Training the Modern Workforce Live is a weekly show discussing training and talent development solutions and best practices. Hosted by Allogy CEO Colin Forward, each episode features an informative conversation with a prominent guest in the training world.
Watch the full video interview above, listen on any of the platforms below, or continue reading to see the full transcript (edited for clarity).
Click a Link Below to Listen to Episode 11 on Your Preferred Platform
About Training Director Marla Berry, International Association of Privacy Professionals (IAPP)
Marla Berry is the training director at the International Association of Privacy Professionals (IAPP). At IAPP, Marla oversees the development and delivery of privacy training products, including those designed to support candidates in their preparation for IAPP’s certification exams. Her previous experience includes nearly 20 years as a web and software developer, having worked for an educational publisher and a tech startup. She has a BS in mathematics and a BA in studio art from the University of New Hampshire and is a Certified Information Privacy Technologist (CIPT).
Adam Wagner: Hello, everyone, and welcome back to Allogy’s podcast, Training the Modern Workforce Live, the weekly show discussing training and talent development solutions and best practices. Each episode, we’ll talk about a different training topic, and make sure to keep your eye out for our special guests and interviews from top training professionals.
With me, as always, I have Colin Forward, CEO of Allogy. For the last decade, Colin has provided major U.S. hospitals and federal agencies with distance learning solutions. He studied mobile technology at the University of Central Florida while earning a degree in computer science and his MBA.
And joining Colin this week is Marla Berry, the training director at the International Association of Privacy Professionals. At IAPP, Marla oversees the development and delivery of privacy training products, including those designed to support candidates and their preparation for IAPP certification exams. Her previous experience includes nearly 20 years as a web and software developer, having worked for an educational publisher and a tech startup. She has a BS in mathematics and a BA in studio art from the University of New Hampshire and is a Certified Information Privacy Technologist.
This week, we’re going to be talking about data privacy and the rising demand for privacy professionals. We’ve got some great questions on deck already, but feel free to ask any questions that may come up in the chat, and we’ll get to as many as we can.
All right, Colin, over to you.
Colin Forward: All right. Thanks, Adam. And thanks, Marla, for joining us this week. Privacy as an industry is going through just really rapid growth, and training—as we’ve seen, especially in the last year—is important for any industry but especially one where they’re trying to onboard a lot of new people and pick up a lot of new skills really rapidly. So, with you at the center of a lot of that going on for privacy professionals, I’m very excited to have this conversation with you today. Thanks again.
Why don’t we start off with you just telling our audience a little bit about IAPP?
Marla Berry: You bet. So the International Association of Privacy Professionals: we are the largest and most comprehensive community for information privacy professionals. We provide a lot of resources for our professionals, and our mission is to define, promote, and improve the profession of privacy globally.
So the IAPP got started about 20 years ago in 2000. We’re still a fairly young profession in the course of things. Twenty years is not a long time for our professional association to be around. And we’ve seen—I think, in particular, in the last five years—just really incredible growth in the profession, so much so that there’s actually a perceived shortage of professionals. We don’t have enough privacy professionals to meet current demand, and that’s only increasing.
What Exactly Is a Privacy Professional?
Colin Forward: So can we talk a little bit more about what makes someone a privacy professional? Because I think a lot of people probably assume that that just means cybersecurity, but is there more to it.
Marla Berry: So security is certainly a part of privacy, but privacy is also about how data is collected and used. So, there are concerns around consent—just not collecting or processing data without the consent of the user. It’s what that data is used for, and have you been transparent about what you plan to do with that person’s data? Obviously, security is a big piece of it, but there’s a whole lot more that’s focused on data and how that data is actually used and stored and who it’s shared with.
So privacy professionals have to both be aware of the law—there are laws around the world that restrict and govern how data is used—and they have to be able to stand up teams that have responsibility for privacy within the organization. It’s really about mitigating that risk. And some of the legislation actually comes with the potential for enforcement action if you’re not in compliance and some pretty steep fines. And I would guess that most of our audience today has seen just some of the fines that have particularly been put forth on some of these major tech companies who collect a great deal of personal information and sometimes do more with it than they should.
How Does IAPP Train Organizations for Privacy Law Compliance?
