Your Guide to GDPR Compliance: Training your employees

This is it! The last post of our GDPR series and the good news is that this step should be relatively easy to do, but does involve a lot of tracking and communication. I’m talking about privacy training for your employees. There is no point in fulfilling all the steps of GDPR compliance only for one of your employees to mishandle your customers’ personal data by mistake or fall victim to a cyber attack resulting in a data breach. That’s why it is important that your staff understands the requirements and changes the Regulation brings as it will certainly affect their work and your organization as a whole going forward.

As we’ve talked about data protection by design and default, we need to create a privacy-first culture in the organization. That’s why as part of helping the organization to become GDPR compliant, the Data Protection Officer has to raise awareness and provide training to staff involved in data processing operations. For example, knowing the correct procedures to identify a customer caller, recognizing a phishing attack, not changing or modifying specific information, following security and passwords policies, etc. With the rising number of data security breaches that occur, you definitely want your employees to fully know how to protect personal data if you don’t want your company’s reputation to suffer.

The Regulation doesn’t specify what this training entails so it is up to the Data Protection Officer’s discretion to choose the appropriate training.

We’ve got a couple of tips for you (you can find some more here : IT Governance):

• Don’t make it depressing. Regulations always sound depressing. The GDPR is a good thing. Frame it by how they are personally concerned, how this protects them, and how they should return the favor for others. They will hopefully take this not only more seriously, but also more positively.
• Make sure it is relevant. Your employees need to know the logic behind the key points, but they don’t need to know every boring detail. Make sure they understand the logic, and whatever is relevant to their own activities. Otherwise this will be just buzzwords and jargon going over their heads.
• Keep it engaging and fresh, keep it short. Refresh it from time to time. Make sure this is not just a “ticked-off” check-box. Make sure when employees join they have initial training but also when they change responsibilities. A yearly refreshment sounds to us like a reasonable rythme.

At Platform.sh, our teams followed this excellent GDPR training by Troy Hunt but you can find other options such as GDPR training and staff awareness course by IT Governance and Get GDPR ready by IAPP.

Hey, this GDPR series is a great start too! We tried to explain in the simplest language possible what the GDPR is all about, the logic behind it, and what you can do to be sure you are compliant. So make me a required reading for all your staff :) !

As I’ve already said in my previous posts, just because the GDPR came into effect on May 25, the journey isn’t over. It will just take a new road with all its challenges. And with everything this road brings along it is essential to be paved with knowledge, training and awareness.