Whilst cyber-attacks resulting in data breaches dominate the headlines, largely due to the sheer amount of data that has often been compromised, the majority of data breaches occur due to human error – be it a dropped memory stick, sending something to the wrong e-mail address, not following a firm wide policy on encrypting data or not taking care of paper files whilst out of the office.
Whilst human error can occur on the part of third party contractors, the vast majority of data breaches due to human error occur as a result of employees simply doing something they should not be doing.
Whilst staff training has always been an important element of Data Protection compliance, the forthcoming introduction of the General Data Protection Regulation (known as the “GDPR”) with effect from May 2018, will make staff training even more important given fines under GDPR for non-compliance can be up to €20m or 4% of global turnover (up from the current maximum of £500,000).
In the digital age in which we live, the associated reputational damage arising from a data breach can be fatal to any business.
In addition, the GDPR will now require companies to evidence their compliance with GDPR (there is currently no such obligation) and therefore staff training and the recording and monitoring of staff training will be a vital aspect of evidencing that your organisation is complying with the GDPR.
So what are the top tips for staff training?
Tip 1 – Staff have to understand the GDPR
Whilst no one wants every member of staff to have as much knowledge of the GDPR as say the organisation’s Data Protection Officer, employees have to understand the risks to the organisation (both financial and reputation) as well as the risk to themselves (potential disciplinary issues, dismissal or redundancy if a data breach were to ruin an organisation’s business).
When the risks are combined with the rationale behind the GDPR (i.e. protecting individual’s data and information), employees can then start the process of understanding the significance of data protection laws, the care they need to take in handling personal data, why there are certain policies and procedures in place and most importantly of all why they need to comply with those policies.
Tip 2 – Training has to be relevant
Whilst a certain element of staff training has to be generic around the GDPR, it also needs to be specific to the organisation concerned. This is so that employees can relate the policies and procedures an organisation has in place around GDPR compliance to their day to day roles when they handle and deal with data as part of their daily working life.
This can range from the importance of hard to crack passwords involving lower and upper case letters, numbers and symbols, which are changed on a regular basis and are only used for your organisation (i.e. employees don’t use the same passwords for social media, online shopping accounts etc) to confidential waste destruction and encrypting data in e-mails and attachments through to keeping paper files secure and confidential when out of the office (and indeed simply questioning whether paper files actually need to be taken out of the office).
If employees can relate this to their day to day role then they take this in and it helps reduce the risk of future breaches.
Tip 3 – Provide training face to face
Whilst online training is an option, I personally question to what extent this is fully taken in by employees who are perhaps more likely to see this as a “box ticking” exercise and to what extent the employees relate generic online training information to their day to day roles and duties.
From the training sessions I have run, employees have often asked pertinent questions (actually quite good feedback for expanding internal policies over areas that may have been overlooked but are flagged from those “on the ground”) and employees often benefit immensely from the dialogue that flows from those questions to the point they find it significantly easier to relate the training and issues that have arisen for discussion to what they do on a day-to-day basis.
Tip 4 – Staff should be able to identify breaches and red flag situations.
One of the new aspects that GDPR will bring is an obligation to report data breaches within 72 hours to the Information Commissioner’s Office as well as potentially notifying individuals who have had their data compromised in a timely manner without undue delay. There is currently no such obligation on the private sector and it is this compulsory reporting and notification to individuals that brings with it significant financial and reputational risk to any organisation from when the GDPR is introduced in May 2018.
Whilst the aim will always be to educate staff to avoid data breaches, staff need to be able to identify when a potential breach has occurred, how they notify that potential breach internally to the organisation’s Data Protection Officer and within what timescale. Given employees will often be the first to be aware a breach has occurred, there has to be a clear policy on reporting the potential breach so the organisation can comply in a timely manner with its reporting obligations.
Additionally there may be situations that arise going forward where employees need to refer a matter to the organisation’s Data Protection Officer for a view on a particular matter that they may otherwise ignore, or respond to inappropriately when in fact it’s something that the Data Protection officer should be dealing with.
If training is relevant to what a particular organisation does in practice then these “red flag” situations become easier for employees to identify and pass on to the appropriate person to handle correctly going forward, significantly reducing the potential risk of a non-compliance issue in the future.
Tip 5 – Start the training now – and make sure it continues
Whilst May 2018 make appear to be a long way off, there is a significant amount of work to be done by an organisation’s senior management team and the organisation’s Data Protection Officer between now and then. Given there is no sign of any introductory grace period for the new GDPR rules to settle in before enforcement action starts, organisations need to fully up to speed with GDPR compliance by May 2018, if not before.
The more advanced an organisation is along the road to GDPR compliance the lower the risk of breaches occurring once the GDPR rules come into play.
However, organisations can’t simply do training with employees in the lead up to May 2018 and then forget about it. Training needs to continue so it includes new members of staff starting after this date Staff should be trained on GDPR issues as part of their induction before they are let loose with customer and employee data, as well as continued training to those who have been trained previously to really drive home the message and perhaps pick up on issues that have arisen through internal reporting procedures that could have been avoided and use them as real life examples employees can relate to.
By Christian Mancier, Partner in Corporate Commercial and Data protection specialist at Gorvins Solicitors.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/