GDPR: The Importance of Training
A recent EU Commission report has assessed that, two years after implementation, GDPR has successfully updated data protection law for the digital age, having given citizens powerful new rights. But its focus isn’t just on benefits for customers – it also suggests that businesses are benefitting from the opportunities to make the most of the digital revolution, and from adapting to use strong data protection as a competitive advantage.
The report indicates that businesses of all sizes have been promoting respect for personal data as a selling point in local and global markets, often supported by offering services with novel privacy or data security solutions. And these benefits are available to even the smallest firm.
Changes in regulation present challenges, but they often also bring opportunities – in new ways of working and innovation of current practices or USPs. Now that GDPR and the UK's Data Protection Act 2018 are firmly embedded, reviews and audits can double-check that new processes are working well.
While best practice is continually evolving – even the ICO are regularly updating their Guide with revised positions and guidance – any firm can take advantage of the GDPR’s new rules by taking small steps to strengthen their approach to the use of personal data.
Ensuring GDPR is Embedded in Your Firm
There’s a lot of truth in the EU Commission’s report – in a world in which citizens are more aware of their rights than ever, it’s vitally important to make sure that process, procedure and customer outcomes are exactly right. It’s likely that Covid-19 has impacted efforts to audit GDPR this year, so what can firms do to show increasingly informed customers how seriously they take the protection of personal data?
Training is essential, and it delivers a lot of benefits for minimum outlay.
Informed and confident staff will be more likely to notice and be prepared to act on any indicators of breaches, which could save firms the trouble of an investigation, and in the event of a finding, a large fine. Although it will likely be a number of years before we get a full picture of how the ICO deals with breaches, recent cases suggest that it is making full use of the stronger corrective powers that GDPR offers; in summer 2019 the ICO imposed fines on Marriott Hotel Group and British Airways of £99.2m and £183m respectively for breaches of the GDPR.
Regular training can also improve efficiency.
Staff who understand the background to the rules are more able to adapt their communications with customers in a compliant way. Take vulnerable customers, for example. Understanding how to record sensitive personal data – known as special category under the GDPR – and in which circumstances this information can and should be collected avoids breaches and improves efficiency. It also has the added benefit of instilling confidence in a customer who may be feeling fragile, and that in itself goes a long way to improving brand loyalty.
Regular training also demonstrates compliance with data protection legislation.
This can come in very useful if the ICO investigate. Documented staff training is useful evidence that reasonable steps have been taken to prevent breaches, and it gives the authority a good impression that the firm takes the rules seriously.
Repetition helps embed new learnings, so regular training is especially useful in smaller firms that may deal with some aspects of the new rules – such as new subject access request rules – only rarely. The last change to data protection law was in 1998, and so it’s understandable that old habits might die hard, but regular refresher training can help to reinforce the new practices, and avoid any complaints and potential action.
Training should be appropriate for the learner.
Some staff will need a good background in the whys and wherefores of GDPR – especially in the case of those with more seniority – and front-line staff will need some easy-to-understand background to support learning the practical steps they’ll need to apply to customers in a variety of different circumstances. It’s equally important that staff are reminded of the obligation to speak up if they notice a potential problem or breach.
Our online data protection courses can be completed at the learner’s convenience. We have three courses covering data protection:
Our Data Protection and Information Security course delivers the background to applicable legislation and how to avoid security breaches.
Our Understanding Data Protection Regulation courses have two options