GDPR Training Course
After a two-year grace period, the General Data Protection Regulation (GDPR) came into effect across the EU at the end of May 2018, and with it came the need for GDPR training courses. However, some studies show that despite ample warning, few businesses are ready for the change in legislation. Cordium, a consultancy firm, estimated that just 2% of financial organisations were prepared to deal with the changes GDPR brings.
GDPR is an expansive and complex piece of legislation. Uniting privacy legislation across EU member states, it provides a much-needed update to privacy rules with the hope of offering better protection to EU citizens. To offer more comprehensive protection, GDPR also applies to any organisation that handles the data of EU citizens, regardless of whether they have on-the-ground operations within a member state.
The thorough nature of GDPR means that it would be hard for any employee without adequate legal training to understand its full impact. Thus, it is critical that all employees are trained in the relevant aspects of GDPR so they can incorporate it into their daily work practice. Training should be mandatory for all levels of staff, including senior managers and directors. As stipulated in GDPR, ignorance is not an excuse if a company is found to be GDPR non-compliant. In any case, no one is immune to human error, whatever their job title.
Why is employee training necessary?
Data breaches are an increasingly prevalent phenomenon; it is rare a week goes by without hearing of some sort of breach on the news. Some of these breaches cannot be avoided, as they are the result of vicious cyberattacks. However, many are also the result of human error, or companies inappropriately using customer data. To prevent such attacks, or mitigate their consequences should they occur, it is highly advisable that all employees are trained in GDPR legislation.
It is also important to highlight the material costs of GDPR non-compliance. The negligent party faces fines of between €10-20 million, depending on the nature of the breach. Alternatively, they can be fined 2-4% of their global financial turnover. The exact nature of the fine will be decided by the country’s supervisory authority.
The data subject, too, may seek compensation from the negligent party. Data breaches put data subjects at risk of health or insurance fraud, identity theft, or financial loss. If any damages, material or otherwise, are sustained, compensation can be sought. Alternatively, they may choose to take legal action against the negligent party.
GDPR does not stipulate any specific training requirements. This does not mean training can be ignored: rather, it means that those who handle EU citizens’ data are responsible for providing their employees with proper training.
What kind of training should be provided?
Given the broad nature of GDPR, it is hard to say what the “perfect” GDPR training course would be. One could argue that as many topics as possible should be included, but this could also overwhelm attendees and leave them likely to forget the information presented to them. Assessment is a good idea, as it is more engaging than just listening to a lecture, though it requires some level of organisation.
Here, we outline a comprehensive list of modules that can be included in a training course. Though there are some core components that will likely be common to any training course, many are specific to different roles within an organisation and thus will not be necessary for all to hear.
- Introduction to GDPR
To clear up any confusion, it is important to start out with a general description of what GDPR is. This should be general enough that it can introduce any course, regardless of attendees, and give a broad understanding of what the legislation is and what it sets out to achieve. Rather than focussing on the entire history of privacy legislation within the EU, however, it should just focus on what is needed to understand GDPR.
- Introduction to data protection – This should provide an overview of what data is and why it needs to be protected, as well as some of the ways by which this can be achieved (e.g. technical safeguards such as passwords and encryption).
- Where GDPR applies – GDPR protects the rights of EU citizens, regardless of where their data is being handled. Thus, highlighting the geographic scope of GDPR is important to all employees, especially in companies not primarily based within the EU.
- Why GDPR is needed – Employees may see GDPR compliance as a frustrating barrier to their workflow. To help alleviate these worries, explaining why GDPR is needed can be beneficial. Including recent examples of data breaches can be helpful at this stage.
- When GDPR applies – As with most pieces of legislation, there are many exceptions to GDPR. These situations are often rare, and many employees will never encounter them, though they should be made aware of notable or relevant exceptions to the legislation.
- GDPR definitions – Before continuing with the course, employees should be told what various terms mean in the context of GDPR (e.g. “data subject” or “consent”).
- Data Protection Principles
GDPR was established to protect the data of private citizens. Data protection is, however, a huge and complex field. GDPR sets out six core principles underlying data protection. Employees should be made aware of these principles, both as a means of understanding the core components of GDPR and to ensure that those handling data respect these principles.
- Introduction to private data – Employees should be given some guidance on what private data is in the context of GDPR. There are a number of categories of personal data, from identifiers to special data that is particularly sensitive. There are different rules for the different types of data.
