It seems that the whole of Europe is gearing up for the EU General Data Protection Regulation (GDPR). A quick Internet search finds transparency advocates hailing a revolution in individuals’ rights, consultancies offering support to the unprepared, and even the UK’s Information Commissioner entering the fray with her myth-busting blogs.
Whatever the angle, the GDPR comes into effect in May 2018, and communication and training need to be high on every company’s agenda.
GDPR Training Needs
From a training perspective, it can be challenging to work out what employees need to know. Although data processors’ core responsibilities remain broadly similar—to respect and protect personal data—the GDPR expands and refines the detailed requirements.
This is an appropriate moment to revisit the training needs of that population of learners who do not need to be experts in the GDPR but require a basic awareness of the topic and what it will mean for them. At LEO, we are currently updating our existing Data Protection eLearning course for clients who have already deployed it, and will be launching a new primer, and supporting infographic, on the topic before the end of the year.
In this blog, we discuss some ideas on topics to include in GDPR training and how to position them.
GDPR: New Joiners vs Existing Learners
For companies that already offer training, there are two possible approaches:
- Retrain everyone from scratch as part of the annual training cycle. Companies can refresh their existing material, or repackage the content in a new format. The advantage of this approach is that new joiners don’t miss out on the basics, while others can revisit previous messages and assimilate new ones.
- Only give ‘full’ training to those in high-risk roles, e.g. employees working in strategy, client relations or systems development, and provide a synopsis of the changes to employees outside this group via a short, focused communication, as part of a wider campaign.
Now let’s consider what learners need to be told and some presentation and packaging issues.
Engage the Learner
When rolling out any training, it is crucial to stress the question of WIIFM or “What’s in it for me?” That way, there is a greater chance of engaging hearts and minds as well as transferring knowledge. This is true for both classroom and eLearning.
Unlike some more abstract topics, data protection has an obvious WIIFM. Personal data is data about you and me: just as we expect the companies to which we entrust our data to look after it, so do our customers and colleagues. It may also be worth emphasizing that the company welcomes GDPR, i.e. presenting it not as a burden but as an opportunity to do things better and improve client trust.
Keep the Legals Short
Learners rarely need chapter and verse on new laws: the name, scope and effective date should be enough. In relation to GDPR, however, it is necessary to emphasize the extended extra-territoriality, as for some companies this will have a far-reaching impact. If existing training does not reference them specifically, the data protection principles and the rights of individuals should also be introduced at a high level.
But Don’t Leave Out the Essential Facts
One legal area that does need explanation, however, is the definition of personal data and sensitive personal data (and the implications of handling them). Remember, in the digital age, personal data now includes biometric data and digital identifiers, like IP addresses.
Learners need to know, without being made afraid, that there are significant changes in the potential penalties for non-compliance. They should also be reminded about the risks to reputation and potential loss of trust, with its effect on future revenues. The positive spin on this, of course, is that every member of staff can contribute to the company’s compliance efforts, just by being careful and following procedures.
Show Rights in Context
The GDPR confirms and extends the rights of individuals. As this is potentially rather dry content, the requirements and implications are best communicated using case studies, e.g. to illustrate the impact of the new consent regime on direct marketing and subject access.
Learners will also need to be aware of the right to erasure and the right to data portability, as they are now more likely to receive inquiries about these.
Reinforce the Security Message
As they do now, companies must have systems and controls in place to protect personal data from harmful loss, damage and/or unauthorized access.
In our view, the message here should be that security is not a new requirement and that following the company’s policies, together with a dose of common sense, will go a long way towards keeping personal data safe. Remind learners that cyber-criminals are not always behind loss or theft of data—often, it is the result of carelessness or taking shortcuts to bypass procedures.
Encourage Breach Reporting
One of the best-publicized aspects of GDPR is the requirement to report serious data breaches to the Information Commissioner (and the individuals affected). It is essential that training covers:
- The types of incident that constitute a breach
- The need to report, and the mechanics for doing so
Most people are wary of coming forward to admit making a mistake. They need to be reminded that keeping quiet usually does more harm than good in the data arena.
Flag Your Implementation Plans
With more than six months to go to GDPR, most companies’ implementation will not be complete yet. However, this need not hold up training. Companies can introduce their GDPR project, point out what is likely to change, and remind learners, especially those in higher-risk roles, that additional training is on the way.
Now is the time to get started.
- Consider your approach: is a new course or updating your existing one the way forward?
- A full curriculum for all, or highlights for most learners and detailed workshops for those in specialist roles?
- An infographic or other communication to give employees a taste of things to come?