The importance of education, training and awareness has been made clear time and time again by the Information Commissioner, Elizabeth Denham, who is the head of the regulator responsible for policing compliance with the GDPR in the UK. Denham has expressly stated in her many speaking engagements that she expects everyone in an organisation to have an appreciation of the importance of data protection compliance.
Employees should be ‘in the know’
Denham expects a product development team to know what “privacy by design” means and how it should be incorporated into product workflows. A marketing team should know when they have a legal right to send emails to customers (and when they don’t). IT departments are expected to know what good security looks like. HR teams should be ready to respond to requests from individual members of staff in relation to their personal information.
If the regulator’s expectations are not met by an organisation then that organisation will not be compliant with data protection law, including the GDPR.
If your product development team doesn’t understand its responsibilities, non-compliant products will be released, which could lead to customer complaints. If your marketing team sends out marketing emails to individuals when they have no right to do so, a complaint could be made to the regulator. If your IT department does not understand what good security looks like, there could be a data breach which has to be notified to the regulator. And if your HR team does not respond to an information request from an individual, a claim could be made against your organisation by that individual.
In all these scenarios, there is a risk of bad publicity and fines resulting directly from a failure to train your staff. However, let’s not be too alarmist about all this. There are very positive reasons to train all your staff in GDPR compliance.
What does a compliant company look like?
A company that is GDPR compliant regularly trains all its staff. It conducts training and refresher sessions on a regular basis. It incorporates data protection training into its process for onboarding new employees and when retaining contractors. A compliant company does not simply train its staff and then forget about data protection compliance – it embeds data protection compliance into company culture so that protecting personal information becomes second nature.
Think about how society views recycling. Years ago, recycling meant putting your rubbish in a bin. Nowadays, people feel guilty if they put paper in the normal bin, they are charged for using plastic shopping bags and they are encouraged not to use plastic water bottles and takeaway coffee cups. It is that change in culture that is required in relation to the use of personal information.
The benefits of staff training in data compliance
Let’s discuss the benefits of such a change in culture:
- Your customers will trust you more. If you put the protection of personal information at the heart of your organisation and can show that you do this then potential customers will be more likely to use your products and services.
- Your products will be better. If you design products which respect the privacy of individuals then your products will be better received. By involving your customers in what you do with their personal information and giving them choice, they are more likely to feel good about using your product.
- Your employees will be more motivated to get involved. If your staff are enthused about data protection and you achieve a cultural shift in how the protection of personal information is viewed, your staff will become involved in making your organisation more compliant, rather than reluctantly attending another boring training session.
- The risk of fines and bad publicity is reduced. If your staff are trained, mistakes don’t happen, or they are spotted early when something can be done about them and before the mistake costs your organisation money.
- It makes things easier. It is much better if privacy is built into your products and data processes at the beginning. This makes life much easier. It is very difficult to undo how a product is designed or how data is used just to shoehorn in data protection compliance at the end of a product cycle.
How can you train your staff in data protection compliance?
Get someone in to do a training session
This is an easy option. You pay someone to turn up and roll out their standard data protection PowerPoint presentation. You get the training box ticked, but you do have to get that person back periodically to train new staff and provide refresher training. This method could prove costly over time.
Show your staff a video
Another easy option, especially for those organisations with staff dispersed across multiple locations. It is, however, difficult to establish whether people are engaged whilst watching such videos. They cannot be tailored to the audience, but they are easy to roll out to new staff.