
SME Tools: getting the team on board with GDPR

GDPR compliance is crucial for any business, but many employees still feel disengaged from the process. Here’s how to help your team get to grips with the new data protection rules.

Last updated: 25 Jun 2019


The General Data Protection Regulation (GDPR) compliance deadline was 25 May 2018, yet recent research found that just over a third (37%) of small businesses are yet to comply with it.

The survey of 1,021 UK workers also revealed that 35% still send marketing emails without proper consent and more than one in four (27%) said they hadn’t secured their firm’s data in the event of a ransomware attack.

Failing to comply with GDPR can lead to fines of up to €20m (£17.6m) or 4% of annual turnover, whichever is greater. It is imperative, then, that SMEs address the issue, and key to this is a compliant workplace culture, which means involving employees in the process.

“Every company needs to look at their culture. This new mindset needs to become a fundamental part of their business and employees need to be trained in data security, just like they might receive health and safety training,” says Lawrence Jones, CEO of data hosting firm UKFast.

Give employees a reason to care

Data protection can be an unimaginative and uninspiring subject at the best of times, so employees need to be given a reason to care.

According to Sergio Afonso, founder and director of language translation company Absolute Translations, one way to get employees on board with GDPR is to make them see the importance of data protection from the perspective of the customer or consumer.

“Rather than just narrowly focusing on [your company’s] data, figure out where you fit in the wider GDPR process – often the biggest risk will be third-party data shared by customers,” says Afonso. “Getting our employees to resonate with the importance of data protection on a personal level – being consumers themselves – has helped motivate them to never accept non-vital data in their work with other businesses, protecting all parties involved.”

Delivering the relevant training shouldn’t just be a one-off occurrence either, says Jones. “Training needs to be updated regularly. A single training session as part of employee induction is going to be forgotten in six months’ time. It needs to be reinforced continuously,” he says.

Make learning accessible

According to Jones, training also needs to be fun. This can be achieved through interaction and real-life scenarios. For example, by showing employees video interviews with business owners who have previously been affected by data breaches, they are more likely to sit up and take note.

It’s also worth considering delivering training sessions in bite-size chunks, says Daniel Smith, director of growth marketing firm Doogheno and a director at, which is an online platform that provides courses for non-technical staff on online safety subjects. This includes GDPR and phishing – they’re typically delivered in three- to five-minute sessions.


“If you just sit employees down in a room, you’re going to lose their interest very quickly. It can be disruptive to their working day,” says Smith. Psychology research backs this up – one study conducted by Microsoft suggests that the average attention span has shortened from 12 seconds in 2000 to eight seconds in 2013.

“Enabling employees to watch videos online at their own pace results in a far higher engagement level and more knowledge being retained,” he adds.

Another benefit of using an online platform to deliver GDPR training is that if employees forget about something in a few months’ time, they can always revisit it to refresh their memories.

Ultimately, employees are only going to show a willingness to learn about GDPR if the senior managers delivering the training show they’re committed too and believe in what they’re saying. If they do, then this attitude will trickle down to other employees.

Get accredited

Another way to show employees and clients that your company is taking GDPR seriously is to seek accreditation, says Jeremy Stern, founder and managing director of PromoVeritas, which specialises in promotional compliance. The company ensures that prize draws and competitions run by major food and drink brands are fair and legal.

“We anticipated GDPR about two years ago and set about the process of gaining ISO 27001 accreditation [relating to information security management],” says Stern. “The main reason for this was internal – we deal with a lot of consumer data supplied by clients.”

Stern adds that it’s important that employees view their own data as if it were their clients’. Doing so encourages positive personal security habits, which translates into better overall cyber security in the workplace.

“Training staff on how to protect themselves is training them to protect the company,” says Smith.

Checklist: what every SME employee needs to know

  1. You must have explicit consent from a client or customer to hold their data. You must also tell them how long you’re holding it for, who you’re sharing it with and how they can withdraw consent and have the data erased.
  2. You need to take measures to protect portable devices to avoid data theft when working remotely and using public wifi.
  3. Any breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the event occurring.
  4. You need to be aware of the consequences of failing to comply. As well as the financial penalty that can be incurred, arguably the longer lasting damage would be to an employer’s reputation and relationships with its clients.