The importance of GDPR training


As even the most remote tribe, in the deepest, darkest corner of the Amazonian rainforest is aware, the GDPR is coming. Although it doesn’t come into force until 25th May 2018, it was adopted back in April 2016. In that time, it’s been written about, discussed, advertised, debated, and generally waved in everyone’s face. If, even in spite of all the warning, you’ve still not prepared then…well…there’s not much help I can offer you now – may the ICO have mercy on your soul.

For everyone else, I want to discuss GDPR training – specifically, why it’s so important that you, and every member of your organisation, are trained to understand what it is, what it requires, and why.

However, before we get going, allow me to address the elephant in the blog. iHasco sells eLearning courses, and I just so happen to have written iHasco’s GDPR training course. Now, whilst I’d love for you to all go out and buy my course, this blog isn’t about that, it’s about making sure that you and your organisation are fully prepared for what is a massive regulatory change. As you’ll see, in this blog I put forward my argument for why GDPR training, in general, is so important – not why my training is so important. There are many perfectly sub-standard good training courses available, not just my clearly superior course. Now that’s been addressed, let’s move on.

The Fancy Alarm Analogy

You may be thinking to yourself – “I’m responsible for Data Protection at my organisation, and I understand the GDPR, so there’s no point training everyone else”. Now that’s all well and good. You, personally, may have attended seminars, read blogs and industry guidance, or even completed training yourself. You may have implemented GDPR-compliant policies and procedures and helped foster a work environment focussed on data privacy. You may very well be el numero uno when it comes to data protection and the GDPR, but this all amounts to nothing if nobody else understands the importance of, or reasons why, you’ve made all the changes you have.

Imagine you’re in charge of security at your organisation, and you install the world’s greatest alarm system. It’s some serious state-of-the-art equipment, offering solutions to problems you didn’t even know you had; it’s got facial recognition and can distinguish between staff, visitors, and intruders, locking all doors and windows automatically if it detects a burglar; it’s got silent alarms which it automatically triggers, alerting both you and the police; it can be controlled remotely from anywhere in the world; it tracks all the objects in the building so that if they are stolen, it knows where they are; and it can isolate and lock down individual rooms, trapping an intruder until the police arrive. This is the alarm system of your dreams. With it you’ll never need to worry about security ever again.

Now, this security system is so large and all-encompassing that there’s not one aspect of the organisation which it doesn’t affect in some way. You’re going to have to delegate at least some of the responsibility for this alarm system to other people. These people are now going to need to be trained in its use – maybe they don’t need to know everything but they definitely need to know the basics of the system.

“If they’re only responsible for a small part of the security system, they only need to know how to do their job and nothing more”. Sure, that’ll work for a while, maybe it’ll work indefinitely. But remember, we’re talking about humans here – humans lose concentration, forget, or are just plain lazy. If the small part of the system they’re responsible for has wider implications for the whole system then they need to understand how important their small role is, and how what they do fits into the wider scheme of things.

Like this amazing alarm system, the GDPR is also massive and all-encompassing, affecting most, if not every, aspect of an organisation. It’s also something that other people will, at least in part, need to be responsible for. If they don’t know what they’re doing, or don’t understand how important their role is, then they’re much more likely to get it wrong. And if mistakes can be avoided, you should make every effort to do so, because…

Getting it wrong is costly!

The GDPR doesn’t mess around. If you don’t do everything you can to protect people’s personal data you’ll find out just how much it means business. For the most serious breaches of the regulations, the ICO (who’re responsible for enforcing the GDPR in the UK) can fine your organisation up to €20 million, or 4% of your annual global turnover.

As your organisation’s GDPR guru, you may well have done everything you can to set up systems, procedures and policies which ensure compliance with the regulations. But, as we all know, people are often resistant to change – especially if they feel the change is unnecessary or just “more bureaucratic red-tape”. All it takes is just one person trying to save time, forgetting their responsibilities, or trying to make an ill-fated stand against “the powers that be meddling in their day-to-day work, making their lives harder” for the ICO to be alerted and launch an investigation.

Now, an ICO investigation won’t necessarily end in a fine, even if a breach has occurred. If you can demonstrate that you have done all you can to comply, then an investigation is more likely to result in them offering help and providing steps to ensure you comply in the future.

Proving that you have provided training to all members of staff goes a long way in demonstrating your commitment to GDPR compliance.

But it’s not all about avoiding punishment…

There are some genuinely positive reasons why you should make absolutely sure that you (and everyone else at your organisation) are following the GDPR.

For a start, the very reason for the GDPR’s existence is to give control back to individuals over their own personal data – that’s not just some mystical “individual”, that’s all of us, you included. This could well mean an end to persistent nuisance calls and creepy targeted adverts – unless you consent to these, of course.

If you’ve been paying attention to the news, you’ll almost certainly be aware of the trouble a certain social media company has got into regarding their lack of care for their users’ data. Public confidence in this company has since plummeted, and their CEO – at one time a potential candidate for US President – is now considered a liability (although “liability” seems to be a requirement for US President nowadays). Making sure that everyone complies with the GDPR is simple, yet the confidence it inspires in the public is immeasurable.

Also consider the logistical benefits. By regularly auditing and checking the data you hold – culling everything you no longer need to keep – you’ll reduce the amount of data you have stored, making things like Subject Access Requests, data amendments, or data transfers that much easier.

But if none of that is enough to convince you of the importance of providing staff with GDPR training, consider this…

The GDPR requires it.

One of the duties of a Data Controller, Processor AND of a Data Protection Officer is to ensure that “the appropriate data protection training [is given] to personnel having permanent or regular access to personal data”.

Supervisory Authorities are also tasked with creating binding agreements for organisations which ensure that everyone receives adequate training.

So, even if you weren’t convinced by my robust and rousing arguments in favour of GDPR training, it doesn’t matter. You have to do it anyway.