Stating the obvious, training staff helps compliance by ensuring that your organisation processes personal data in line with applicable data protection regimes. Next to the general observance of the legislation, it is crucial to comply with the strict time limits for handling data breaches and data subject requests.
Not being able to keep within the prescribed limits considerably raises the risk of being reported to the supervisory authorities. This can lead to investigations that may go well beyond checking your processes for dealing with the reported requests and result in high fines, damage to your brand reputation, and possibly also being forced to stop processing personal data in case of severe violations.
Awareness is the foundation
The first step to avoiding such a nightmare scenario is to enlighten your employees about the importance of treating personal data with the appropriate respect, to only process data as far as necessary and to stay within the boundaries of the law.
Taking active charge of your data protection efforts has shown to promote trust in your customers since they feel that their data and their rights are in safe hands and having adequate processes in place will help you avoid common data breaches with severe consequences.
Basic data protection training among staff makes the work of your privacy team easier, since the people they talk to in course of their work know about the core principles and can provide relevant questions and answers. When talking to employees, the privacy team saves time by not having to explain the fundamentals, but can rather cut straight to the chase.
In addition, trained employees know when to reach out to inquire about advice, can prepare the relevant facts and are able to avoid the most common pitfalls. Data protection awareness across the organisation gives your privacy team a better overview of the processing conducted by the organisation.
How should staff get GDPR training?
Raising awareness about data protection is not enough. In order for people across your organisation to have a good grasp of the topic and its impact on how they do their jobs further training is required.
Explain the fundamental principles and use language that a layman can understand. For experts, it is easy to forget that the knowledge of people outside their field might be very limited. E.g. don’t assume that people know what constitutes a data subject request. There are many misconceptions and myths that can be harmful and should be cleared up.
Realise that not everybody needs to be an expert. Save time and resources by tailoring the training efforts in proportion to how a staff member is in contact with the processing of personal data. A security guard and a developer have different touchpoints with personal data. This should be reflected in the data protection training. So make sure to relate the training to an employee’s tasks for them to get a better understanding of how this affects their daily activities.
Repetition is key
Like any other training, hearing about a topic once is not enough. Train your staff continuously by offering activities to refresh the knowledge of your staff and give the opportunity to ask plenty of questions.
Training doesn’t/shouldn’t entail having to spend a whole day looking at a presentation in a stuffy room. People’s attention span is limited, especially if they might see the subject of discussion as a complication to their work. So, don’t present your staff with one big chunk of information but instead give bite-sized training modules.
How to maximise efficiency and impact
Use technology to adapt the training to your staff’s schedules. Videos and online courses are a great way for employees to learn. However, keep in mind that a standard course that doesn’t relate to your business might be too abstract. Staff might spend hours while still being unable to relate the studied material to their duties. So, if possible prepare your own training material. Use regular communication channels to promote data protection and to offer advice. Try to keep data protection in everybody’s minds by celebrating Data Protection Day, organising activities or maybe even create a Slack bot with a daily GDPR fun fact!
Don’t forget to evaluate the effectiveness of your training efforts. This could be done by quizzing them after completing training modules. Reward employees that complete their training and show interest in the subject. Invite them to be privacy champions in their department.
Celebrate wins to motivate your colleagues
Data protection doesn’t have to be a chore, so highlight and promote the positive impact of data protection for your business and for the individuals whose personal data is being processed. E.g. relate to how employees would like their personal data to be processed if they were a customer of the business.
Spending some time training your staff now will save you time and money in the long run and bring your organisation to the next level. It is normal that people resist adjusting to something new in the beginning and people don’t like changes – but they like habits and routines. So make data protection a habit and routine throughout your organisation.