GDPR Training in the UK and EU
The General Data Protection Regulation (GDPR), which comes into effect in May 2018 for companies in the UK, EU and throughout the world, is designed “to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.” (Source: https://www.eugdpr.org/)
However, data privacy and data protection for large global companies, including those in the United Kingdom (UK) despite Brexit, is similar to the fight against doping and the use of performance enhancing drugs in sport.
Organisations can have controls, procedures and tests in place, but breaches still happen, often without the relevant authorities and bodies being aware until after the fact, and criminals or cheats are often one step ahead of the controls.
The headlines around GDPR are striking – a company can be fined up to 4% of annual global turnover, or up to €20 million, for breaching GDPR – but rather than a scare-tactic, the legislation is an opportunity for companies in the UK, EU and elsewhere to improve how they report data breaches, and to strengthen their risk assessment processes along with the subsequent procedures on how those risks are mitigated against.
How Important is GDPR Training?
A critical component of the GDPR is training your employees. Training is a requirement under existing legislation, for example, principle 7 of the UK Data Protection Act mandates that employees be well trained, and the GDPR reinforces this.
How can employees be expected to comply with GDPR if you haven’t trained them on their responsibilities?
According to Jonathan Armstrong of Cordery, a UK-based legal consultancy, if you have a data breach, regulators will ask you about training. Hear more from Jonathan here: https://interactiveservices.com/gdpr-training-role/
If it’s a case that a rogue employee has mishandled data or done something they shouldn’t have with the data in question, companies will need to be able to point to training records to show that the employee in question was well trained and aware of their GDPR responsibilities.
GDPR training should not be limited to employees in the UK or Europe, any employee globally who is handling the data of an EU citizen must be trained.
Tactics for GDPR Training
Regulators will rarely state in detail what training is required, who needs to be trained, and how long the training should be, but it is widely recommended that all staff have a basic training on GDPR.
Particular attention should then be paid to employees working in higher risk areas with specific data handling requirements such as HR, IT, Marketing, Supply Chain and Procurement.
Any training longer than 30 minutes is superfluous. While the scope of GDPR is expansive, think about what your employees really need to know and what key messages you’d like them to take from the training. This should drive your training.
In terms of cadence, while all employees should get a full comprehensive training program in year 1, in years 2 and 3 you may be able to roll out an abridged version of the training, or offer a test-down feature where learners who show competence by successfully completing a pre-assessment do not have to take the full course.
Use scenarios that show the real-life application of GDPR. This will help learners see the relevance of the legislation and how it’s applied in the real world. If your training is a list of must-dos and requirements, it won’t resonate and your employees won’t remember it.
Finally, make sure that your training includes a robust assessment. This will give you the confidence that your employees know their GDPR responsibilities, as well as having a record for regulators should your company experience a breach.
While GDPR is not a silver bullet solution, in the same way that cheats in sport continue to find new ways of getting around the law, what GDPR will do is make sure your company is ready to minimise the impact of a breach and ensure the data within your company is handled with care and due responsibility.
The legislation is only as strong as the people in your company responsible for its implementation, so make sure your employees are well trained and know how to protect your business.