Colin Forward: Yeah, I mean, for those who don’t know, it sounds like you’re referring to things like GDPR, the European privacy law; CCPA, the new California legislation. And from some of the names I recognize in the audience, there are some folks that are under those laws and also under HIPAA. So can you talk a little bit about how IAPP is helping people prepare for compliance under those new regimes?
Marla Berry: Yeah, there’s actually a lot of ways we do that. We publish a great deal of articles to ensure that our members have the most current information. So every day we’re contributing articles for our members, we’re producing white papers, all the way through to formalizing recognition of someone’s knowledge through our certification programs.
So the IAPP initially stood up certification programs back in 2004. We have a couple of different flavors, if you will, of certification. The certified information privacy professional, focused on jurisdictional law; the certified information privacy manager, which is focused on operationalizing privacy in an organization; and certified information privacy technologist, which is interestingly where we’re really focused on technology professionals there who have a great deal of responsibility when it comes to privacy. We’re also working on a certified data protection officer certification, which initially we’re going to launch focus for the Brazilian market, as they have recently passed a piece of legislation called the LGPD.
And Colin, to your point about audience: the GDPR was really one of those pivotal moments in privacy and data protection. That law passed in 2016, and its reach goes far beyond the European Union. Anybody who intentionally offers goods and services to the European Union or monitors the behavior of individuals in the EU has obligations under that law. So that was one of the things that really spurred tremendous growth in the profession.
That law didn’t go into force until 2018, but that really spurred the demand of our members for education and a need for us to distribute that education broadly. So the certification programs I mentioned, we have training programs that accompany each of those, and they’re informed by what we call a job-task analysis. We’re actually reaching out to people to understand what do they need to do to be successful in their roles. That informs the certification and then informs the training we develop.
Colin Forward: Yeah, and as the title of the podcast indicates, this is something that you’re doing in multiple countries right now. You mentioned Brazil. I understand that you’re growing in Europe and Asia as well now. So can you talk about some of the challenges with trying to cover that much ground for a nonprofit like IAPP?
Marla Berry: Sure. I think going back to the GDPR example is a good one, at least from a training perspective, back in about that 2015-2016 timeframe. While we offer some training directly, we have instructors—we call them faculty—who are IAPP members, and they’re typically lawyers or consultants; they are experts in the field.
Back in the day, before COVID, we delivered in-person training—primarily in the States, which is where we’re located, and in Europe—and again, that was partly in response to GDPR. We do have an office in Brussels. But there’s only so much we can do on our own to get that training where it needs to be for our members.
So we made a decision in roughly that 2016 timeframe to find a way to scale the delivery of instructor-led training. And we made a decision to start reaching out to informing relationships with channel partners so that we could extend and provide our members globally, truly globally, with an instructor-led experience so that we could educate them in the way they needed to be educated, just to support them, to support the profession.
How Does IAPP Coordinate with Channel Partners to Provide Optimal Training?
Colin Forward: So this idea of channel partners is something that we work on a lot with Allogy, especially when we’re supporting a group that does really distributed training operations. So can you describe a little bit about what that looks like? Is the content really closely held? Are you equipping those channel partners, or are you depending on them to bring the information that’s most relevant and contextualized for their local audience?
Marla Berry: It’s mostly the former, but let me talk about that briefly. So the training team at the IAPP, one thing they do is have a team of instructional designers, and we’re developing that training. So we develop the curriculum. We develop the training. Again, it’s based on the outline of content that is serving the body of knowledge for the certification program.
When we form those relationships with our partners, one, we’ve got some requirements. For their instructors, we expect that they’re going to be certified in the content they’re delivering. So that gives us and our learners confidence that they know the content. We also expect them to deliver our training programs.
So we have developed those following very closely to the curriculum and body of knowledge that is used for certification. We work very closely with our subject matter experts to inform that training. And you can imagine the landscape is volatile at best. So we are revising that training at least once a year, and that aligns with changes that are made in the certification.
But we’re often finding ourselves in a position where that training needs to be updated more frequently. There was recently a case called Schrems II. Now, I’m not the privacy expert, but the results of that potentially affect the transfer of data from the EU to the United States. So we needed to address that change rapidly in our training program.
