Staff training is a requirement of GDPR compliance. Rightly so, because human error is the leading cause of data breaches. Rather than just viewing training as a checkbox to tick for GDPR compliance it ought to be at the forefront of your organization’s data protection plans. Make human resources the metal strength of your GDPR compliance policy and not the weakest link in the chain.
So, who in your organization needs GDPR awareness training?
The simple answer is everyone.
Everyone in your organization should have a basic knowledge of data protection. We can sometimes get caught up in crossing the Ts and dotting the Is of GDPR, which means we don’t always see the wood for the trees.
What’s needed is a clear and simple understanding of data protection by all employees. Everyone should know why the organization needs to comply with GDPR. Furthermore, every employee should understand how this relates to their job role, even if all that means is that they know whose responsibility it is to deal with Data Protection issues.
Of course, some employees, will have more to do with GDPR compliance than others. Here are some key personnel areas to bear in mind for additional GDPR process training.
Customer Service/Front-line Staff
Customers and others are going to make Data Subject requests under the GDPR, seeking to obtain copies, request corrections to, or restrict processing of their personal data. This can take quite some time. An ill-informed or unaware member of staff could waste a considerable portion of that time through inaction or indifference. Such requests are often a response to dissatisfaction or aggravation and therefore may not be made through the expected or appropriate channels. All customer facing staff need to be aware of the procedures and the implications of not following them.
Marketing & Communications Staff
Even after all the fuss around the introduction of GDPR there are significant misconceptions among professional marketing and communications staff in relation to what can and cannot be done under Data Protection Regulation. Your marketing and communications staff and partners may need GDPR training.
In particular they will need to understand the nature of the personal data they are working with, the legal basis under which you have selected to process it and the implications of that decision. They will need this, not just so that they can adhere to it, but also so they can explain it to others who raise justifiable and not so justifiable concerns. These will undoubtedly include customers and potential customers. A demonstrable lack of understanding of the rules and how they are being applied in your company may be a greater source of reputational damage than non-compliance.
Finally, if the regulators detect, or more likely are in receipt of a complaint of, a breach of GDPR, it is to your Marketing and Communications representatives that they will probably address their concerns. It is essential, that they demonstrate a clear and considered approach to the use of personal data by your organization.
Human Resources, IT, Accounting and Data Analytics Staff
Employees engaged in Big Data analytics need to understand the GDPR rules on profiling. IT staff may be fully versed in the technical measures required to protect personal data, but are they equally well informed on the restrictions around processing?
The Finance function does not only process numbers, but customer and staff information and needs to be aware of their responsibilities under GDPR.
Employee data is personal data and is therefore protected under the GDPR. HR staff must know how to store this data correctly, how to handle data subject access requests and job application data.
Senior Managers & Board of Directors
Ultimately the owners and directors of your business are responsible if the company does not comply with the law, and GDPR is now the law. Ignorance of Data Protection law and its implications is not a defence.
GDPR training is vital for Owners, Directors and Senior Managers, who are both directly responsible for compliance and also for ensuring, in turn, that their employees and partners have adequate GDPR awareness training.