Principal Consultant, Liz Hornby, hosted an interactive session on preparing the workforce for the GDPR. The session outlined how firms should equip their staff with the knowledge of what they need to do and what to avoid in order to comply with the GDPR.
At the end of the session, we welcomed questions from attendees regarding GDPR training, and we have highlighted the key questions and answers below. Please note that as a training company, we are unable to give advice on how the GDPR might apply to your situation and we strongly recommend you seek independent legal advice. As a starting point, you may wish to refer to the website of the Office of the Information Commissioner.
Q: How do you proactively regulate GDPR compliance in an organization?
A: GDPR compliance should certainly be part of the annual compliance monitoring/Internal Audit review program. In addition, some organizations are signing up to voluntary Codes of Conduct, as a way of demonstrating compliance.
In any case, organizations should keep records of the steps they have taken to ensure GDPR compliance e.g. their initial impact analysis and any changes implemented e.g. to the customer journey on a website.
In relation to higher risk employee roles, you might even consider GDPR compliance as an appropriate performance objective.
Q: Do you have any recommendations on communication and engagement?
A: The most important aspect of engaging employees is to show them how learning applies to them, both as consumers and as employees handling customer and colleagues’ data.
Case studies can include:
- Fictitious examples, e.g. “You or a colleague leave files containing personal data on public transport” or a vishing example
- Real-life cases from within your organization: what happened and how they were resolved. These can be really valuable as a training tool, especially if those involved are willing to share their story
- You can also convert examples of external disciplinary cases e.g. the example of someone accessing data out of curiosity who did now know this was not legal
In terms of communications, we recommend, for example:
- A tone from the top message to show that senior management are genuinely committed to compliance - this can be done as an all-staff email or as a preface to formal training
- An “introduce the Data Protection Officer” session or email
- Depending on the size of your organization and the resources available, a media-style campaign with posters and job-aids and/or video
- Having the issue as a standing agenda item at team meetings
- Lunch and learn style sessions with GDPR Champions or Compliance
- Setting up a dedicated section on your intranet site
Related reading: 'GDPR: time to get started’
Q: Will one size fit all organizations, or will organizations take different approaches?
A: At the awareness level I think it is a one size fits all, because the issues and the themes are very common across all types of organization. However, when you are getting to the scenarios, that is when it becomes more firm-specific. That is when you have to look at the types of situations, clients, the type of data you are likely to handle.
For instance, the type of data that a bank might have would be very different to that of a doctor’s surgery or a hotel. Our off-the-shelf course is written so that the scenarios can be easily adapted, and we would work with you to ensure that the scenarios would make sense for your specific organization.
More from the blog: 'The Benefits of Blended Learning for Compliance Training'
Q: How will the GDPR impact upon the information held on social media if at all?
A: It's likely to have a significant impact, as all social media providers collect and process personal data. The coverage of the Cambridge Analytica investigation highlights some of the potential issues.
Q: If we subscribed to social media some years ago, what actions might we now reasonably expect organizations to take in order to comply with GDPR?
A: Many organizations are taking the opportunity to contact customers whose data they already hold and confirming how that data is used and/or seeking “opt-ins” for marketing and/or data research use.
Next Steps
We recently released a course which aims to get all learners in an organization up to speed with the GDPR. The course aims to increase employee awareness of the reputational, operational, and financial risks associated with data protection and helps employees take appropriate action to help counter these risks.