Posted on 13.6.17 by Christian Mancier
Cyber-attacks resulting in data breaches may dominate the headlines; however, the majority of data breaches actually occur due to human error, as a result of employees simply doing something they should not be doing – be it a dropped memory stick, sending something to the wrong e-mail address, not following a firm-wide policy on encrypting data or not taking care of paper files whilst out of the office.
Whilst staff training has always been an important element of Data Protection compliance, the forthcoming introduction of the General Data Protection Regulation, with effect from May 2018, will make staff training even more essential, given that fines under GDPR for non-compliance can be up to €20m or 4% of global turnover.
Also, companies will now be required to evidence their compliance with GDPR and therefore staff training and the recording and monitoring of staff training will be a vital aspect of evidencing that your organisation is complying with the GDPR.
The following are my top tips for staff training:
Tip 1 – Staff must understand the GDPR
Employees need to understand the financial and reputational risks to the organisation, as well as the risk of potential disciplinary action or even dismissal if they were responsible for a data breach which harms the organisation’s business.
When the risks are combined with the rationale behind the GDPR, employees can then start to understand the significance of data protection laws, why there are certain policies and procedures in place and why they need to comply with these policies.
Tip 2 – Training has to be relevant
All training needs to be specific to the organisation concerned, so that employees can relate the policies and procedures the organisation has in place around GDPR compliance to their day-to-day roles.
This can range from the importance of hard-to-crack passwords (involving lower and upper case letters, numbers and symbols, changed on a regular basis and used only for your organisation), to confidential waste destruction and encrypting data in e-mails and attachments, through to keeping paper files secure and confidential when out of the office.
Tip 3 – Provide training face to face
Whilst online training is a viable option, I personally question to what extent this is fully absorbed by employees who are perhaps more likely to see this as a “box ticking” exercise, and also to what extent the employees can relate generic online training information to their day to day roles.
From the training sessions I have run, employees have often asked pertinent questions, and often benefit immensely from the dialogue that flows from those questions to the point they find it significantly easier to relate the training and issues that have arisen for discussion to what they do on a day-to-day basis.
Tip 4 – Ensure staff are able to identify breaches and red flag situations
One of the new aspects of GDPR will be an obligation to report data breaches within 72 hours to the Information Commissioner’s Office as well as potentially notifying individuals who have had their data compromised. There is currently no such obligation on the private sector and it is this compulsory reporting and notification to individuals that brings significant financial and reputational risk to any organisation.
Staff need to be able to identify when a potential breach has occurred, how they report that potential breach internally to the organisation’s Data Protection Officer and within what timescale. Given employees will often be the first to be aware a breach has occurred, there has to be a clear policy on reporting the potential breach so the organisation can comply with its reporting obligations.
If training is relevant to what a particular organisation does in practice then these “red flag” situations become easier for employees to identify and pass on to the appropriate person to handle correctly going forward, significantly reducing the potential risk of a non-compliance.
Tip 5 – Start the training now – and make sure it continues
Whilst May 2018 may appear to be a long way off, there is a significant amount of work to be done by an organisation’s senior management team and Data Protection Officer between now and then. Given there is no sign of any introductory grace period for the new GDPR rules to settle in before enforcement action starts, organisations need to be fully up to speed with GDPR compliance by May 2018, if not before.
The more advanced an organisation is along the road to GDPR compliance the lower the risk of breaches occurring once the GDPR rules come into play.
However, organisations can’t simply do training with employees and then forget about it. Training needs to continue so that it includes new members of staff: staff should be trained on GDPR issues as part of their induction, before they are let loose with customer and employee data. Those who have been trained previously should receive continued training to really drive home the message, and perhaps to pick up on issues that have arisen through internal reporting procedures that could have been avoided, using them as real-life examples employees can relate to.