Hi, and welcome back to the IAPP CIPM. My name is Ralph O'Brien, and welcome back to course 8. Now course 8 training and awareness now. Now this part of the CIPM to do a section on training and awareness, mostly exam questions on this. I consider to be fairly easy, straightforward, I could use the word easy, but certainly straightforward. And therefore, I'm not going to spend a huge amount of time on this topic. I think, we're going to talk about training and awareness, this session is about training. And I think really where I see the exam questions come in is really about looking at the different types of training methods that we have. We're talking about the different types of training methods that we have and where would we use them? Which type of person might be more appropriate for? And how do we then create a training program? A training program that will be in use for any particular organization? And because obviously, they can't tell you what's right for you or what's wrong for you in the exam, we're using our MedForce One example. And that we consider different types of people in MedForce One, there's going to be a whole range of different types of training that's going to be useful for different people. There's going to be basics that everybody needs to learn. There's going to be people in the privacy team that need to know a whole lot more. There's going to be technical people that need to know technical things, legal people that need to know legal things. Management that might just want sort of a briefing or an overview. We really have to understand the various audiences here and what level of training they need. So how can we actually do training? What types of training are there? Well, I mean, in terms of training, we're talking about face-to-face instructor-led training perhaps. Well, remote instructional training like we're doing now. Hello, I'll leave it to your own imagination, how good or bad your instructor is.
Another reason, I don't like doing this type of training because you really have to evaluate yourself and actually how you are going about delivering this. And in these days of remote learning, this may well be the best option for a number of people. But we have to evaluate the pros and cons of different types of training. Whether they are instructor-led or self-led, or we're going to do a computer-based training course or a slide show for everybody. Or train them on the job, or we've got to have a dedicated data protection day. In fact, there is a dedicated data protection day in Europe, that's January the 28th. It's the commemoration of the signing of the Council of Europe's convention human right, there you go, data protection day in Europe. Not previously data protection day for us to make that kind of clear. And there are awareness days as well. So how do you then keep the message there? Posters, badges, pens, screensavers, notice boards, lunch 'n' learns, corporate comms, you name it. There's probably a thousand and one different ways that once we've got the message across, we need to keep it there. So we have to separate this idea of awareness, keeping the message there, from training, which is getting the skills gap, if you like, filled. So we have to recognize the pros and cons. And I wanted just to spend a moment asking yourself what the pros and cons are of different types of training? If you're carrying out face-to-face training, what's good about that? What's bad about that? If you're carrying out remote training, what's good about that? What's bad about that? If you've got an instructor or you're doing it yourself, if it's computer-based, if it's on the job, what are the pros and cons of these different types of training? I mean, one of the reasons you probably opted for a remote training like this is because it's mass market.
This video can go out to many, many people, whereas obviously, if I come to your building as a trainer, I can only talk to a group of 10, perhaps 20 of you at once. But then again, what you can't do through this medium is you can't ask me questions. You can't turn around and say, hey, I didn't quite get that, can you go over it again? Or there's this specific situation for me and my organization, can you help me with that? I'd love to, I'd love to be on top of that, I'd love to have that more interactive way of training. But this way of doing videos just doesn't allow for that more interactive way. So we have to understand what the pros and cons are of different training. Of course, there's lots of pros of me speaking throughout a video. The pros are, well, you can look at this whenever you like, turn me off, that's the postman, press the play button again. Make me fit into your life where you want me to fit into your life. Do it in little different pieces, do it bite-size. You don't need one day in a room with the instructor talking to you all day. So there are different pros and cons of different training methods and I think it's worth understanding that. And not only that, but who in your organization, what audiences you might allow which ones for? I mean, when you consider the computer-based training for example. Well, yes, that's good for teaching the basics to everybody across the organization. But if you're a privacy professional, you're going to want more, you're going to need more in order to pass the CIPM exam for example. You're going to need more in order to manage a privacy program than you're going to get out of an hour's computer-based training or a specific on-the-job training. So what sort of groups in your organization or in MedForce One are going to need what sort of training? Generally speaking, the privacy team, the privacy professionals, the managers might need instructor-led, might need qualifications.