We provide our channel partners with not just the instructor materials, but we’re also providing their learners with those same materials we produce. We produce a textbook for each program. We produce a participant guide, which helps the learner as they’re being brought through that journey through instruction. We also produce what we call sample questions. Most of the individuals who take training do decide to certify, though some will just take training to build their knowledge. We produce all of those materials, and we have expectations that our channel partners are gonna provide those materials to their learners and that they’re going to deliver our program.
Now you talked about context: while we do provide contextual examples throughout the training, one thing both our trainers and the instructors at our partners bring is their experience. So they’ve got experience in the field of privacy and data protection, and we fully expect that when they’re delivering that training, they’re going to provide their own examples based on their experience to provide that critical context to the learners.
How Does IAPP Onboard Their Trainers?
Colin Forward: So I can imagine that that contextualization is really appreciated by the end-user, the learners in your programs. But with so much growth and the fact that you’re bringing on these distributed training partners, I imagine that there’s some emphasis on train the trainer operations, especially with the new changes that are rolling out every year, updates to the curriculum, and that kind of thing. So can you talk to me a little bit about what it looks like to onboard some of your trainers?
Marla Berry: Yeah, you bet, and it’s been an evolution as you can expect. These relationships are still fairly new for us. It’s about five years.
So, first off, we have our own faculty, as I mentioned before, and we have experience with onboarding our faculty. One thing we know about them is that they’re privacy experts. So they certify; we know they know the content; we know they have the experience. One thing our trainers might not have is experience as an instructor.
So we recently have started producing some materials that help our experts understand the basics of instruction. We also help them to understand the types of questions they might get during their instruction, especially where many of the people taking our courses are actually going to pursue certifications, so there can be questions about the exam.
We have kind of a mentor relationship with our more experienced instructors. And when we onboard somebody, we expect them to deliver a small portion of one of our classes, and then we evaluate them based on how well they’re able to impart knowledge in that classroom and manage the classroom.
It’s a little different for our channel partners. When we first started those relationships, we were able to support our channel partners by identifying people within our own privacy community who had expressed interest in training. So we were able to actually hook them up with established privacy professionals that they would then put through their own onboarding programs before they put them in front of a classroom.
Most of our channel partners, you would expect, they’ve got their own onboarding programs. They’re all pretty similar. There are some subtle differences. Now, we certainly expect those trainers, again, to be certified, and in an effort to help scale, we have 125 training partners right now in almost 40 different countries.
Colin Forward: That’s enormous.
Marla Berry: Yeah, it is. We’ve scaled very rapidly. To continue to support them in scale, their ability to deliver our training and identify trainers and onboard trainers, we continue to look at how we can mature the train the trainer program we have.
So some of the aspects of the train the trainer program we provide to our own instructors, we provide to them. So they get access certainly to the materials they need to certify. They get access to those best practices for public speaking and being an instructor. We also provide them with some contextual stories. So some of their instructors might not have the depth of experience with privacy and data protection. So we’ve worked with our own faculty and created contextual stories. We deliver those as videos in a portal to help those instructors understand the context, some contextual examples for privacy and data protection, and they bring those back to the classroom.
Colin Forward: So I have to ask: with so many different partners and the nature of your operation, your organization, changing so rapidly, what kind of instructional design lessons are you learning and having to incorporate into the way that you do things and the way that you support all of these different trainers?
Marla Berry: Explain a little more, Colin, what you’re asking, what you’re getting at.
Colin Forward: Yeah. So, I mean, one of the advantages of keeping the content centralized—so equipping your distributed training team with content—is that you don’t have to worry about them doing the instructional design. You’re more coaching them on training delivery.
But then, that seems like it would raise all sorts of different challenges when it comes to IAPP developing and maintaining that curriculum, especially for train the trainer and then also for the new programs that you’re rolling out. So has the way that you’ve developed content had to change over time as you try and keep up with a lot of this growth?
Marla Berry: So we certainly have evolved our approach some. I think that’s particularly so, though, with our online training. So we do have self-paced online training we develop as well. Obviously, the considerations there are on balancing text and voiceover and the associated level of effort to keep something that’s multimedia updated.
I would say, though, Colin, for our instructor-led training, we’ve had processes in place where we’re keeping really close track of any sort of legislative changes, of enforcement actions, and we are on a regular cadence—it’s usually once a year, sometimes it’s more frequently—of updating content within our training.
