Whilst cyber-attacks resulting in data breaches dominate the headlines, the majority of data breaches occur due to human error – be it a dropped memory stick, sending something to the wrong e-mail address, not following a firm wide policy on encrypting data or not taking care of paper files whilst out of the office.
Whilst human error can occur on the part of third party contractors, the vast majority of data breaches due to human error occur as a result of employees simply doing something they should not be doing.
Whilst staff training has always been an important element of Data Protection compliance, the forthcoming introduction of the General Data Protection Regulation, with effect from May 2018, will make staff training even more important, given that fines under GDPR for non-compliance can be up to €20m or 4% of global annual turnover, whichever is the higher.
In addition, the GDPR will require companies to be able to evidence their compliance (the accountability principle). Staff training, together with the recording and monitoring of who has been trained, on what and when, will therefore be a vital aspect of evidencing that your organisation is complying with the GDPR.
So what are the top tips for staff training?
Tip 1 – Staff have to understand the GDPR
Employees have to understand the risks to the organisation (both financial and reputation) as well as the risk to themselves (potential disciplinary issues, dismissal or redundancy if a data breach were to ruin an organisation’s business).
When the risks are combined with the rationale behind the GDPR, employees can then start the process of understanding the significance of data protection laws, why there are certain policies and procedures in place and most importantly of all why they need to comply with those policies.
Tip 2 – Training has to be relevant
All training needs to be specific to the organisation concerned. This is so employees can relate the policies and procedures an organisation has in place around GDPR compliance to their day to day roles.
This can range from password hygiene (long, hard-to-guess passwords that are unique to your organisation's systems and never reused elsewhere; note that current guidance from NIST and the UK NCSC no longer recommends forcing regular password changes or rigid character-composition rules, and favours length, uniqueness and a password manager instead), to confidential waste destruction and encrypting data in e-mails and attachments, through to keeping paper files secure and confidential when out of the office.
Tip 3 – Provide training face to face
Whilst online training is an option, I personally question to what extent this is fully taken in by employees who are perhaps more likely to see this as a “box ticking” exercise and to what extent the employees relate generic online training information to their day to day roles and duties.
From the training sessions I have run, employees have often asked pertinent questions (actually quite good feedback for expanding internal policies over areas that may have been overlooked but are flagged from those “on the ground”) and employees often benefit immensely from the dialogue that flows from those questions to the point they find it significantly easier to relate the training and issues that have arisen for discussion to what they do on a day-to-day basis.
Tip 4 – Staff should be able to identify breaches and red flag situations
One of the new aspects that GDPR will bring is an obligation to report personal data breaches to the Information Commissioner's Office within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), as well as notifying the affected individuals without undue delay where the breach is likely to result in a high risk to them. There is currently no such general obligation on the private sector, and it is this compulsory reporting and notification to individuals that brings with it significant financial and reputational risk to any organisation from when the GDPR is introduced.
Staff need to be able to identify when a potential breach has occurred, how they notify that potential breach internally to the organisation’s Data Protection Officer and within what timescale. Given employees will often be the first to be aware a breach has occurred, there has to be a clear policy on reporting the potential breach so the organisation can comply in a timely manner with its reporting obligations.
Additionally there may be situations where employees need to refer a matter to the organisation’s Data Protection Officer for a view on a particular matter that they may otherwise ignore, or respond to inappropriately when in fact it’s something that the Data Protection officer should be dealing with.
If training is relevant to what a particular organisation does in practice then these “red flag” situations become easier for employees to identify and pass on to the appropriate person to handle correctly going forward, significantly reducing the potential risk of a non-compliance.
Tip 5 – Start the training now – and make sure it continues
Whilst May 2018 may appear to be a long way off, there is a significant amount of work to be done by an organisation's senior management team and Data Protection Officer between now and then. Given there is no sign of any introductory grace period for the new GDPR rules to settle in before enforcement action starts, organisations need to be fully up to speed with GDPR compliance by May 2018, if not before.
The more advanced an organisation is along the road to GDPR compliance the lower the risk of breaches occurring once the GDPR rules come into play.
However, organisations can't simply run training with employees once and then forget about it. Training needs to continue so that it covers new members of staff who start after this date: staff should be trained on GDPR issues as part of their induction, before they are let loose with customer and employee data. Those who have already been trained should receive refresher training to really drive home the message, and to pick up on issues that have arisen through internal reporting procedures that could have been avoided, using them as real-life examples employees can relate to.
By Christian Mancier, Gorvins