According to the study "Psychology of Human Error," 88% of data breach incidents are caused by employee mistakes, and around 43% of respondents admitted they had made mistakes at work that could have compromised their organization's cybersecurity.
Employees are often described as the weakest link in the cybersecurity chain, but they are also the greatest asset an organization has. If they are trained properly, the number of such incidents can drop significantly.
Preventing personal data security incidents is not the only reason to invest in proper staff training, however. General Data Protection Regulation (GDPR) requirements are interlocked with operations across every organization and cover both privacy and security obligations.
Every employee who comes into contact with data processing activities, personal data, or data subjects should be made aware of the organization's GDPR requirements and of their own responsibilities and obligations.
Where to start with GDPR training?
Employees should know the purpose and goals of your privacy program and be trained for the situations in which they may be required to act in line with the GDPR and your privacy policies.
Every industry and organization has its own specifics, and there is no single program or training that suits every business.
If you are looking for a place to start, however, the following steps can help you design and implement a successful privacy training program.
1. Identify key departments and/or employees
Identify key departments or employees handling personal data, sharing data, or participating in data processing activities.
Map the real-life situations these people face in their day-to-day work and draw the outline of your training from them; the training should be comprehensive and built around those scenarios.
For example, data subject requests can be made verbally or in writing, through any channel, including social media, and to any person inside your organization.
A request does not have to be titled as such or mention the GDPR or a specific right, as long as it is clear what the data subject is asking for.
A request sent to any employee of your organization is a valid request, and the one-month response deadline under Article 12(3) runs from the moment it is received, not from the moment it reaches the privacy team. It is therefore quite likely that, for instance, the marketing department will have to recognize a request and take the next steps.
Make sure you include similar scenarios in your training so that every employee can identify the situation and know how to respond.
2. Know your industry
The GDPR leaves Member States a margin of maneuver to specify their own rules and incorporate national and sector-specific requirements.
Determine whether specific industry requirements or national laws apply to your organization and pay special attention to those areas in your training.
3. Don’t forget the basics
Explain the importance of data privacy and data security and make employees aware of the possible risks.
Avoid legal jargon where it is not necessary, so that the training remains easy to understand.
Equip your staff with a basic understanding of the key concepts, presented in a simplified way, including:
- what personal data is and how to protect it,
- what rights data subjects have,
- what counts as a personal data breach, and when, how, and to whom to report it,
- the GDPR principles,
- the lawful bases for processing personal data,
- how to handle requests from individuals,
- the role of the DPO and why it matters,
- clear instructions on data security practices in their workplace: how to protect their devices, how to manage their passwords, and how to recognize common security risks such as phishing.
4. Adopt a practical approach
It is extremely important to go through different scenarios during your privacy training and give employees clear examples and instructions on how to handle different situations.
Most employees will not recognize the situations in which they are processing personal data if you speak only in general terms.
For example, if you explain to your sales department that they are not allowed to process personal data without a proper legal basis, they will probably agree with you.
At the same time, they will not connect this to sending cold emails to addresses that contain a person's full name: such an address identifies an individual and is itself personal data, so sending the email is a processing activity that needs a lawful basis.
5. Use what is already available
There is a lot of freely available material you can use to build engaging privacy training and to reinforce your messages, not only during the training but throughout the year.
There is no reason to start from scratch. Some data protection authorities publish ready-to-print materials, including promotional posters, printable PDFs, and presentation templates.
Tailor your GDPR training to your organization's needs and use resources that help employees understand their GDPR obligations.
6. Consider work dynamics in your organization
Since the start of the pandemic, many organizations have moved to some form of hybrid remote work, whether split-week, at-will, week-by-week, or another arrangement.
Adjust the training to work-from-home situations and use multiple channels, such as online meeting platforms, to meet employees halfway.
You can also record the training and send the recording afterwards to everyone, including those who could not attend.
7. Divide and conquer
In a larger organization, it is advisable to segment employees into groups and adjust the training to each group.
One of the easiest ways to segment employees is by department or job function. Since people in the same group are likely to face similar situations, you can tailor the examples, and they will relate to your messages more quickly.
8. Adjust and Repeat
Your work on privacy awareness is never done, just as your organization's compliance journey is never done.
Use follow-up surveys so that colleagues can leave feedback and ask the questions they did not get a chance to ask. Listen to them and use what you learn to adjust future training.
Create training plans and review the program regularly to ensure it stays up to date, for example after changes to your processing activities, to your systems, or in guidance from your supervisory authority.
The role of the DPO in training: inform, educate and influence
One of the Data Protection Officer's key responsibilities under Article 39(1)(b) of the GDPR is awareness-raising and training of the staff involved in processing operations.
However, not every organization is required to appoint a DPO (Article 37 sets out when one is mandatory). If your organization does not have this role, staff training can be outsourced to specialized providers that offer tailor-made, in-house workshops.
Such providers can adapt the training to your needs, but it is still advisable to assign one employee to oversee it, keep records of who attended and when (these records are part of the evidence of accountability a supervisory authority may ask for), and make sure the training is repeated periodically or whenever the need arises.
If staff turnover is high, consider creating a short introductory GDPR training for newcomers, accompanied by a recording of one of your previous training sessions.