So the instructional design approach really hasn’t changed much. We’ve added, over time, a bit more active-learning elements to ensure the learners are engaged. That’s both with our virtual instructor-led as well as the self-paced. Although, the challenges with self-paced, they’re a little different.
But I would say we’ve been fairly consistent on at least the instructional design approach. We certainly continue to look at best practices and innovate where appropriate. But our biggest challenge is with content because it can change really frequently. And sometimes, the opportunity to respond puts us in more of a reactionary mode to meet the needs of our members. It’s very difficult to anticipate when legislation will actually pass.
Colin Forward: We have folks in our audience that are responsible for 100 end-users and some that are responsible for 1 million end-users. So given your situation with so many training partners and a number of learners on the other side of that, what does your instructional design team look like? Can you give us a sense of the type of resources that go into supporting this type of training operation?
Marla Berry: Sure. Of course, numbers, I’m not going to be able to tell you exactly. I’ve got a team of 15 folks. Some of them support operations; some of them support development. The development side, I would say, is just over half of that team. So we have people who oversee that team in terms of contributing to strategy and innovative approaches.
So we have a senior manager who really oversees all of the development of our training products. She has a manager under her who is very focused on our certification training. We have maybe four or five instructional designers. We have a writer. We have a quality person. So we run this all through quality.
Now, remember this, our team’s responsible for instructional design, but we also have very close relationships with subject-matter experts who are contributing to content and reviewing content for us. And we also publish textbooks.
So I have one member of the team whose sole focus is sourcing and developing textbooks with subject matter experts. On the operational side, we’ve got the products we need to get in our backend systems so people can actually order them. We have a manager who’s responsible for our faculty, so she’s gotta be sure that for the training we offer we’ve got the right instructors in the right place to meet demand—and that certainly can be challenging. And we have a couple of staff members who handle the logistics of standing up our public and virtual trainings. In each of those, we learned with virtual and COVID that that comes with its own challenges, certainly logistically, to coordinate all of that.
Colin Forward: Yeah, it sounds like you have a very high-performing team, but I think that’s great perspective for a lot of folks that think that they can just hang some PowerPoints on a website or something like that and call it a training operation. So, I mean, 15 people—that’s a lot of horsepower for a training team, but it sounds like you’re still achieving quite a lot.
How Has COVID-19 Affected Training, Now and for the Future?
You mention COVID, and you already mentioned that you used to do a lot of in-person training, so how have you had to adapt to the new reality? And now that things are starting to open up a little bit and vaccinations are rolling out, what does it look like going forward?
Marla Berry: Yeah, and that’s quite a question right there, isn’t it? So like most organizations, we responded to COVID by virtualizing the delivery of content. Now, that was true of our training. That was true of a lot of the products we offer. We offer conferences around the globe, and we had to switch even delivery of that content to a virtual model. With training, we had actually dabbled a little bit in virtual instructor-led training.
I would say, before COVID, the preference from our learners was for an in-classroom experience. I’m not sure where that’s going to go in the future. We’ve had success delivering our content virtually.
So a trainer and instructor who can deliver in the classroom can’t necessarily be successful delivering in a virtual environment. So we had to spend some time working with our instructors to give them some tips on how they could be successful with the virtual delivery.
Colin Forward: What do you think were some of the key takeaways there? What were some of the most important lessons for folks that are trying to transition into virtual delivery?
Marla Berry: I’ll tell you it’s put a different burden on my team, probably more so than the instructors. So one, you need to be sure that someone understands the technology, for sure, because if any of your learners are having difficulty with the platform, you need to help them out quickly so that they have a good experience with the training. And I think for those of us who have offered training programs, something as simple as the room being too cold for an in-person training will jade their entire experience with the training. So having somebody who’s knowledgeable about the technology who can be there to support your learners is critical.
We also learned we need a facilitator. So we encourage people to post questions throughout the training, but an instructor often has a very difficult time delivering training and trying to follow a QA window where the learners are asking questions. So the facilitator can actually work directly with the instructor to ensure that questions that require engagement from the instructor are being addressed in a timely way.
