach; and, in the case of a data breach, it minimizes the financial risk to your company.

The ROI on effective compliance training is clear. Both short and long term, compliance training delivers benefits in the form of reduced risk, better data management practices, and more informed employees.

If you need help getting started or just want to hire Haekka to take care of compliance training for your company, reach out and we’d be happy to do a free assessment of your current program or recommend a training approach.