Despite the hype around GDPR in May of this year, when the EU’s new General Data Protection Legislation came into effect, many companies still do not have a robust GDPR programme or sufficient protection measures and processes in place.
As Jonathan Armstrong of compliance lawyers Cordery explained to Interactive Services, “I think there have been various surveys that have said that people were not ready for GDPR when it came in. That is certainly my experience. Some organisations have had a break and are starting again on their GDPR plan, and for others, they have been forced into action because of a breach. I think, for example, Ireland had 547 data breach notifications in the first month and the Information Commissioner’s Office in the UK had 1,792 data breach notifications in June alone. Often, when an organisation has an incident, the fact that its plan is behind schedule becomes even more concerning.”
If you do not already have a GDPR programme in place, now is the time. As you can see from the above figures, hundreds of data breaches are happening every month and you’re now legally obliged under GDPR to have both protective and remedial measures in place.
GDPR training is a big part of that. According to Armstrong, “It is important that everybody who could have access to personal data or receive a Subject Access Request has basic training. We find that role-specific training helps individuals focus on GDPR compliance so that, for example, the training for people in marketing will be different from the training to people in HR.”
An ideal GDPR training program has three levels:
Level 1 – Basic Training and Awareness
Every single employee in your organisation should, at the very least, have a basic awareness and understanding of GDPR. They should be familiar with some of the basic concepts like Data Controllers, Data Processors and Data Subject, as well as topics such as consent and privacy statements.
Employees should also know what your company is doing to comply with GDPR, to protect the data you store, and who to contact if they notice a breach or know of an incident that needs to be reported
This training should be appropriate to your business – for most B2B businesses that might be no more than 15 to 20 minutes in length.
Level 2 – Advance Role-Specific Training
Employees will handle different types of data and process data in different ways depending on what area of the business they work in.
Employees in HR will be handling the personal data of other employees as well as of potential recruits and candidates. For those working in Marketing or Sales, the data being handled will pertain to customers and prospects and will be used in very different ways.
Role-specific training is required so that employees in various different business units know exactly how data should be handled.
The functions where role-specific training is most commonly required are HR, IT, Marketing/Sales, Supply Chain, and Procurement.
Level 3 – GDPR Champions
The most advanced level of training is typically carried out in person by the Chief Data Protection Officer, a senior member of the Data Privacy team or specialist lawyers.
The goal of this training is to create GDPR champions in various parts of the business.
A GDPR champion is someone who takes the lead on GDPR compliance in their business unit, function or team. They liaise closely with the Data Protection Officer and are often also responsible for disseminating a culture of compliance through consistent, light messaging.
Jonathan Armstrong believes that “the purpose of Level 3 training is to make sure that the load on GDPR response and awareness is shared. Often in a crisis, organisations need to go beyond their data breach team. GDPR champions can function almost as “first aiders”, helping with triage and being given particular tasks. For many organisations, we have found that training for GDPR champions works well in conjunction with Data Protection Impact Assessment (DPIA) training so that those champions can take the lead on DPIAs from their work area.”
Where companies already have a robust and effective GDPR training program in place, the work does not necessarily end there.
Hackers are like dopers in sport, they’re usually one step ahead of the testers and know how to beat the controls that are in place without detection.
This means two things:
1. You need to train people on GDPR every year. It’s not enough to say, “We trained people last May at the GDPR deadline, so we’re good.” People need reminders and reinforcement so that the message sticks. Consistent training shows people that your business takes Data Privacy seriously. You also need to cover new hires, people who have moved role and who now need to take Level 2 training or people who have been promoted and require Level 3 training.
2. You need to consistently review your training and make sure it’s up to date. Even if the legislation itself doesn’t fundamentally change, there may be new case studies or scenarios that you can include, or interpretations of the legislation may evolve. Many training providers will include annual updates as part of their offering, in which case this requirement is covered.
Training should also be the core component of any remediation plan where a data breach has occurred. Needless to say, we hope that your company doesn’t suffer a data breach, but the numbers above show us that they’re still happening frequently. If it happens to you, a regulator will want to see that you have a comprehensive remediation plan in place and training should form a core part of that.
So, while May 25th, 2018 has been and gone, GDPR is not a thing of the past and it’s not something that you’ve “got away with” if you chose not to do anything about it. GDPR is here to stay and the more your employees are trained to handle data in appropriate ways and can protect your company from a data breach, the better equipped you will be to be compliant and avoid large fines and penalties should a breach occur.
For more information contact email@example.com
By Neil Cullen (Director, Compliance Learning, Interactive Services)