Feb 07

Training and awareness

DPOrganizer’s GDPR Requirements Series

#27 Training and awareness

Sadly, everything must come to an end, and with this last post, so does this series. Anna and I have covered a vast number of topics and, naturally, a lot of requirements. This post covers an implicit requirement of the GDPR: to carry out data protection training and awareness. You could say that these are appropriate organisational measures, and they are expected by supervisory authorities like the ICO.

The main idea is that all the requirements, data protection policies, procedures, measures in place, etc., are carried into the organisation's day-to-day work through timely and consistent training and awareness campaigns. The aim is to improve compliance: staff know how to act in different circumstances, and the organisation is aware of its processing operations.

Let’s begin by talking about training. Who should receive it? It depends on a multitude of factors, like the nature and context of the processing and the relationship between the person and the processing. There is of course no limit as to who should receive it. For example, it could include your employees, and the training can vary depending on the division. It could also include contract workers, business partners, other contractors, and data processors (and their processors). All employees could receive general training in the policies, privacy notices, data subject request procedures, and the incident response plan. Selected employees should receive in-depth training based on their roles and responsibilities. So, the short answer is that there is no answer; the circumstances will dictate what’s appropriate.

The training programme could combine various types of training, for example formal education, e-learning, conferences and seminars, etc. The main focus of the training could be the GDPR and how the data protection policy implements its requirements, if the policy is exhaustive enough. Other supporting policies (e.g., InfoSec policies, HR policies, vendor policies, data retention and destruction policies) and low-level documents (manuals, procedures, guidelines) could also be within the scope of training. The important part is that the training is relevant for the person and that it’s updated to reflect the legal landscape, policies, best practices and business processes. All trained persons could be tested, to ensure that what’s being taught is followed. As for the topics, training should include the data protection principles, incident management, and data subject requests.

Now onward to awareness. Needless to say, training is a part of awareness. But awareness includes other things as well, like newsletters, posters, handouts, etc., or even a road show. If the organisation uses newsletters, then they could include news or a heads-up about data protection topics like incident management, retention times or data subjects’ rights. There could be a poster on how the organisation handles data protection in the reception and entrance. Here is an example of an infographic from the European Data Protection Supervisor.

Training and awareness, and their outcomes, should be documented, so that accountability can be demonstrated. As a matter of best practice, different metrics like key performance indicators should be used to analyse and refine the training and awareness.

All of the above could be structured in a training and awareness plan, to ensure that it is carried out and improved. The plan should also include how you continually assess the organisation’s needs in terms of training and awareness campaigns.

Thank you for following along with this series on GDPR requirements. As all things must come to an end, so must this. If you have any questions on the content of this series, data protection or privacy, you can contact me via mail at albin.thelin@nulldporganizer.com, or you can reach other privacy professionals over at the community called Watercooler.

Have a good rest of the week!
