Staff and stakeholder awareness training is as an essential element of Data Protection and General Data Protection Regulation (GDPR) compliance. For many organisations it is seen as a tick-box exercise rather than an opportunity for embedding a culture of privacy within the organisation. To achieve full compliance, and truly reap the benefits of greater stakeholder awareness and improved data management practices, organisations should consider going beyond simple training to ‘managed-learning’.
One of the most common questions we receive is ‘who in our organisation requires GDPR training and how should we go about it?’. While we do not take a ‘one-size-fits-all’ approach, there are certainly some overarching themes which we find beneficial when discussing this topic.
Where personal data is involved, training is required
While this may initially appear a rather cynical view, one could certainly say this is the most prudent place to begin. If you are reading this post, it is likely that your organisation deals in personal data above and beyond internal business functions such as HR, so we will take this as a given. With that in mind, a good starting point is to provide blanket training on the basic principles of the GDPR. This should cover some of the more rudimentary topics such as ‘what is personal data’, ‘the role of data controllers and processors’, ‘lawful processing conditions’, ‘data subject rights’ and why should staff care in the first place. This is by no means an exhaustive list, but training all staff on those topics will help lay the foundations of the culture you are no doubt seeking to embed. There is an argument to be made that this would suffice in meeting the (admittedly vague) mentions of training encapsulated within the Regulation. As it stands, there are but two brief mentions of training within the GDPR, under Art.39 (pertaining to the role of the Data Protection Officer) and Art.47 (relating to the application of Binding Corporate Rules), both offer little guidance as to the scope of the training required and some may attempt to leverage this in favour of expedience, stopping the book there.
However, for those seeking to embed a genuine culture of data protection and make strides towards the GDPR’s loftier goals, we would suggest taking this a couple of steps farther. At the heart of it all, the GDPR is a landmark piece of legislation intending to place the personal data of individuals more firmly within their own hands. So when creating your staff training plan, placing particular emphasis on data subject rights is a wise decision. Not only will this ensure staff understand and are capable of escalating data subject right invocations as they arise, but it will also ensure forethought for such requirements when looking to build or refine organisational processes. That’s the beginning of a cultural shift.
Structure and segmentation
As mentioned, there is no ‘one size fits all’ here, but a logical continuation of the above would see sponsorship from the senior level. This can be as simple as highlighting the principles of the GDPR across all company communications, both internal and external. This will help emphasise the communal intention of abiding by the Regulation and will encourage staff to take their assigned training more seriously.
For all staff, we would encourage standard GDPR awareness training on topics such as those highlighted above. As we know, up to 90% of data breaches are caused by human error, and while training can only accomplish so much, it may result in the required pause before sending an email, downloading an unsecure USB or handing over a sensitive document.
For more involved roles, such as those working in Software, Marketing, Healthcare etc., more focused, role-based training is advised. This should be tailored to the more specific legislative requirements inherent to those roles. For example, software engineers should be provided with training on the concepts of Privacy by Design and Default, Data Protection Impact Assessments and Automated Decision Making. Other than highlighting your organisation’s appreciation for the forces at play, tailored training of this nature is likely to have greater uptake by staff. It sits with the organisation to remain cognisant of new, overlapping legislation and guidance and update their staff training accordingly. This can then be supplemented with awareness campaigns promoting the benefits of realising and respecting data subject rights. The goal, in an ideal world, it to consistently endorse the profile of data protection across the organisation.
Finally, to ensure that the above is retained and built upon over time, it is crucial to ensure annual refresher training for all. Given the ever evolving nature of this space, content is likely to change slightly over time (particularly for more involved roles). However, the core principles as outlined under Art.5 are not going away any time soon, and reinforcing it across your organisation is a sure-fire way to ensure development of a strong data protection culture. Substantive GDPR compliance requires organisations to make their commitment known to their staff, imbuing this objective from the top down. A perfect rendition may not yet exist, but knowing what training should be delineated to staff is an excellent way to begin. Both the regulator and your clients will likely agree.
Learn more about PrivacyEngine's built-in e-learning management system, as well as the other training features on our Data Privacy Platform.