This is a guest post written by Patrick O'Kane, the author of the great new book, "GDPR - Fix it Fast! Apply GDPR to Your Company in 10 Simple Steps." I wrote the Foreword to this book and highly recommend it!
Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of data breaches. Providing staff training is an important part of avoiding GDPR fines.
Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.
These are my 3 tips on staff training:
Tip 1: Teach all staff the basics on Data Protection
All employees need some basic knowledge of data protection. Sometimes we can get lost in the minutiae of GDPR and can forget that our first line of defense needs clear and simple explanations about their data duties.
Typically, general-employee training will include:
- A brief explanation of GDPR and why it is necessary to protect privacy
- A description of the fines and reputational damage that can occur if the company does not comply
- An explanation of the primary principles of the GDPR and how they apply to the activities of the company
- Information on the main points of your company’s Data Protection Policy and where the policy can be found, and
- Information on where to get additional information and answers to questions
Remember that people are most affected by training when they understand two things: (1) why the training is important to them and (2) what they need to do in response to the training.
Tip 2: Give more detailed training on data protection to the employees that need it
Some staff will need specialty knowledge on the different areas of GDPR. For example:
- Call Center / Customer Facing Staff – Your call center staff will need a working knowledge of the Right to Erasure and the Right to Data Portability because customers may ask to assert these rights and there are strict time limits for response.
- Marketing Team – Your Marketeers will need to understand the new rules on consents.
- Data Analytics Teams – If you have any employees that are carrying out Big Data analytics then they will have to understand the new rules on profiling.
- Senior Management – Senior management in areas such as HR, Legal and Sales need solid training on how GDPR affects their areas so that they may cascade this knowledge down.
- Human Resources – The Human Resources team will need training on how to handle employee data, including employee subject access requests and handling job application data.
- Board – You should advise the Board about the new fines under GDPR.
Tip 3: Make it engaging
- Keep it short – Try and keep individual sessions to one hour or less. Being lectured to will not engage an audience for long. This is data protection after all….
- Mirror your audience – Find out who your audience is beforehand. If it is a room of 22-year-old sales gals and guys, then you will want to use language and examples that appeal to them. Alternatively, a presentation to the Board will require a more formal tone.
- Make it practical – The worst training session I ever sat through was one where the speaker just read out legal cases that related to the Eight Data Protection Principles. I will never get that day back. Don’t make the same mistake. Make sure you give your staff examples of how the GDPR applies to them.
With a little bit of preparation, your training can teach people what they need to know in a way that will help them to protect the company.
Patrick O’Kane is a noted data privacy expert and lawyer (barrister). He is the Data Protection Officer for a Fortune 500 US company. He helped lead a major GDPR implementation project across a group of 30 companies, and has written a book on GDPR entitled “GDPR - Fix it Fast.” www.gdprfixitfast.com