How to provide GDPR and data protection training for your staff?

Jan 3, 2018

Lately, an increasing number of companies have started figuring out ways to comply with the fast-approaching General Data Protection Regulation (GDPR). One of the major changes it brings is the obligation to demonstrate accountability and thus GDPR compliance. It’s no longer enough that the right actions are carried out; organisations must also be able to demonstrate this, for example by being able to show documentation of these actions.

GDPR and data protection training for employees is one of the ways to demonstrate GDPR compliance and accountability. Ultimately, this is an efficient way to reduce an organisation’s risk level. Data protection and privacy violations are often caused by individual human errors that can have severe consequences for the whole organisation and its reputation.

Efficient and transparent processing of personal data is an effective way to achieve competitive advantage in today’s data-intensive world. However, the general attitude towards the GDPR and data protection is unfortunately rather negative, and the subject is brought up in the light of avoiding major fines for non-compliance. Data protection training allows an organisation to stand out from the competition and build trust with the end users. It is about understanding and complying with the responsibilities of an organisation. One should remember that ultimately every one of us is a data subject. Therefore, training about data protection and the GDPR is also about understanding our own rights.

Currently, there are various ways to provide GDPR and data protection training for your organisation. Existing methods include classroom training, seminars and e-Learning. Choosing the right method depends on the needs, size and role of the target group. Despite this, the main goal of most organisations is to understand how GDPR affects them and therefore how to be GDPR compliant. Additionally, many organisations are looking for ways to use data protection knowledge to achieve business advantage. Doing all of this in a way that’s also easy on the wallet doesn’t sound too bad.

The hard reality is that there are only limited resources available. Sometimes a choice must be made between providing the necessary training for the whole organisation and focusing on a specific focus group. This is especially the case with lower risk level organisations, where training of the whole staff is not necessarily required. On the one hand, training individual focus groups can be considered effective when the nature of the focus group’s work is extremely risky in terms of personal data, such as the processing of sensitive data. On the other hand, training the whole staff of an organisation can assist in implementing a culture of data protection and reducing the general risk level regarding data protection. Additionally, this can be interpreted as a safer option to demonstrate accountability and GDPR compliance. Organisations processing personal data at a higher risk level have to focus on data protection training. Eventually all businesses, whether the business focuses on personal data or not, should take data protection training seriously, because the GDPR affects all organisations processing and holding the personal data of individuals residing in the EU.

As of now, there are hardly any real guidelines or rules for determining the suitable level of GDPR and data protection training needed to achieve GDPR compliance, not to mention the appropriate level of training needed to achieve adequate skills in data protection generally.

For smaller organisations, investing in data protection training can be seen as a small price compared to the advantages it yields. Naturally, in larger organisations, allocating the training to the right people becomes an interesting question. An obviously good rule of thumb is that the more one’s work is related to the processing of personal data, the more important thorough data protection training is. Furthermore, groups whose responsibility over the business is significant (e.g. management) are one of the key areas in the organisation that require data protection training. Even though the nature of their work might not focus on personal data, in terms of demonstrating accountability it’s essential that the management of the organisation is well aware of the GDPR and its consequences. Responsibility over the business goes hand in hand with responsibility for data protection. The size of the company might be a misleading measure when deciding the need for data protection training. A small company might be heavily involved with personal data (even without realizing it), while a large company usually simply has more personal data for obvious reasons. Instead of plain size, the amount of personal data in terms of its volume and nature should be considered when making a decision about the appropriate level of data protection training.

As demonstrated, there are no straightforward rules about the adequate level of training, but some basic guidelines should be considered when making a decision about investing in GDPR and data protection training. Above all, data protection training should be seen more as an investment than as a mandatory cost.

Classroom training is a great way to receive individually focused training for a specific group’s needs. However, it can be a clumsy way to train larger groups. From this perspective, seminars might be considered more suitable for larger audiences. However, both of these options can be difficult to organise. E-learning is a suitable option for small start-ups, large multinational organisations and everything in between. It’s an agile and flexible way to train personnel, and it provides an option to demonstrate accountability, for example with an electronic certificate. E-learning allows you to provide essential training for the whole organisation. Additionally, the training can be customized to fit the explicit needs of a specific focus group.

For easy and efficient GDPR and data protection training for your whole organisation, check out Privaon’s e-Learning training here. For more information about Privaon’s other solutions for data protection training, click here.



Ville Silvola, Marketing Specialist