In any organization, big or small, our people are our greatest asset. From a compliance perspective, we might sometimes be tempted to think of our people as a risk. After all, a high proportion of data breaches and violations of data laws occur when employees make mistakes.
Many of these mistakes could be prevented with improvements to the training provided. Train people well and they’ll become your eyes and ears on the ground. An effective training program will equip people with the necessary knowledge and skills to switch a potential risk into a real advantage.
Data protection laws, like the European Union and United Kingdom General Data Protection Regulation (GDPR) and California Consumer Privacy Act, require organizations to provide adequate training and awareness activity for employees who handle personal data. I’d argue that we should go beyond “adequate” and tailor our training programs to help our people understand how these laws apply to their specific roles, whatever they are.
Research on training provided
The Data Protection Network’s Privacy Pulse Report of data protection and privacy professionals found that the message about the need for data protection training had landed. Eighty percent of responders said their businesses had delivered data protection training within the last 12 months.
But is the quality and relevance of this training good enough for people to really get to grips with the data they use in their day-to-day roles? Is it sufficient to enable them to recognize weaknesses and change their behaviors?
The survey revealed that while some organizations provide training tailored to specific business areas or job roles, these were in the minority. The lion’s share of training was delivered through generic online courses.
Why should we adopt tailored training?
Data protection law is complex and nuanced. This complexity grows when you’re handling the data of people from different jurisdictions around the world. A vanilla “one-size-fits-all” generic training solution can only take you so far. This may be suitable for some, but more is needed for those who use personal data regularly in their roles.
People from various business areas need varying levels of data knowledge to do their jobs. Some business areas will have their own distinct data challenges. How data protection law applies practically to different roles will vary enormously. Marketing teams need a distinct skill set for operations, as do people in human resources (HR) or customer service teams.
What does “good” look like?
A great way to start is to collaborate with key business functions or teams to get under the skin of what they do with data and identify which areas of the data protection law are most relevant to their roles. Here are a few examples:
HR teams have a completely different set of priorities for how they compliantly handle people’s data. They need to understand how data laws apply to the range of data tasks they carry out for employment purposes and for recruitment, such as diversity, onboarding, conducting appraisals and personal development plans, handling health and sickness data, employee communications, and so on.
Procurement teams need to understand the difference between controllers, processors, and joint controllers. They must recognize what good supplier due diligence for data protection looks like.
Customer service teams need to have the proper knowledge to handle privacy-related queries from members of the public.
Consider the audience and judge what style of training delivery would work best. There are many options: a straightforward presentation, a specific online module, or a workshop-style session where participants don’t just come to listen but actively take part in group work. A workshop should get them to think hard about how the data protection principles and other aspects of law apply to their roles.
Wherever possible, include relevant examples, case studies, regulatory fines, and exercises to illustrate what good and bad practices look like.
Successful training will embed core messages and encourage people to make positive changes or at least be more diligent about their data handling and sharing of personal data.
Go the extra mile to help them manage personal data securely, responsibly, and ethically.
Getting the balance right
Clearly, bespoke training for everyone—especially in a big organization—could become too time-consuming and costly. It often works best to take a balanced and pragmatic approach when deciding which business areas or job roles would benefit most from tailored training.
It can pay to focus on the areas which have the greatest exposure to personal data risks. Target the training to influence and mitigate those risks.
Where do the biggest risks lie within your business? Is it marketing, sales, supplier management, or privacy rights requests? Not everyone needs to understand the intricacies of carrying out a risk assessment, such as a Data Protection Impact Assessment (DPIA). But are the people you want to conduct DPIAs equipped with the skills to do them effectively? Which roles or teams need to understand the complexity of international transfers?
If you are receiving growing volumes of subject access requests, the people responsible for handling them will need in-depth training on the nuances entailed.
The focus will naturally depend on the dynamics of the specific organization: the sectors it operates in, whose data is handled, the sensitivity of the data, and the activities undertaken.
Remember inductions and refreshers
Most businesses include an element of data protection training as part of their new starter induction program. Certainly, regulators would expect data protection training to be done swiftly before new employees are let loose to handle personal data.
Along with an ongoing program to raise awareness, regular refresher training is vital. It’s an opportunity to remind people of the core principles and considerations they need to keep top of mind.
It’s easy to let this lapse, but as we’ve seen from regulatory action, authorities often question what staff training was in place. Training can help you meet your GDPR accountability requirements.
Making sure people have appropriate knowledge and skills is one of the best ways to reduce the risk of a data breach or other violations of data protection law.
In our experience, businesses gain huge benefits and peace of mind from taking the time to pass on specialist knowledge to others.
Just like any successful communication, it’s far more effective when you put your audience front and center and tailor the message to meet their needs.
Our people are our greatest asset. It pays to invest the time and train them well. With the proper knowledge, they can prevent a minor problem from turning into a big one.
Certain teams across the business will benefit hugely from bespoke data protection training tailored to meet the needs of their day-to-day roles.
We recommend that you focus your learning and development efforts on the teams with the greatest exposure to data risk.
Adapt the content and style of delivery depending on your audience. Whatever the format, try to make it engaging!
Don’t forget induction training for new employees and regular refreshers.