The central role of employee training for GDPR compliance

Par Anca Draganescu-Pinawin,

Integrating the GDPR into the daily life of a business is a far from obvious matter. Developing employees’ awareness of the GDPR and training them to apply it to their daily work is a key element of the process. Anca Draganescu-Pinawin explains why.

Employees are at the front line in the collection, processing and management of data. Without adequate training, often employees are not aware that they work with information that, under the regime of the GDPR, counts as personal data and is thus subject to special treatment. In order for employees to handle the information correctly, they have not only to adopt GDPR-compliant practices, but more fundamentally, they need to be able to identify the basic materials that the GDPR governs.

Moreover, the GDPR introduces a new dimension of reputational risk for businesses. If a company is found to be non-compliant, it not only faces the risk of heavy fines, but it can also lose the trust of its customers and partners. Employees are the guarantors of a business’ trustworthiness; and this being no trivial matter, it is imperative that employees’ practices be maximally robust. (For additional advice and insight on developing a GDPR-compliant data management strategy, please download our white paper: ‘GDPR Vade-Mecum’.)

As an example, a data subject calling to exercise their right of access will more likely than not simply call the main switchboard of the company. Hence, it is crucial that the employees receiving the call recognise it as being a SAR request and escalate it immediately to the right persons in the company. Otherwise, this may lead to a complaint to the supervisory authorities, as well as bad publicity. Recognising a data breach should also be within the capacity of most employees. But without appropriate training, requests may be misinterpreted and breaches may take time to be identified, leading to a failure to meet the requirements laid out in the GDPR.

Training means development of competence and competence is measurable, whence metrics. Providing training with measurable assessment will generate metrics. This in turn will allow businesses to track progress, identify areas for improvement, and demonstrate compliance when needed. Demonstrating compliance is a major part of the GDPR. Hence, being able to provide evidence documenting the progress of training and the level of competence of the staff will weight strong in the balance, should a company be challenged on its personal data management practices.

At the very least, all employees ought to have a basic training in the GDPR. That being said, a more in-depth and focused training should be designed for specific functions or roles that carry out specialised processing. For the training to be effective, a combination of different pedagogical approaches should be considered, including multichannel diffusion. Workshops, one-on-one trainings, interactive web courses, function-specific manuals, webinars, informational videos are a few possible options.

Finally, to preserve its prominent place, all training should be backed by constant awareness raising programmes, such as posters, meetings or recreational activities on Data Protection Day.

In sum, integrating the GDPR into the daily life of a business amounts to carrying out radical organisational change. Personal data need to be addressed in a manner that meets the imperatives of the GDPR and this all the way down to the level of the individual employee. The GDPR is meant to change the way that companies think about data, and this entails changing the way individual employees think about data. Sound training about the GDPR is the cornerstone of the new mindset that is required under the GDPR.

For further guidance on GDPR, please download our white paper, speak to your Novagraaf attorney or contact us below.

Anca Draganescu-Pinawin is IP Counsel at Novagraaf in Switzerland.

Insights liés

Actualités et avis

MARADONA, une icône sur le terrain, mais également auprès des tribunaux

Le monde du football est en deuil depuis le 25 novembre dernier, jour où Diego Maradona, légende qu’on croyait pourtant immortelle, s’est éteint à l’âge de 60 ans des suites d’un arrêt cardiaque. L'un des plus grands joueurs de football de tous les temps, Maradona est également bien connu des professionnels de la propriété intellectuelle pour son litige de 2019 avec Dolce & Gabbana, comme l'explique Léa de Ladoucette.

Par Léa de Ladoucette,
MARADONA, une icône sur le terrain, mais également auprès des tribunaux

Réseaux sociaux, applications, … quelles procédures de réclamation contre l’usage de sa marque sur Internet ?

Lorsqu’un annonceur utilise une marque comme mot clé sans autorisation sur Google Adwords, ou qu’un utilisateur poste un Tweet, une publication sur Instagram, Facebook ou Pinterest, ou crée une chaine Youtube contrevenant au droit de propriété industrielle d’un tiers, se pose la question des voies de droits ouvertes au titulaire de la marque contrefaite.

Réseaux sociaux, applications, … quelles procédures de réclamation contre l’usage de sa marque sur Internet ?
Actualités et avis

Evolution de la pratique Suisse concernant la protection des indications de provenance protégées

« Contrairement aux marques, les indications de provenance n'attribuent pas les produits qui en portent la marque à une entreprise spécifique, mais à un pays, une région ou une localité. Les indications de provenance doivent donc être protégées contre les signes susceptibles de faire naître des idées fausses sur l'origine des produits »

Par Nathalie Codignola,
Evolution de la pratique Suisse concernant la protection des indications de provenance protégées

Pour plus d'informations ou de conseils contactez-nous

Confidentialité et cookies

Pour fournir la meilleure expérience possible aux visiteurs du site Web, Novagraaf utilise des cookies. En cliquant sur "Accepter" ou en continuant d’utiliser le site, vous acceptez notre politique de confidentialité, y compris la politique en matière de cookies.