We modified our training delivery a little bit, too, to create more breaks. Our trainings run two full days in person, and expecting a learner to sit in front of a screen for two days in a pretty intense learning situation is just not a good scenario. So we broke our training out into four separate sections. That’s better for the instructor, and that’s better for the learners.
Colin Forward: And so that all sounds like synchronous training. You mentioned a self-directed option as well.
Marla Berry: Yeah, so back in the day, we actually distributed DVDs—if that dates me in this organization at all. But yeah, we offer self-paced eLearning. That’s modular content, and the learner has access to that content for as long as they need to. And we actually keep that content updated as frequently as our instructor-led content.
So, self-paced, there are a lot of knowledge checks and assessments worked in. But it’s essentially the same content optimized for self-paced delivery.
Colin Forward: So do you find there are differences in the training outcomes? Are there pros and cons for you running this organization, delivering these different types of courses?
Marla Berry: So I think it has to do with the learner preference. We have those learners who really liked the idea of self-paced training for just that reason: it’s self-paced. They can take the time they need to go through that training. We’ve made it modular so they can explore particular domain areas one at a time. We allow the user to go back and revisit that content over and over again. And they get those same supporting resources. They get a copy of the textbooks, so that they have that as a resource as well.
But then, I think there are those people who prefer that instructor-led experience where there’s a different type of interaction with the content because you have a subject matter expert delivering that training. We do incorporate into the self-paced training those contextual stories, for sure, and we also incorporate video snippets from instructor-led training into that self-paced program to help add some of that context from an expert immediately within the training.
Colin Forward: So it seems like the self-paced courses take a little bit more preparation, thoughtfulness, from an instructional design standpoint.
Marla Berry: Well, they do. And some of our trainings have been translated to serve our members. So we have training programs that have been translated into French and German. And understanding how to develop training to minimize the level of effort it’s going to take to translate and localize that content is also something our training team had to learn. It’s partly about minimizing voiceover in an area, perhaps, where we expect the content to change more rapidly. Making considerations about text on the screen because there are some languages whose character count might be much longer than, say, English. And accommodating that when we’re developing the training in English can be helpful when that product actually goes into translation.
It also means having pretty robust processes for tracking updates to also minimize the level of effort when that translation needs to be updated. But, for sure, developing an eLearning product is a whole different level of effort than an instructor-led program.
Colin Forward: Yeah, once again, I think that’s one of those things that people might take for granted—they think that they can just translate the in-person training into an asynchronous format and let people have their way with it. And as you’re describing, you’re just not going to end up with the same level of outcomes there. So that can be a hard lesson learned for some folks, I think.
What Does the Future of Training at IAPP Look Like?
Marla, you had mentioned when we spoke before about trying to get back to in-person training, and it’s not just a matter of doing things the way that we did a year ago. So what does it look like these days?
Marla Berry: I’ll be honest that we’re still assessing that. For now, our schedule’s wholly focused on virtual instructor-led delivery. Some of our partners have started testing the waters with instructor-led, and I think what we’re seeing happen is that they’re offering a hybrid. And part of why they’re doing that is there’s still a great deal of uncertainty about what the social distance rules are.
Some countries are still going into third lockdowns. And even if it feels as though things are moving in the right direction, they could schedule an in-person training and have to pivot really quickly back to virtual. I don’t think there’s anywhere in the world right now where we’re seeing our partners only offering instructor-led training, and even around the world, it has been mostly virtual delivery.
So we’re likely to follow that same model when we start offering trainings directly again, starting in a hybrid model where it’s part virtual, part in-classroom. One of our unique challenges is the IAPP, we’re not-for-profit, so when we offer our in-person trainings, we’re often counting on the generosity of our members to offer space within their organization for us to host a training. I think that is going to potentially be a barrier in the short term where so many of these organizations are still working remotely. So we’ll have to evaluate that.
One area we do hope to offer in-person training sooner than later—I mentioned we put on several events around the globe, those switched to virtual. Right now, we’re hopeful that the events we typically offer later in the year—one of them is our privacy security and risk conference, which I believe is scheduled to be in San Diego; and our data protection congress, which is always offered in Brussels in the November-December timeframe—we’re moving forward as though those in-person events are going to happen. And we always offer training with those events in person, which is a really phenomenal opportunity for our members to be able to train and then to experience the great content put on through the sessions offered in the conference.
