In any organization, big or small, our people are our greatest asset. From a compliance perspective, we might sometimes be tempted to think of our people as a risk. After all, a high proportion of data breaches and violations of data laws occur when employees make mistakes.
Many of these mistakes could be prevented with improvements to the training provided. Train people well and they’ll become your eyes and ears on the ground. An effective training program will equip people with the necessary knowledge and skills to switch a potential risk into a real advantage.
Data protection laws, like the European Union and United Kingdom General Data Protection Regulation (GDPR) and California Consumer Privacy Act, require organizations to provide adequate training and awareness activity for employees who handle personal data. I’d argue that we should go beyond “adequate” and tailor our training programs to help our people understand how these laws apply to their specific roles, whatever they are.
Research on training provided
The Data Protection Network’s Privacy Pulse Report, a survey of data protection and privacy professionals, found that the message about the need for data protection training had landed.[1] Eighty percent of respondents said their businesses had delivered data protection training within the last 12 months.
But is the quality and relevance of this training good enough for people to really get to grips with the data they use in their day-to-day roles? Is it sufficient to enable them to recognize weaknesses and change their behaviors?
The survey revealed that while some organizations provide training tailored to specific business areas or job roles, these were in the minority. The lion’s share of training was delivered through generic online courses.
Why should we adopt tailored training?
Data protection law is complex and nuanced. This complexity grows when you’re handling the data of people from different jurisdictions around the world. A vanilla “one-size-fits-all” generic training solution can only take you so far. This may be suitable for some, but more is needed for those who use personal data regularly in their roles.
People from various business areas need varying levels of data knowledge to do their jobs. Some business areas will have their own distinct data challenges. How data protection law applies practically to different roles will vary enormously. Marketing teams need a skill set distinct from that of operations, as do people in human resources (HR) or customer service teams.
What does “good” look like?
A great way to start is to collaborate with key business functions or teams to get under the skin of what they do with data and identify which areas of the data protection law are most relevant to their roles. Here are a few examples:
- Marketing teams often need to understand core data protection principles, the conditions for legitimate interests and consent. They need to know about the right to object, the use of cookies, and how to compliantly approach profiling for marketing purposes. They must fully appreciate how data protection law interplays with legislation covering electronic marketing.
- HR teams have a completely different set of priorities for how they compliantly handle people’s data. They need to understand how data laws apply to the range of data tasks they carry out for employment purposes and for recruitment, such as diversity, onboarding, conducting appraisals and personal development plans, handling health and sickness data, employee communications, and so on.
- Procurement teams need to understand the difference between controllers, processors, and joint controllers. They must recognize what good supplier due diligence for data protection looks like.
- Customer service teams need to have the proper knowledge to handle privacy-related queries from members of the public.
Consider the audience and judge what style of training delivery would work best. There are many options: a straightforward presentation, a specific online module, or a workshop-style session where participants don’t just come to listen but actively take part in group work. A workshop should get them to think hard about how the data protection principles and other aspects of law apply to their roles.
Wherever possible, include relevant examples, case studies, regulatory fines, and exercises to illustrate what good and bad practices look like.
Successful training will embed core messages and encourage people to make positive changes or at least be more diligent about their data handling and sharing of personal data.
Go the extra mile to help them manage personal data securely, responsibly, and ethically.
Getting the balance right
Clearly, bespoke training for everyone—especially in a big organization—could become too time-consuming and costly. It often works best to take a balanced and pragmatic approach when deciding which business areas or job roles would benefit most from tailored training.
It can pay to focus on the areas which have the greatest exposure to personal data risks. Target the training to influence and mitigate those risks.
Where do the biggest risks lie within your business? Is it marketing, sales, supplier management, or privacy rights requests? Not everyone needs to understand the intricacies of carrying out a risk assessment, such as a Data Protection Impact Assessment (DPIA). But are the people you want to conduct DPIAs equipped with the skills to do them effectively? Which roles or teams need to understand the complexity of international transfers?
If you are receiving growing volumes of subject access requests, the people responsible for handling them will need in-depth training on the nuances entailed.
The focus will naturally depend on the dynamics of the specific organization: the sectors it operates in, whose data is handled, the sensitivity of the data, and the activities undertaken.
Remember inductions and refreshers
Most businesses include an element of data protection training as part of their new starter induction program. Certainly, regulators would expect data protection training to be done swiftly before new employees are let loose to handle personal data.
Along with an ongoing program to raise awareness, regular refresher training is vital. It’s an opportunity to remind people of the core principles and considerations they need to keep top of mind.
It’s easy to let this lapse, but as we’ve seen from regulatory action, authorities often question what staff training was in place. Training can help you meet your GDPR accountability requirements.
Final thoughts
Making sure people have appropriate knowledge and skills is one of the best ways to reduce the risk of a data breach or other violations of data protection law.
In our experience, businesses gain huge benefits and peace of mind from taking the time to pass on specialist knowledge to others.
Just like any successful communication, it’s far more effective when you put your audience front and center and tailor the message to meet their needs.
Takeaways
- Our people are our greatest asset. It pays to invest the time and train them well. With the proper knowledge, they can prevent a minor problem from turning into a big one.
- Certain teams across the business will benefit hugely from bespoke data protection training tailored to meet the needs of their day-to-day roles.
- We recommend that you focus your learning and development efforts on the teams with the greatest exposure to data risk.
- Adapt the content and style of delivery depending on your audience. Whatever the format, try to make it engaging!
- Don’t forget induction training for new employees and regular refreshers.