
The importance of education, training and awareness has been made clear time and time again by regulators. They expect everyone in an organisation to have an appreciation of the importance of data protection compliance.
Employees should be ‘in the know’
Regulators expect a product development team to know what “privacy by design” means and how it should be incorporated into product workflows. A marketing team should know when they have a legal right to send emails to customers (and when they don’t). IT departments are expected to know what good security looks like. HR teams should be ready to respond to requests from individual members of staff in relation to their personal information.
If the regulator’s expectations are not met by an organisation then that organisation will not be compliant with data protection law, including the GDPR.
If your product development team doesn’t understand its responsibilities, non-compliant products will be released, which could lead to customer complaints. If your marketing team sends out marketing emails to individuals when they have no right to do so, a complaint could be made to the regulator. If your IT department does not understand what good security looks like, there could be a data breach which has to be notified to the regulator. And if your HR team does not respond to an information request from an individual, a claim could be made against your organisation by that individual.
In all these scenarios, there is a risk of bad publicity and fines resulting directly from a failure to train your staff. However, let’s not be too alarmist about all this. There are very positive reasons to train all your staff in GDPR compliance.