The General Data Protection Regulations came into effect on May 25th 2018, and have since had wide-reaching implications for many companies both within and outside the EU. The need for GDPR was clear; existing laws were not robust enough to deal with the rapid changes in technology. The creators of GDPR sought to introduce regulations to reduce the risk of data theft to a minimum.
One of the most important aspects of ensuring that an organisation is GDPR-compliant is by implementing a rigorous and robust training program for all employees. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen or failing to lock important files in a secure drawer. Ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result millions of files being stolen by a hacker.
Employees must understand their responsibilities under GDPR. The regulations require that all employees undergo training, although not necessarily to the same level. The amount of training that an employee undergoes may be tailored to their specific role. This article will provide some guidance on how to ensure employees are familiar with GDPR’s strict data security requirements and how they can fulfil their obligations to protect sensitive customer information.
Employees at organisations that handle the private information of individuals should understand their responsibilities under GDPR. This includes an overview of what types of organisations are required to comply with the regulations, an understanding of the scope of GDPR and whose data is protected, and how the application of GDPR may vary in certain scenarios. Employees will also benefit from being presented with definitions of basic concepts, such as data controller, data processor, data subject, and the different types of personal data.
GDPR outlines several core principles of data protection that guide the rest of the legislation. These include:
a) There are different categories of data, such as “identifiable data” or “special data”, and each class must be treated appropriately
b) There must be a legal basis for processing data, and processing must be done in a fair and transparent manner
c) Only the minimal amount of data necessary should be collected
d) Data should only be processed for a pre-defined purpose
e) Any data collected should be accurate and precise
f) There should be limits to the length of time for which data can be stored g) The integrity and confidentiality of the data must be protected
These principles should be presented to employees, and each concept fleshed out using examples and dialogue. Understanding these core concepts is essential if they are to properly perform their role in the organisation and ensure that consumer data always remains secure.
Some of the most significant changes introduced by GDPR are the new rights granted to data subjects. These rights include:
a) Right of access: data subjects must be able to access any data that has been collected, or obtain copies of the data from the controller and/or processor.
b) Right of rectification: should the data subject find inaccuracies in the data, they retain the right to correct any of the data.
c) Right to object: after data collection, data subjects can object to how their data is being handled and halt further action.
d) Right to restrict processing: data subjects can request that their data is not processed in a certain way or prevent further processing.
e) Right to erasure: data subjects can ask that their data is deleted by the processor at the earliest possibility.
f) Right to data portability: data subjects have the right to access their data in a digital format compatible with a variety of devices.
g) Right to complain: if they are dissatisfied with how their data is being handled, or feel that their rights are not respected, data subjects have the right to complain to a supervisory authority.
h) Right to be represented: when lodging complaints, data subjects have the right to representation by an independent, not-for-profit body.
Any employee that handles the sensitive information of consumers should have thorough understanding of these rights.
If an employee is working for a body that may be classed as a “data controller” (that is, an organisation that overseas the collection of data), then they must be made aware of the responsibilities of data controllers under GDPR. These responsibilities include:
a) Affording transparency with the data subject as to how they will handle their data b) Ensuring that data may easily be translated from one place to another
c) Providing evidence to the data subject that they are fully GDPR-compliant
d) Ensuring that they have the capacity to uphold the rights of a data subject
Similarly, in an employee is working for a data processor (a body which processes data on behalf of a data controller), then the employees should know the responsibilities of that particular organisation under GDPR:
a) The processing of data should be completed according to a pre-arranged contract with a data controller and must ensure that the rights of the data subject are respected
b) Adequate safeguards must be in place to protect the integrity of sensitive data
GDPR has introduced strict procedures which must be followed to ensure that data collection is performed in a safe manner that is fair to the data subject. Employees should be trained in the correct forms of data collection, and particular focus should be placed on the aspects of data collection most pertinent to that particular organisation (for example, do they call customers or send out emails as a means of data collection). Some of the most important aspects of GDPR-compliant data collection are outlined here:
a) The data subject should give their informed consent for their data to be collected, and they must be told exactly for what purposes their data will be used.
b) GDPR states that individuals under the age of 16 are unable to give informed consent, and consent must be given by a parent or guardian. However, GDPR allows individual EU states to lower this age of consent to 13 if they wish.
c) There are some special cases—such as a national emergency or criminal incident—for which the above rules do not apply and consent is not needed for data collection to take place. Employees should be aware of the particular circumstances in which these exceptions apply.
d) Organisations must choose the most appropriate basis for processing, and consider all viable options in determining which process is best for a given situation.
Data breaches may have disastrous consequences, and it is vital that an organisation has a contingency plan should a data breach occur. Employees should be familiar with this plan, and fully aware of what GDPR requires an organisation to do in the aftermath of a breach. Employees should be in no doubt as to what their role in handling a data breach should be, such as informing a supervisory authority of a breach or preparing breach notification letters to send to affected customers.
Performing a DPIA goes a long way in ensuring that an organisation is GDPR-compliant. These allow organisations to evaluate their current methods and policies, and highlight areas of improvements. Employees may benefit from being involved in DPIAs, or being presented with the final report, as it will allow them to understand their organisation’s particular strengths and weaknesses. They may also be used as a gateway to discussion of topics such as data security and cybercrime with employees, and the risks posed to data.
GDPR requires all large organisations to employ a data protection officer (DPO). Employees should be made aware of who this person is, their role within the organisation, how they may be contacted, and how they may interact with the DPO while performing their duties. It is highly likely that the DPO will be responsible for organising and performing all employee training courses.
Employees should be made aware of the penalties that may be levied against an organisation if they are found in violation of GDPR. The financial penalties are substantial; either €20 million, or 4% of the company’s global annual turnover-whichever is higher. The fine will vary depending on the nature of the breach and the organisation’s response. Employees should also be made aware that data subjects may seek compensation for a data breach, and prosecute the organisation responsible for the breach in the court of law. Furthermore, individual member states may apply the aforementioned administrative fines and states may choose to impose additional punishments, including jail time.
We have outlined some of the most critical aspects of GDPR that any employee training course should cover. All employees at an organisation that is subject to comply with GDPR should undergo training. Certain employees may require further training due to their roles in the organisation or how they interact with sensitive data.
It is recommended that training is held regularly, in short sessions. Employees should be engaged during the training course, and tested on their understanding of their responsibilities under GDPR. Certain aspects of GDPR, such as the rules surrounding data processing are more applicable in a day-to-day setting, and should be allocated more time. Employees should be served regular reminders on issues such as IT best practices and the dangers of cyberattacks.
It is important to keep a record of training sessions, such as who attended, what the session covered, and how regularly they occur. As employee training is a requirement of GDPR, auditors may need to see records of the training sessions.
Finally, it is easy to understate the importance of employee training. It is essential that an organisation has a well-trained staff to protect such sensitive data. Should a data breach occur, and investigators discover that it was the result of inadequate training, hefty fines would be incur, and the organisation face severe reputational damage. Although employee training may be costly in the short term, the benefits are worth the effort.
Copyright © 2019 ComplianceHome