The UK’s supervisory authority, the ICO, states:
“The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice. You should provide appropriate initial and refresher training.”You should train all staff who have any connection with personal data, such as in these jobs or areas:
- Mail clerk
- IT engineer
- Marketer or social media consultant
- Customer service representative
- Product developer
- Assistant or anyone else who sends external emails to more than one person
- Member of board of directors
Following are ten tips for training your staff and helping them be good stewards of personal data.
1. Understand that one size doesn’t fit allEvery organization is different, and standardized online courses are unlikely to offer the scope of training that an organization requires. What makes more sense is to have training customized for your organization and then further customized for individual staff functions within the organization.
If customized training is out of budget for you, then you may want to start with standardized training and then supplement with bespoke training relevant to particular functions within your organization (such as marketing or IT).
2. Assess individual learning stylesAssess the learning styles of each area of your workforce and decide the most appropriate medium for learning. Millennials might prefer customized digital training, for example. The board of directors, however, may benefit from face-to-face training as part of a board away day (annual sessions with training and team building exercises tailored for a company’s board members).
3. Develop engaging trainingWorkshop style training in small groups is likely to engage staff much more than lecturing to them. In workshops, you can group different staff functions (such as HR, IT, customer service, and marketing, for example) so that they can discuss the issues relevant to their function. This enables each group to process deeper questions and concerns before sharing with the wider workshop any issues that are relevant to the whole organization.
Some elements of face-to-face training are useful to gain the buy-in of individual staff. You want to help them appreciate the importance of data protection within the organization. What you don’t want is staff who view the training as a tick box exercise without an understanding of the consequences of non-compliance with the GDPR and the role that they can play in that non-compliance.
Staff generally have differing levels of knowledge and experience in relation to data protection matters. The ability for them to be able to ask questions and have them answered individually is invaluable.
If the budget in your small organization doesn’t permit customization of training or face-to-face training, more affordable standardized online courses are, of course, better than nothing.
4. Teach the basics to all staffAll staff need to know the basics when it comes to the GDPR and data protection. This basic level of training should include an overview of these types of information:
- The necessity of the GDPR in protecting personal data
- The consequences, such as fines and reputational damage, that can result if staff don’t comply with data protection laws
- The ways in which the principles of the GDPR apply to your particular organization
- Your organization’s data protection policies and the location of hard copy or online documents
- Practical tips on securing personal information (such as creating strong passwords, locking computers, and safely opening emails from unknown senders), sharing personal data, and recognizing and respecting data subject rights
- Information on where to obtain additional information and answers to questions
5. Provide detailed training per functionAfter staff understand the basics of data protection, you should offer more detailed training for different staff functions. For example, you may want to consider training in these areas:
- Customer services: These employees need to recognize DSARs and know who to pass them to within the organization for the DSAR to be responded to appropriately.
- Marketing: Employees in this department need to understand the rules around direct marketing, lawful grounds for processing (such as consent and legitimate interests), and profiling/automated decision-making.
- Product/service development: Everyone in this area must understand the principle of privacy by design and the need for data protection impact assessments (DPIAs).
- Senior leadership: Everyone “up the ladder” must understand the importance of embedding a culture of privacy in the organization and the risks of not being compliant.
- Procurement personnel: Employees who are responsible for engaging data processors must understand the GDPR’s due diligence requirements and the need for a Data Processing Agreement with data processors
- Human resources: The HR staff need to understand the lawful grounds for processing for employee data, be able to recognize and deal with DSARs, and know the privacy rules about job applicants.
6. Train on internal systems and proceduresIf employees know what the GDPR says but don’t know how to deal with it in practice, the organization is open to risk. To mitigate this risk, you must train employees on your internal systems and procedures for complying with the GDPR.
Here are a couple of examples to illustrate this point:
- A staff member who opens the mail and receives a DSAR must know who to pass it to in order to ensure that it’s dealt with properly.
- If a data breach occurs, the staff member who discovered the data breach should know exactly who to contact within the organization to ensure (among other issues) that employees who are appropriately trained are:
- Containing the breach
- Dealing with the affected data subjects
- Making any necessary notifications
7. Reinforce training with reminders around the workplaceIn addition to holding regular refresher training, anything you can do to regularly reinforce the message of GDPR compliance with employees is a good thing. Here are a few examples:
- Provide reminders about past training. Pin a poster in the staff break room, for example.
- Appoint data protection champions within different staff functions. Champions are responsible for answering questions from other staff and demonstrating best practices within that function.
- Offer rewards. Give refresher quizzes (both online and in person) and awards for individual or team compliance.
8. Spread out training across multiple sessionsThe GDPR is a large and complex area for employees to comprehend. Rather than try to cram all the information into one session, hold a series of shorter sessions. Studies have shown that people learn, retain, and act on information in a more effective way when they receive it in smaller chunks.
Having more than one training session also allows staff to attempt, between sessions, to implement what they have learned in their working environments. And, they have time to formulate meaningful follow-up questions.
You also need to build GDPR training into new-employee onboarding courses.
9. Encourage a culture of opennessEmployees must feel comfortable, and without fear of retribution, about reporting data breaches and any other circumstances that aren’t GDPR-compliant. When employees are tempted to hide data breaches, it leads to larger repercussions for the organization, such as fines for failing to notify within the prescribed time limit.
Or, if an employee is tempted to hide a DSAR after not dealing with it as quickly as required, the organization may also face larger repercussions: The data subject who sent the DSAR may complain to the supervisory authority. If the organization is investigated, it could be fined.
10. Adopt a culture of privacyWhy train your staff to consider data protection matters if a culture of privacy doesn’t exist throughout the entire organization? If you tell your staff to do one thing but senior managers dismiss the need for data protection or the board of directors shows noncompliance (for example, by failing to appoint a data protection officer (DPO) when required or to let the DPO operate independently), your staff won’t adopt data protection in practice.
As Elizabeth Denham, the UK Information Commissioner, said:
"Arguably the biggest change is around accountability.
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.
It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on; it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.
But this shift in approach is what is needed. It is what consumers expect. The benefit for organisations is not just compliance but also providing an opportunity to develop the trust of its consumers in a sustained way.”