GDPR: Are your staff aware?
Mark Roebuck, MSc, MBA
Founder of ProvePrivacy: Data protection compliance platform.
Fire!
In a well-managed organisation every member of staff knows what to do when there is a fire. Even visitors and new starters manage to follow the correct route and get to a safe place. They know this because staff are trained well and regularly; they respond to the alarm and, out of habit, use the safe routes to the muster points. It is a kind of 'muscle memory'.
Hopefully over the last year or so you have been getting your company ready for the advent of GDPR. By now your senior managers will be well aware of the changes that they have had to make and your plans should be well underway, but what about everyone else?
Breach!
Now that GDPR is upon us you are probably hoping that the same automatic reaction happens when a breach occurs. Will your staff be able to spot a breach? Will they know how to raise the alarm? Writing those new processes and procedures is great to evidence compliance and they will form a useful element of your 'records of processing activities' but will they be effective?
In the same way that fire safety requires regular, repeatable training of staff, so does data protection. If you are to truly implement 'data protection by design and by default' you need to get your staff to a position where they understand the importance of data, how it is put at risk, and how to limit and mitigate that risk. Knowing about GDPR's principles and the data subjects' rights is great, but it is not enough.
It may not be mandated by the new regulation, but there are clear benefits:
- An organisation that can evidence that staff have been well trained on a regular basis will mitigate risk.
- Keeping records of training in your 'records of processing activities' should increase the confidence of the supervisory authority if they have any cause to audit your organisation.
You need to train your staff.
Finance Director: 'What if we train our staff and they leave?'
Data Protection Officer: 'What if we don't train them and they stay?'
What would good training need to cover?
At www.knowledgezone.co.uk, we have determined that training on the regulations alone isn't enough; you need to go deeper and take a more practical approach.
Training on GDPR
GDPR is new and brings new accountability, so staff need to be aware of the possible impacts. The GDPR principles are the bedrock of data protection; they are the way your organisation should operate, and staff should be aware of what they are and how they affect their role. Accountability is a key principle: your staff need to be aware that this is new and that evidence of compliance is as important as compliance itself. Not being able to evidence compliance will no doubt make the sanctions greater, so staff need to be aware of these too.
In addition to training on the principles, you should also be sure that your staff understand the rights of the data subject. They are the front line: the people who will need to recognise when data is being requested (subject access requests), and who will need to know what a breach is and how to spot one.
Protecting Information Assets
GDPR is more than just a new law; it is a new way of working. Staff need to be aware of the risks to personal data inside and outside of the office: working on a train, in the coffee shop or even at home puts personal data at greater risk. Staff need to understand how to manage data now that GDPR is enforceable.
Cyber Crime
We all need to remain aware of the risks that cyber criminals pose, so your training should include making staff aware of the threats posed by cyber crime methods. Phishing, malware, smishing and vishing are all ways in which personal data can be collected. Gather enough and a profile can be built, and the whole organisation's network can be breached.
Acceptable Usage
You may not have an acceptable usage or IT security policy, but you should still be training your staff on best practice. Internet and email use can lead to increased phishing attacks. Staff should know how to access and manage information and how to ensure it is securely disposed of, and should practise good behaviours such as keeping a clear desk and ensuring equipment is safely disposed of at the end of its life.
Passwords and Security
In the same way that you protect the physical security of your offices, you also need to protect the information assets on your technology. Passwords and password security are the most basic behaviours which need to be trained into 'muscle memory'. Disclosing passwords to others, or setting weak passwords, makes your systems vulnerable, so staff need to be aware of the risks these pose.
Managing Records
GDPR requires that data subjects are informed about how long data is retained. This means that you will no doubt have created a good data retention policy, but do you have a process to put it into effect? If you do, do your staff know how data is managed throughout its lifecycle? Data management is key to ensuring that data is protected, and staff must be trained on how to manage their data; otherwise your policy will not be effective.
Assessment & Evidence
Any good training should also contain an assessment of the performance of the staff and training managers should be able to identify the staff who do not show a good understanding. Since the accountability principle of GDPR requires that we demonstrate compliance, it makes sense that a good training solution would provide annual evidence that staff are being regularly trained.
The Knowledgezone Solution
Knowledgezone have developed an online solution which is suitable for all of the staff in your organisation who come into contact with personal data. It has been developed by our GDPR Practitioner, who has over 15 years' experience in implementing compliance solutions across FTSE 100 organisations. The training is accredited by the CPD Certification Service and it is very easy to deliver.
The training is available in a number of variants including versions for the Education sector and Membership organisations.
Being an online solution, the training can be delivered at your staff's workstations, so there is no need to take staff away from their job for a great length of time. The training takes around 40 minutes and it includes an end-of-course assessment. As the course and assessment are modular, they don't both have to be completed at the same time.
Excellent reporting is included which allows management to identify those who are having difficulties, plus it provides a very clear view of those who have not done the course and the grades of those who have. It is even possible to drill down into each assessment attempt to identify the sections of the training which are causing difficulty. The training report can be printed and is dated so that a clear audit trail is available.
The training costs £20 per person for an annual licence and is much easier to implement, manage and evidence than a PowerPoint presentation.
If you would like more information visit our website at www.knowledgezone.co.uk
About the author:
The Data Protection and Security Awareness course has been developed by Mark S Roebuck MBA, MSc. Mark Roebuck is a GDPR practitioner and a business consultant specialising in strategy and organisation design, in particular with respect to GDPR compliance and target operating model development. He has been managing large change programmes across FTSE clients for over 15 years.