Interview: GDPR training expert, James Foster

The General Data Protection Regulation (GDPR) has the power to leverage huge financial penalties against organisations that fail to implement the proper safeguards when dealing with personal data.

In worst case scenarios, a data breach can see an offending organisation fined up to €20m or 4% of annual turnover, so it’s understandable that bosses do all they can to shore up IT system defences, thus promoting the transparency, accountability and control that regulators seek.

But a purely technological approach to GDPR compliance is not enough; people have to be fully on-board and empowered to take care of personal data if organisations are to fully meet and surpass data security standards in the digital era.

James Foster is a GDPR Solutions Specialist at Sponge, an industry-leading custom digital learning provider. We spoke to James to discover more about the most common mistakes in the essential area of GDPR training.

What’s the cause of the majority of data breaches reported by organisations today?

The ‘oops factor’ is by far and away the biggest cause of data breaches. Yes, human error – not malicious cyber-attacks – is behind the vast majority of breaches reported by organisations.

The last two years has seen a 75% increase in the number of breach incidents self-reported to the UK regulator, the Information Commissioner’s Office (ICO). The cases compromised individuals’ sensitive personal data including medical, financial and employment details. A deeper dive into the figures for the past year reveals that of those cases where the type of breach is specified, 2,124 were attributed to human error, while only 292 were due to cyber attacks.

The report, by global provider of risk solutions, Kroll, concludes: “Our analysis of incidents reported to the ICO in the UK shows that people are still the critical factor, and investment in training staff, either to follow correct procedures or to spot phishing attacks before they click on the link/email, offers the best return for helping to prevent data losses.”

It’s been six months since the introduction of the new GDPR legislation – how are organisations shaping up?

It’s just as well that GDPR came along on 25th May to fix things, right? Wrong! Legislation alone is ineffective unless there are robust strategies in place to ensure that everyone that touches data within an organisation knows how to handle it correctly. But, six months on, it seems that many businesses are still failing to include training in their GDPR compliance policies, despite the risks.

What’s the most effective measure organisations can put in place to prevent data loss?

A new survey of 1,000 UK office staff found that 47% don’t know if their companies are doing anything to comply with GDPR – so there’s obviously no training happening there. And 44% said they had seen confidential documents printed out.

Meanwhile, another recent survey of 600 US and EU firms found that over a quarter (27%) haven’t yet made a start on their GDPR implementation phase. So, no prizes for guessing what the most effective measure organisations can put in place to prevent data loss is. Businesses require effective and ongoing training for employees!

What are the biggest mistakes being made when it comes to GDPR training?

  1. Doing nothing: Ignoring the need for staff training places your organisation at greater risk of a breach and subsequent reputational meltdown. GDPR places a responsibility to embed data protection “by design and default”. As part of this, “regular and refresher training is a must”, according to Elizabeth Denham, Information Commissioner.
  2. Forgetting the audience: Rolling out the same GDPR compliance training to everyone means no-one gets the training they need. High risk data users need a different approach to the general workforce. Segment the training, so high risk employees get bespoke, blended learning and the rest learn the key points of GDPR in an engaging way, such as Sponge’s GDPR learning game, GDPR Sorted.
  3. Overwhelming everyone: Handing out wordy documents with every GDPR dot and comma to all workers and saying ‘remember that’ is a recipe for failure. Instead, focus only on what they need to know about GDPR for their jobs, and which behaviours related to data protection are most important for them.
  4. Once a year: Annual GDPR training isn’t enough. GDPR compliance requires continuous learning and reinforcement opportunities, to avoid potential costly lapses. Continuous learning helps people to apply their training daily, keeping the company safe and contributing towards a data safety culture.
  5. Ticking a box: With GDPR training, don’t tick the box, think outside the box! Don’t give it the usual compliance training treatment (i.e. dull) – employees won’t engage, and they won’t learn. To be effective, GDPR training has to be memorable, so ‘rebrand’ it as a learning experience that they want to do. For example, the GDPR Sorted game is achieving remarkable early results (based on 15,000 employees in 26 countries):
    • Completion rate over 90% in some organisations
    • 16% of players played it in their own time – even on a Saturday night!
    • 339 people played the game more than 10 times
    • 27% of people played the game multiple times
    • 27 minutes average playing duration
  6. In isolation: GDPR learning loses effectiveness when it’s delivered in isolation or is bolted on as a ‘p.s.’. For maximum impact, build a GDPR learning campaign with preparation, activation and sustain phases. Use a mix of learning activities so there’s something for everyone. It’ll increase engagement and help people to understand the wider picture, too – for example, how it fits with other training such as cyber security.
  • Beyond the fines, what’s the fall out when organisations get it wrong?

GDPR is here to stay. Data protection is a global requirement and organisations can’t afford to make the training mistakes we’ve highlighted, especially with record fines being handed out. Beyond that, there’s arguably the bigger issue of organisational reputation; two-thirds of people in the UK still don’t trust organisations with their data. So, it’s definitely time to start the fix.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.