The central role of employee training for GDPR compliance
Integrating the GDPR into the daily life of a business is a far from obvious matter. Developing employees’ awareness of the GDPR and training them to apply it to their daily work is a key element of the process. Anca Draganescu-Pinawin explains why.
Employees are at the front line in the collection, processing and management of data. Without adequate training, employees are often not aware that they work with information that, under the regime of the GDPR, counts as personal data and is thus subject to special treatment. In order for employees to handle the information correctly, they not only have to adopt GDPR-compliant practices, but more fundamentally, they need to be able to identify the kinds of information that the GDPR governs.
Moreover, the GDPR introduces a new dimension of reputational risk for businesses. If a company is found to be non-compliant, it not only faces the risk of heavy fines, but it can also lose the trust of its customers and partners. Employees are the guarantors of a business’s trustworthiness; since this is no trivial matter, it is imperative that employees’ practices be as robust as possible. (For additional advice and insight on developing a GDPR-compliant data management strategy, please download our white paper: ‘GDPR Vade-Mecum’.)
As an example, a data subject calling to exercise their right of access will more likely than not simply call the main switchboard of the company. Hence, it is crucial that the employees receiving the call recognise it as a subject access request (SAR) and escalate it immediately to the right persons in the company. Otherwise, this may lead to a complaint to the supervisory authorities, as well as bad publicity. Recognising a data breach should also be within the capacity of most employees. But without appropriate training, requests may be misinterpreted and breaches may take time to be identified, leading to a failure to meet the requirements laid out in the GDPR.
Training means the development of competence, and competence is measurable; measurement produces metrics. Providing training with measurable assessment will therefore generate metrics. This in turn will allow businesses to track progress, identify areas for improvement, and demonstrate compliance when needed. Demonstrating compliance is a major part of the GDPR. Hence, being able to provide evidence documenting the progress of training and the level of competence of the staff will weigh heavily in the balance, should a company be challenged on its personal data management practices.
At the very least, all employees ought to have basic training in the GDPR. That being said, more in-depth and focused training should be designed for specific functions or roles that carry out specialised processing. For the training to be effective, a combination of different pedagogical approaches should be considered, including delivery across multiple channels. Workshops, one-on-one training sessions, interactive web courses, function-specific manuals, webinars and informational videos are a few possible options.
Finally, to keep the topic prominent, all training should be backed by constant awareness-raising programmes, such as posters, meetings or recreational activities on Data Protection Day.
In sum, integrating the GDPR into the daily life of a business amounts to carrying out radical organisational change. Personal data need to be addressed in a manner that meets the imperatives of the GDPR and this all the way down to the level of the individual employee. The GDPR is meant to change the way that companies think about data, and this entails changing the way individual employees think about data. Sound training about the GDPR is the cornerstone of the new mindset that is required under the GDPR.
For further guidance on GDPR, please download our white paper, speak to your Novagraaf attorney or contact us below.
Anca Draganescu-Pinawin is IP Counsel at Novagraaf in Switzerland.