Now, what that looks like, we’re not certain yet. We expect there’ll be social distancing requirements and at least smaller registrations, but we’re really optimistic that we’re going to be able to test those in-person waters, both with our conferences and with training in that fall timeframe.
Colin Forward: I imagine that’s a bit of a white-knuckle situation where you’re just moving forward with something you’re not quite sure if it’s going to come to fruition. It makes me wonder how much of the planning for, say, the event in Brussels is something that you’re doing. Including the training delivery, how much of that is handled internally versus how much of that is leveraging your training partners?
Marla Berry: So at our events, typically the IAPP is the one offering the training in conjunction with our conferences. So we’ll typically offer anywhere from two to four of our classes in the first two days leading up to the conference. And we’re pretty seasoned at that. We line up our faculty early. Our events team is amazing at what they do. And a lot of these plans are actually made, Colin, years in advance in terms of space. So we’re ready to go with a live event when it happens.
Colin Forward: So, I have to wonder, are you planning these events just assuming that you may have to scramble and put together a digital version, a remote version of it, or is this something where you’ve kind of got plan B in the works at the same time?
Marla Berry: Yeah, you can imagine we have to be prepared for everything, don’t we? So we’re moving forward as though they’re going to happen in person, and we just have to keep track of what’s going on in those countries.
So, for Brussels, we’ve been in communication with the venue. It’s been the same for the event we’re going to run here, hopefully, later in the fall in San Diego. So yeah, we’ve gotta be prepared for any contingency, for sure.
What Exciting Opportunities or Challenges Are On the Horizon for IAPP & Privacy Professionals?
Colin Forward: We’re coming towards the end of our time, and I’m going to throw a little bit of an open-ended question at you: so we’ve talked a lot about the different growth in Europe and even around the States, and in the previous conversation, we talked a bit about Asia. So there’s a lot on the horizon for you, but for you, in your position and with the team that you have, what would you say is the most exciting opportunity or challenge that you see on the horizon for your organization?
Marla Berry: I have to say that being on the precipice right now of three major economies potentially passing data-privacy regulation, that provides us with a great opportunity to serve our members. So we’re looking at draft legislation right now in China, India, and here in the States. And what’s happening in the United States is really spurred on by California passing the California Consumer Privacy Act and Virginia standing up a data protection law. The federal government might actually pass a comprehensive data protection law here in the United States.
And with each of those opportunities, our team’s ability to serve our members with training—it’s exciting. It’s an exciting time to be in privacy. And as I mentioned, it’s perceived that there is a shortage of privacy professionals, so much so that the National Institute of Standards and Technology not only has created a privacy framework, which our privacy program management training aligns really well with, but are also exploring what they need to do. What does the profession need to do to create a taxonomy of tasks, knowledge, and skills so that organizations can actually staff up and mitigate risk in the way they want to?
Colin Forward: I think you made a really strong case for anyone who’s listening and thinks that they may want to skill up the relevant folks within their organization and check out some of the services that IAPP offers. Can you share with the audience where the best place is to check out some of these resources?
Marla Berry: You bet. I would start right at iapp.org. On that, there’s a link to our resource center, which has a lot of phenomenal resources for those who are really interested in staying abreast of the news. We do have some email services. We’ve got one called the Daily Dashboard where we’re keeping our members informed of what’s going on that day in privacy and data protection so that they can stay on top of just the world of privacy.
Colin Forward: Excellent. I really hope that some of the folks in the audience check it out because I know that it is relevant to their organizations. And I want to thank you for spending the time with us today because there are very few organizations, I think, that are supporting such quickly, rapidly growing industries and skillsets. So, you’ve got quite a task ahead of you, and I appreciate the opportunity to learn from you today. So thanks for joining us, Marla.
Marla Berry: Thank you for having me, Colin.
Adam Wagner: Yeah, thanks, everyone. This was Training the Modern Workforce Live, presented by Allogy. If you’d like to explore previous episodes, subscribe to our YouTube channel or like us on LinkedIn and Facebook. And if you’d like to connect with one of our learning specialists to see how Allogy could help improve your training, head to allogy.com and schedule a demo.