The EU introduced the General Data Protection Regulations on May 25th 2018. GDPR is a landmark piece of data protection legislation, and has had wide-reaching implications for many companies both within and outside the EU. One of the most important aspects of ensuring that an organisation is GDPR-compliant is by implementing a rigorous and robust training program for all employees. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen or failing to lock important files in a secure drawer. Ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result millions of files being stolen by a hacker.
The regulations require that all employees undergo training, although not necessarily to the same level. The amount of training that an employee undergoes may be tailored to their specific role. This article will provide some guidance on how to ensure employees are familiar withGDPR’s strict data security requirements and how they can fulfil their obligations to protect sensitive customer information.
What should be included in a GDPR training course?
Why is GDPR needed?
This should include an overview of the need for GDPR, who the legislation applies to, whose data is protected, and how it may affect the organisation’s practices. Definitions of basic concepts such as data controllers, data processors, data subjects, and PHI should be presented to the employees.
GDPR’s Core Principles of Data Protection
Several “core principles” of data protection are outlined in GDPR, which include:
- There are different categories of data and each category has appropriate methods and practices associated with it
- There must be a legal basis for processing data and processing must be completed in a fair and transparent manner
- Only the minimal amount of data necessary to complete a particular purpose should be collected
- Data should only be collected for a pre-defined purpose
- Any data collected should be accurate and precise
- Data should only be stored for limited amounts of time
- The integrity and confidentiality of data must be protected
Rights of the data subject
GDPR grants new rights to data subjects. These include:
- Right of access: data subjects must be able to access any data that has been collected, or obtain copies of the data from the controller and/or processor.
- Right of rectification: should the data subject find inaccuracies in the data, they retain the right to correct any of the data.
- Right to object: after data collection, data subjects can object to how their data is being handled and halt further action.
- Right to restrict processing: data subjects can request that their data is not processed in a certain way or prevent further processing.
- Right to erasure: data subjects can ask that their data is deleted by the processor at the earliest possibility.
- Right to data portability: data subjects have the right to access their data in a digital format compatible with a variety of devices.
- Right to complain: if they are dissatisfied with how their data is being handled, or feel that their rights are not respected, data subjects have the right to complain to a supervisory authority.
- Right to be represented: when lodging complaints, data subjects have the right to representation by an independent, not-for-profit body.
The responsibilities of a data controller
This is particularly important if the employee works for a data controller. These responsibilities include:
- Affording transparency with the data subject as to how they will handle their data
- Ensuring that data may easily be translated from one place to another
- Providing evidence to the data subject that they are fully GDPR-compliant
- Ensuring that they have the capacity to uphold the rights of a data subject
The responsibilities of a data processor
This is particularly important if the employee works for a data processor. These responsibilities include:
- The processing of data should be completed according to a pre-arranged contract with a data controller and must ensure that the rights of the data subject are respected
- Adequate safeguards must be in place to protect the integrity of sensitive data
Data collection under GDPR
GDPR has introduced strict new procedures for data collection. Some of the most important aspects of GDPR-compliant data collection are outlined here:
- The data subject should give their informed consent for their data to be collected, and they must be told exactly for what purposes their data will be used.
- GDPR states that individuals under the age of 16 are unable to give informed consent, and consent must be given by a parent or guardian. However, GDPR allows individual EU states to lower this age of consent to 13 if they wish.
- There are some special cases—such as a national emergency or criminal incident—for which the above rules do not apply and consent is not needed for data collection to take place. Employees should be aware of the particular circumstances in which these exceptions apply.
- Organisations must choose the most appropriate basis for processing, and consider all viable options in determining which process is best for a given situation.
Handling data breaches
Employees should be aware of the potential consequences of a data breach and be familiar with the organisation’s data breach response plan.
Data Protection Officer
Employees should be aware of the DPO’s role in their organisation, how the DPO may be contacted and how they may interact with the DPO during their regular work activities. The DPO may be responsible for running the employee training courses.
Penalties for non-compliance with GDPR
Employees should be made aware that the fines for non-compliance with GDPR are substantial; either €20 million or 4% of the company’s
annual turnover, whichever is higher. Data subjects may seek compensation for a data breach, and prosecute the organisation responsible for the breach in the court of law. Furthermore, individual member states may apply the aforementioned administrative fines and states may choose to impose additional punishments, including jail time.
GDPR Training: Summary
We have outlined some of the most critical aspects of GDPR that any employee training course should cover. Certain employees may require further training due to their roles in the organisation or how they interact with sensitive data. It is recommended that training is held regularly, in short sessions.
It is important to keep a record of training sessions, such as who attended, what the session covered, and how regularly they occur. As employee training is a requirement of GDPR, auditors may need to see records of the training sessions.