- Lawfulness, fairness and transparency – One of the core Principles of Data Protection, this stipulates that there must be an acceptable legal basis for processing data, and such processing must be done in accordance with pre-agreed terms.
- Purpose limitation – Those in charge of processing data, the controller, must have a contract with the data subject that defines what the data will be used for. Without further consent, data cannot be used for any other reason.
- Data minimisation – Controllers should only collect the minimum amount of data needed to accomplish their task.
- Accuracy – Data should be accurate and precise.
- Storage limitation – After collection, data cannot be held indefinitely (though different rules apply for medical data). Instead, it should not be held longer than needed to accomplish the goals of processing.
- Integrity and confidentiality – Data should not be accessed by unauthorised personnel or seen by unnecessary individuals.
- Rights of the Data Subject
Under GDPR, the individual whose data is being collected (termed the “data subject”) has rights. Controllers have an obligation to respect these rights. As a result, it is important that anyone who has direct contact with data subjects is aware of these rights and knows how to accommodate them.
- Right of access – After collection, data subjects must be able to access their data or obtain copies without undue delay.
- Right to object – Even after their data has been collected, data subjects can object to how their data will be used. They can also prevent further processing, but cannot undo any processing that has already been done.
- Right to restrict processing – If desired, data subjects can request that their data is not processed in certain ways after collection.
- Right to rectify – If it is found that there was a mistake in data, data subjects can request it be modified.
- Right to data portability – This goes hand-in-hand with the right to access. Data subjects should be able to obtain copies of their data in easy-to-read, digitally compatible formats.
- Right to complain – Should a data subject be dissatisfied with their treatment by the controller, or not feel that their data is being handled in a GDPR-compliant manner, they can complain to the relevant supervisory authority.
- Right to erasure – Also known as “the right to be forgotten”, data subjects can request that controllers delete all copies of their data.
- Right to representation – If the data subject lodges a complaint, they have the right to be represented by a not-for-profit body.
- Responsibilities of the Controller
The body that oversees the collection and processing of data, termed the “controller”, must be GDPR compliant to avoid penalties. They have a number of responsibilities that primarily relate to protecting data and the rights of the data subject.
- Modality of data – To complement the data subject’s right to portability, the controller must ensure that data is easily accessible and can be transferred on a wide variety of platforms.
- Transparency – From the moment that they engage with the data subject, the controller must ensure they are entirely clear about the purpose of data collection, how it will be processed and the duration of time for which it will be stored.
- Accountability – The controller must keep clear and detailed records of all the measures they take to be GDPR-compliant. They must also be able to demonstrate the policies they have in place to ensure GDPR compliance across the organisation.
- Accommodate the rights of the data subject – The controller is obliged to make sure that the data subject’s rights are being provided for and respected. Part of this involves informing the data subject of their rights before data collection begins.
- The Role of the Processor
The controller dictates how data will be collected and subsequently processed. However, they are not usually the ones responsible for the actual task of processing. Instead, a third party is contracted to carry out the process. Like controllers, processors must be GDPR compliant.
- Data processing – This involves any action taken on the data. The data subject’s rights must be respected in the same way that they are respected by the controller.
- Data security – Processors must ensure that, whilst the data is in their possession, it is safeguarded from unauthorised access.
- Contracts – The processor usually enters a contractual agreement with the controller that stipulates what they can do with the data. This must provide all the information necessary for the processor to carry out their job.
- Collecting Personal Data
Collecting data can be seen as the first step in data processing. This must be done in accordance with GDPR, so any employee involved with collecting data, either through designing surveys or speaking with data subjects, must know how to correctly collect data.
- Informed Consent – Before any data can be collected, informed consent must be obtained from the data subject. Some demographics, such as minors, cannot give consent, or must do so via a legal guardian. Thus, anyone collecting personal data – especially in these cases – must know what informed consent entails.
- Providing information – A large component of informed consent is ensuring the data subject has enough information to be able to decide whether or not they agree with how their data is being processed. Comprehensive information regarding how data will be used must be provided to the data subject before collection begins.
- Unusual cases – In some situations, data subjects will not have to give consent. This usually means that they have already given consent, though there are other cases that are exempt from the usual rules.
- Automated collection – Online surveys and monitoring software have become important tools in data collection. However, it can be difficult to ensure an individual has given informed consent when collecting data in this way. If the decision has been made to collect data automatically, those involved should be trained in how to do this in a GDPR-compliant manner.
