Training personnel on relevant laws is an essential component of any company’s compliance obligations. Appropriate, periodic training of a company’s workforce and management on the applicable policies and procedures is necessary so that individuals understand what is expected from them, and what applicable laws require. It helps raise individuals’ awareness of the company’s ethical and legal obligations, and enhance their ability to understand and apply the policies and procedures adopted by the company.
Training is often required by law. Providing periodic training with respect to data privacy and security is a specific component of the data protection policies and procedures required under numerous laws, regulations, cases, consent decrees, and guidelines that form the legal privacy and security framework. For example, the Federal Trade Commission and State Attorneys General have interpreted the Federal and State Unfair and Deceptive Practices Act and are requiring that, as part of their data security plan, companies provide relevant, appropriate training to their personnel.
Initial training is necessary to instruct the workforce, contract employees, and management on the Company’s important privacy and security obligations under applicable laws with respect to the personal data of customers, third parties, and employees, and on how these obligations are translated into specific policies and procedures that each individual must apply.
Refresher training helps ensure that individuals are constantly reminded of the rules and their own obligations. Some laws specify that training must be provided not less frequently than once a year.
We regularly assist companies in organizing training programs and training sessions so that they can comply with their training and enforcement obligations. For example, we have performed the following services:
- Develop personalized training programs, adapted to the specific needs, and the specific types of laws and regulations to which the company is subject;
- Make onsite presentations to company personnel as part of the company’s training program;
- Develop training materials or web-based training for use by the employees and contractors;
- Review and revise preexisting training materials, and supplement these materials with targeted, practical materials and courses that are better suited to the company’s actual practices and legal obligations.
Further, in addition to their obligations to provide adequate and periodic training, companies are required to enforce their policies and ensure that their personnel abide by their policies. This enforcement is accomplished through supervising the employees, monitoring their performance, and disciplining the infringers.
A delicate balance must be reached: while the company has the obligation to monitor its employees to ensure that they comply with applicable policies and procedures, it must do so while respecting the employees’ own right to privacy. While monitoring is permitted and even required, it must be commensurate with the company’s obligations, so that it does not become obtrusive or inappropriate snooping.
When the monitoring shows evidence of inappropriate conduct, the company has an obligation to discipline the infringers. Failure to do so would expose the company to claims of negligence or gross negligence, should personal data be lost, exposed, or mishandled. The enforcement agencies have conducted several actions against companies for their failure to appropriately train and supervise their employees. The companies that were found deficient were assessed severe penalties and in some cases, have been placed under the supervision of the applicable regulatory entity that is tasked with ensuring future compliance with the training and monitoring obligations.