Human error could be responsible for as many as 90% of data breaches. Training your staff effectively is the most significant way to prevent them. It combats non-compliance with GDPR and related data protection laws and, as a result, protects your business. With data protection training specifically geared towards the way your company handles data, you’ll stand a much greater chance of avoiding breaches and the potential fines that follow them. In addition to general training that is suitable for all staff, you may also want to consider modules aimed at those employees who shoulder the key data protection responsibilities within your organisation.
In this article we highlight the ways data protection training can minimise the chances of you failing to comply with GDPR and consider how training can protect your business from the financial penalties under GDPR and the associated damage to your commercial reputation.
Why does data protection training matter?
Training staff to understand data protection principles and the consequences of failing to comply with the rules is crucial for a number of reasons:
- Training demonstrates compliance – GDPR’s accountability principle requires you not just to comply with applicable regulations but also to demonstrate compliance. A coherent, well-documented programme of training for staff is the best way to demonstrate compliance. If a data breach occurs and the ICO investigates, being able to produce comprehensive staff training records will work in your favour. If you aren’t able to show you’ve invested in training it’s likely to be an aggravating factor when the ICO comes to decide on any financial penalty.
- Reduction of human error – If we analyse ICO interventions since the advent of GDPR, it’s clear that human error accounts for a high proportion of data breaches. Staff training encourages all employees to take data protection matters seriously and impresses on them the repercussions of a breach. As a result, it can reduce the chances of mistakes being made.
- It makes compliance easier – When staff can recognise, for example, what constitutes a data protection request and understand the time limits for responding to it, the request is more likely to be dealt with quickly and in accordance with the rules. And when employees are aware of GDPR principles such as data minimisation and data retention, they can apply those principles in the course of their day-to-day work, ensuring that a culture of compliance is fostered across your organisation.
How to design a data protection training programme
We have well-established data protection training programmes that have been built and developed around businesses of all sizes and in a wide range of industry sectors. However, our data protection and privacy law solicitors will always tailor their training to the business concerned. If you have a data protection officer (DPO) in place, we will usually work closely with them to develop training that’s proportionate to your GDPR compliance requirements and deals specifically with the type of issue likely to arise in the course of your specific data processing activities. In addition, we’ll develop training targeted at different employees depending on their role and their level of exposure to data protection issues in the course of their work.
We’ve learned through our training work that it’s sometimes difficult to motivate employees when it comes to data protection training. And it’s fair to say that the subject can be uninteresting and dry if it’s not properly contextualised. We’ve spent a lot of time making our training materials accessible and engaging so that staff come away with a practical understanding of how the technical legal issues apply to the work they do every day.
The basics of staff training
Training for all staff should aim to make data protection compliance second nature across the business. It should cover the main issues around GDPR, including:
- Handling requests
- Data sharing
- Information security
- Personal data breaches
- Records management
- Data breach escalation
- The risk of investigations, fines and claims for compensation
While it’s important that all staff get a broad overview of data protection issues it will often be necessary to drill down into more technical areas with specific departments and teams. This will depend on the regular data processing activities of these employees and the kinds of issues and risk levels they are likely to encounter.
Certain staff members must have a deeper understanding of data protection law. Your data protection officer (DPO), for example, should have a level of knowledge that enables them to raise awareness – throughout the organisation – of data protection law as it develops. For peace of mind, and to avoid the need to employ their own DPO, many of our clients ask us to discharge the DPO functions on an ongoing basis.
To meet ICO expectations you should have dedicated resources available to deliver training to all staff. Using our team is one way to cost-effectively achieve this.
Establishing a data compliant culture through training
The ICO now expects businesses to encourage a culture of data protection and information governance awareness. Tailor-made staff training is the most obvious way to achieve this and to demonstrate to the regulator, if required, that your organisation takes data protection seriously. But training should really only be viewed as the cornerstone of a data compliant culture. You should also keep data protection at the forefront of employees’ minds through awareness campaigns, regular email newsletters, team briefings and internal handouts and posters. Importantly, staff should always know who they can speak to directly if any data protection issues arise.
When to carry out data protection training
You shouldn't think of training as a one-off session. As data protection law evolves, so too will the responsibilities of your staff. Comprehensive data protection training should be delivered every two years, and more regularly if a change to the law impacts your activities or your data processing activities themselves change.
The ICO recommends that data protection should form an integral part of induction training for new staff, and that it should usually take place within a month of any employee joining the business. In addition, to encourage data protection by design (the idea that data protection issues should be addressed carefully before any new product is launched or system designed), staff embarking on any new business initiative should receive appropriate training before the project begins.
Data protection training is crucial to ensuring you stay compliant with GDPR and other data protection laws that apply to your business. While training of this type is available from many outside sources, our training is delivered by qualified and regulated data protection lawyers, specialists in their field and greatly experienced in delivering training to all kinds of businesses.