- GDPR Password Requirements, Safeguards and Security
This is the crux of GDPR – ensuring that, after data has been collected with informed consent, it is properly stored and safeguarded. This means protecting it from both accidental and deliberate breaches, and having measures in place to ensure that if a cyberattack occurs, the minimum possible damage is done.
- Technical safeguards – Technical safeguards include, but are not limited to, passwords, encryption, and two-factor authentication. GDPR does not give details on any specific password requirements, though passwords are generally considered a core component of data security. The same goes for encryption – it is essential that some form of encryption is in place, but GDPR lacks detail on the specifics.
- Administrative safeguards – Regardless of the other safeguards in place, in the absence of coherent and comprehensive policies that span the entire organisation, data will often be vulnerable. There should be good channels of communication across the organisation, as well as policies in place to deal with a breach if it occurs.
- Physical safeguards – These are an often-overlooked but important means of protecting data. Examples include a clear-desk policy and ensuring that portable devices are safely stored in a locked drawer.
- Maintaining records – The nature of any data collected should be recorded, along with why it was collected and any legal basis for collection. Records should be kept in an easily accessible format.
- Dealing with a data breach
Data breaches are an inevitable consequence of the digital age. Whether they are the consequence of cyber-attacks or human error, controllers must be ready to deal with the consequences of a data breach if one occurs. This is particularly true of senior, managerial staff within the organisation.
- Supervisory authorities – All EU Member States must assign one supervisory authority that oversees the enforcement of GDPR compliance. This is also the body that deals with data breaches and decides the necessary course of action when one occurs. Supervisory authorities are also responsible for levying penalties against the negligent controller.
- Timeframes – After a breach is discovered, the controller or processor has just 72 hours to report it to the relevant supervisory authority. The report should contain as much information as possible.
- Data subjects – Usually, the data subjects that have been affected by the data breach must be notified. There are some exceptions to this rule, thus those who are involved in dealing with data subjects and mitigating the consequences of any data breaches must be trained in deciding the course of action to take.
- Data Privacy Officer
It is highly recommended that all controllers appoint a Data Privacy Officer (DPO). These are people tasked with ensuring GDPR compliance across the organisation, and should be the main point of contact for data subjects unsure about how their data is being used.
- Monitoring compliance – Any activity that involves private data must be highlighted to the DPO so that they can monitor its activity. Additionally, before any action is taken regarding collecting or processing data, it must be checked by the DPO.
- Other roles – Aside from monitoring activities, the DPO is also responsible for educating staff on the importance of GDPR and best practices to achieve compliance. They must also be able to communicate GDPR policies to all employees, and support employees in their roles.
- Data Protection Impact Assessments
A DPIA (Data Protection Impact Assessment) should be regularly carried out to ensure continued GDPR compliance within the organisation. Ideally, those carrying out the DPIA would be in close contact with the DPO to ensure that it accounts for all levels of organisational activity and is kept up-to-date with recent advancements.
- New technologies – The DPIA must be able to assess whether the practices employed by the controller are suitable given recent advancements in technology. This may include advancements in how data is processed or collected, or even in how cyberattackers can access data. Careful assessments should be conducted before any new technology is used.
- Risks to data – The DPIA should be able to identify anything that threatens the integrity of private data. This will then enable those designing policies across the organisation to do so in a way that best protects data.
- Supervisory authorities – Should a risk be identified, the controller must consult with the supervisory authority before further processing can take place.
- Consequences of non-compliance
GDPR establishes a number of penalties that can be levied against the negligent body if they are discovered to be GDPR non-compliant.
- Fines – Administrative fines of €10-20 million, or 2-4% of the controller’s annual financial turnover, can be issued against the negligent party. The extent of these penalties is decided by the supervisory authority.
- Member state penalties – EU Member States can decide how exactly the aforementioned fines will be administered in their country. They may also decide to apply other penalties for GDPR non-compliance.
- Compensation and Legal Sanctions – The data subject has the right to seek compensation for material or non-material damage sustained as a result of GDPR non-compliance. They also have the right to seek a judicial remedy to the case.
GDPR remains frustratingly vague on its training requirements for employees involved in handling data. However, it is clear – even from the complexity of the document – that some degree of training is needed. This should be tailored to the needs of each employee and kept up-to-date. Ideally, training sessions will be short and occur at regular intervals. This keeps the information fresh in the minds of employees and helps to prevent incidents of GDPR non-compliance.