Whereas your general staff might need more on-the-job or computer-based training. What's best for each role, what's best for each role? There's a process here, there's a process here. Generally speaking, you're not going to be doing this as a privacy team, you're going to be working with your HR team. Your HR team will have established a process for training, awareness and competency within your organization. And again, plan, do, check, act, don't forget your plan, do, check, act, right? Don't forget your plan, do, check, act. So to me, we need to identify the roles, identify what roles have got some sort of data protection responsibility? And here's a hint for the exam question, all of them. Every role will have some sort of personal data responsibility for looking after that personal touch, even if it's just shutting the door at night, or not letting in rogue individuals to the company. But those people that deal with personal data on a day-to-day basis, obviously, they're going to need to know more. And then what competencies do they need for their roles? The management is going to need certain competencies to manage the business. The privacy team is going to need certain competencies in terms of their expert knowledge of data protection law. The customer service staff is going to need competencies in terms of understanding when to escalate and what they can deal with locally. So we need to identify those competencies. So once we've got the roles and the competencies instead of dating process, you've got individuals who we want to recruit to fill those roles. So we've got personnel within those roles. Do they have their competencies or not? Can we evidence those competencies? And there are many, many ways of evidencing those competencies. It doesn't have to be a qualification, it could be, we'll have demonstrated it on the job. They've done it before in a previous role. So there are many, many ways we can evidence those competencies.
However, where we can't evidence the competence, where there is a competency gap, well, we're going to need to provide training there. Because it could even be a different action, you could fire them and recruit someone who is competent. [LAUGH] It doesn't have to be training, for example, in order to generate that competency. But generally speaking, we're talking about training here, the appropriate type of training for the appropriate role. So you're to provide that training. And then plan, do, check, act. What most organizations don't then do is follow up. They don't say, well, has that training solved the competency gap? Do those people now know what we want them to know? Do they have those competencies now they've got on their training? What effect does that training take? You can quite often get evaluations of how good the training is, but very rarely how has that changed the individual? What is the individual doing differently? What do they now know that they didn't know before? How has that prepared the individual for their role? So evaluate the training and evidence that that person now has the competencies they were missing. And then you can create a training program. And the training program that plan, do, check, act. To me, the plan, do, check, act is to say, well, okay, let's go around the circle again, have we planned what training we need? Have we delivered that training? Are we measuring and monitoring the effect of that training? Are we acting to improve our training process? And the wheel never stops turning, the wheel never stops turning. So finally, here we want to talk about who gets what training, who gets what training? And clearly there's going to be different needs here across the organization. The privacy team, they're probably going to need a bit more in-depth training than most when it comes to data protection. Senior management, what do they need? They need briefing on the headlines, so they need to know the details, it's interesting.
You're going to get customer-facing roles. People who deal with the public, who are going to need to know about rights requests and what powers the individual has, and what rights the individual has. What they do if they get a complaint or request for access or to change their data. But IT at the back end, people like IT and security who are going to need to know about the more technical sides of security. And how to, you know, design systems with privacy in mind, that privacy by design PIIE processes, how to get third parties on board or second parties on board? I should say turn those third parties into second parties, get them signed up to a contract and make sure that you've considered privacy at the front end there. Then there's HR for the staff data, operationally for whatever you deliver operationally. And then of course there's the marketing teams as well, who've definitely got to know, and need to know, the law about who they can and can't market to? And how to record consent and understand how to operate a website with cookie laws for example? And who they can and can't communicate with? And under what circumstances where marketing is legal? So finally, that's all stories we're going to go on training. Nice, I think most of the exam questions I've seen here are fairly obvious, whose responsibilities? Previously, everybody. What's the good and bad of different types of training? Which sorts of roles when we consider to use different sorts of training? You might get a question that says someone who works in the call center, you might not necessarily understand them on a week-long face-to-face data protection training with an instructor, but you might do that for your data protection officer or your privacy manager for example. So the next section we're going to talk about is awareness. And we're going to talk about different awareness methods and how you're going to design a program to keep the message there once the people are trained.