Our recent webinar, ‘Preparing your workforce for the GDPR’, covered the training challenges of the new data protection regulation. Meeting the General Data Protection Regulation (GDPR)’s requirements affects significant parts of many organizations. Liz Hornby and Kate Nichol, both Principal Consultants at Eukleia, hosted this interactive session to outline how firms should equip their workforce with the knowledge of what they need to do and what to avoid in order to comply with the GDPR.
At the end of the session we welcomed questions from attendees regarding GDPR training, and we have highlighted the key questions, with answers from Kate Nichol, below. Please note that as a training company, we are unable to give advice on how the GDPR might apply to your situation and we strongly recommend you seek independent legal advice. As a starting point you may wish to refer to the website of the Office of the Information Commissioner.
Q: How do you proactively regulate GDPR compliance in an organisation?
Kate: GDPR compliance should certainly be part of the annual compliance monitoring/Internal Audit review programme. In addition, some organisations are signing up to voluntary Codes of Conduct, as a way of demonstrating compliance.
In any case, organisations should keep records of the steps they have taken to ensure GDPR compliance, e.g. their initial impact analysis and any changes implemented, e.g. to the customer journey on a website.
In relation to higher risk employee roles, you might even consider GDPR compliance as an appropriate performance objective.
Q: Do you have any recommendations on communication and engagement?
Kate: The most important aspect of engaging employees is to show them how learning applies to them, both as consumers and as employees handling customer and colleagues’ data.
Case studies can include:
- Fictitious examples, e.g. “You or a colleague leave files containing personal data on public transport” or a vishing example
- Real life cases from within your organisation: what happened and how they were resolved. These can be really valuable as a training tool, especially if those involved are willing to share their story
- You can also convert examples of external disciplinary cases, e.g. the example of someone accessing data out of curiosity who did not know this was not legal
In terms of communications, we recommend, for example:
- A tone-from-the-top message to show that senior management are genuinely committed to compliance – this can be done as an all-staff email or as a preface to formal training
- An “introduce the Data Protection Officer” session or email
- Depending on the size of your organisation and the resources available, a media-style campaign with posters and job-aids and/or video
- Having the issue as a standing agenda item at team meetings
- Lunch and learn style sessions with GDPR Champions or Compliance
- Setting up a dedicated section on your intranet site
We also touch on the subject of engagement in our blog ‘GDPR: time to get started’.
Q: Will one size fit all organisations, or will organisations take different approaches?
Kate: At the awareness level I think it is one size fits all, because the issues and the themes are very common across all types of organisation. However, when you are getting to the scenarios, that is when it becomes more firm-specific. That is when you have to look at the types of situations, clients, the type of data you are likely to handle. For instance, the type of data that a bank might have would be very different to that of a doctor’s surgery or a hotel. Our off-the-shelf course is written so that the scenarios can be easily adapted, and we would work with you to ensure that the scenarios would make sense for your specific organisation.
Q: How will the GDPR impact upon the information held on social media if at all?
Kate: It is likely to have a significant impact, as all social media providers collect and process personal data. The coverage of the Cambridge Analytica investigation highlights some of the potential issues.
Q: If we subscribed to social media some years ago, what actions might we now reasonably expect organisations to take in order to comply with GDPR?
Kate: Many organisations are taking the opportunity to contact customers whose data they already hold and confirming how that data is used and/or seeking “opt-ins” for marketing and/or data research use.
We recently released a course which aims to get all learners in an organisation up to speed with the GDPR. The course aims to increase employee awareness of the reputational, operational and financial risks associated with data protection and helps employees take appropriate action to help counter these risks.