Most staff will need to have a rudimentary understanding of the principles, but some will need more training than others.
Last updated: 21 Jul 2020
When you consider that human error is the leading cause of data breaches, appropriate staff training is fundamental to any data security policy. The UK regulator, the Information Commissioner’s Office (ICO), estimates that some 80% of data security incidents are caused by staff error. Under GDPR, all businesses are liable for hefty fines in the event of a serious data breach, and failing to train staff could expose companies to significant financial and reputational costs.
Gini Blake, founder and CEO at GDPR Associates, an organisation that supports businesses with GDPR compliance, says: “Most SMEs didn’t start their GDPR journey until the last quarter of 2017 and have left a lot of things to the last minute.
“You need to train all your people on what GDPR is about. So that includes understanding consent; what you can and can’t do with data; how long you can keep data; what you’re allowed to provide; what to do in the event of a breach; and what you do in the event of an information request from an EU citizen.”
Once employees understand the risks, they’re more likely to act with greater care and get behind the policies and procedures put in place to comply with the regulation.
Even if your organisation doesn’t require a data protection officer, the whole GDPR compliance process needs one individual to take charge of it, and this person should also oversee staff training.
Kristy Grant-Hart, founder and CEO at Spark Compliance Consulting, says: “One of the major points is separating what level of training different people need.” All employees must understand the basic principles of GDPR and the risks to the organisation – from both a financial and reputational perspective – as well as the risks to themselves, which could result in disciplinary issues or dismissal if a data breach were to affect the business.
General employee training should include:
Basic training around the principles of GDPR is necessary, but it needs to be specific to the organisation concerned and the group of employees being trained. A company’s revised data and privacy policies and procedures – which should by now be compliant with GDPR – need to form part of that training and will be bespoke to that company.
Grant-Hart says: “Don’t overcomplicate it. All general staff should understand what is meant by personal data, how the company uses it and how they as employees in that company use it. They also need to know about red flags, identifying breaches and what to do and where to go if they see them. That is the basic training, and going over and above that for most people is unnecessary.”
Employees with duties such as marketing, sales, legal, HR, database management and computer security will need training most urgently, and the level of training will be more specific and specialist to make them aware of particular data protection requirements in their area of work. For example, call-centre or customer-facing staff need a working knowledge of the right to erasure and the right to data portability – customers may seek to assert these rights, and there are strict time frames required for the organisation’s response.
The HR team will almost certainly need coaching on how to handle employee data, including subject-access requests and job applications. Much of this will also depend on how reliant the business is on processing sensitive data.
But further to this, the organisation needs to ensure the appropriate GDPR and data protection training is part of all new employees’ induction process. There’s little point getting existing staff ready, only to forget training for new employees, says Blake.
There are various options available to businesses training their staff in GDPR.
Online courses tend to be the cheapest solution and the quickest to deploy; they may also be more appropriate for general staff. However, finding one that provides the right level of information to the specific employee groups within the business may be a challenge. Furthermore, a company will still need to communicate and train on its revised policies and procedures.
Some larger firms with creative and technologically skilled staff may create their own online training courses in concert with an outside consultant. Patrick O’Kane, lawyer and London data privacy officer for a US Fortune 500 company, is the author of Apply GDPR To Your Company In Ten Simple Steps, and he says: “Developing a bespoke course takes time – usually between two to four months.” Given the urgency to train staff, this may not be an option for businesses that have yet to start. However, O’Kane says: “If it’s an introductory course, it may be assigned to all new employees for many years to come, making the investment more palatable.”
Face-to-face training can be very successful, and people tend to be more engaged with a human trainer than an online modular course. It also allows employees to ask questions that are specific to their own needs. For smaller organisations where sensitive data processing is not a core activity, it may be an option for the manager in charge of GDPR compliance to seek out the necessary training for themselves and deliver it to staff in-house.
It’s vitally important that you maintain training records. O’Kane says that if you don’t keep proper records, it’s almost as if you didn’t do the work. Article 5(2) of GDPR states that you have to be able to demonstrate compliance with the regulation, which in effect means you must keep good records of all training sessions given to staff.
He says: “Make sure that records of the times and date of training are kept in a safe place, both for online and face-to-face training. Documentation can save the day if you’re ever investigated.” It’s also a means of holding employees responsible for what they should be doing.
As with any new regulation, organisations will be keeping a keen eye on how the regulator operates now that GDPR is active. Grant-Hart says: “If you’ve put in a good base of preparation and training at the outset, it’s probably worth reviewing your training once a year. Following 25 May, there will be a significant amount of clarification depending on what sort of actions the regulators bring.”
In the meantime, while smaller businesses are less likely to face immediate regulatory scrutiny than large corporations that process huge volumes of data, it’s worth remembering that GDPR applies to all firms – and there remains a sizeable number that have yet to roll out basic and sufficient training.