Thursday, 16 May 2019

ICO highlights importance of staff training on data protection

The accountability principle of the General Data Protection Regulation (“GDPR”), which was not a feature of its UK predecessor, the Data Protection Act 1998, puts new impetus behind the need for organisations to train their staff in data protection.

The principle requires organisations not only to be responsible for complying with the GDPR, but also to demonstrate their compliance by establishing appropriate technical and organisational measures. These include the implementation of a comprehensive training programme and data protection policies as well as the adoption of a “data protection by design and default” approach, among others.

A shiny new set of data protection policies is of limited use if staff who process personal data aren’t aware of them or trained in their implementation. After all, an organisation’s employees are pivotal in ensuring that the organisation complies with the data protection rules. Raising staff awareness of data protection issues is a fundamental part of an organisation’s overall data protection system and its compliance with the accountability principle and data protection by design and default obligations under the GDPR.

Staff training should build on your organisation’s data protection policies and guidelines as well as on the outcome of your data protection audit and data-mapping exercises. When staff are not trained in this way, it can lead to significant harm to the organisation, as Henry Ford indicated a century ago when he said, “The only thing worse than training your employees and having them leave is not training them and having them stay.”

In the worst cases, where a serious data protection issue has arisen and the Information Commissioner’s Office (ICO) has been informed, the regulator has made it clear that it will pay careful attention to any gaps in training and lack of awareness that it unearths.

In April 2019, the ICO tweeted, “Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”

Our experience of assisting clients to handle data protection breaches and near-miss incidents is that insufficient training is almost always involved, with further training being required to remedy issues.

What should you do to improve your data protection training programme?

  • For a successful data protection programme, senior management need to demonstrate their commitment to a training programme and indeed to data protection compliance generally. If those at the top aren’t publicly invested in the importance of data protection within the organisation, it’s unrealistic to think that employees won’t adopt the same attitude.
  • With this buy-in from the top, your organisation can ensure that it has a robust set of data protection policies and procedures in place.
  • The next step is to raise awareness of these policies and procedures, highlighting specific data protection issues that affect particular members of your staff and helping to address particular problems or challenges that they may face. This could include, for example, general advice-focussed training sessions on topics such as data protection compliance and data security. Alternatively, it could involve more bespoke, lengthier workshops on specific areas such as:
    • What to do if a breach occurs, sanctions for non-compliance and how to handle investigations and liaisons with the ICO and other regulators.
    • How to handle a subject access request (SAR) or other individual rights requests.
    • Handling human resources/personnel issues.
    • Ensuring that marketing and communication campaigns are compliant.
    • Challenges encountered by customer service agents when handling calls.
    • Compliance when outsourcing to third-party processors and cloud services.
    • Ensuring compliant international data transfers directly or when sub-contracting.
    • Performing data-mapping exercises, data protection audits and data protection impact assessments (DPIAs).
    • Ensuring effective data retention and destruction.
    Raising awareness is an ongoing process, so organisations should seek out their most creative teams to implement a data protection awareness campaign that engages staff effectively. Such a campaign should include not just face-to-face training and e-learning packages, but also targeted reminders via intranet messages, emails, newsletters or even posters in communal staff areas.
  • The other element of raising awareness is ensuring that staff who handle personal data are trained at appropriate levels in the organisation’s data protection policies and guidelines. This could be through instructor-led, face-to-face training and workshops, e-learning courses or a combination of these and other approaches. It may even be a good idea to include a quiz or test as part of the training to provide evidence that the staff member understood what was being discussed.
  • Finally, going back to the ICO’s comment about evidence, organisations must track what training has been carried out and which staff have attended. It will also be important to know yourself – and to be able to demonstrate to the ICO on request – what your plan is for catching up staff who have been absent, such as new starters or those on maternity or other types of leave.

Here at Pritchetts Law, we are experts in data protection training. Not only do we provide training and workshops for our own clients in-house, but Stephanie is also a tutor on many public courses run by PDP, the leading provider of professional training courses in information management and compliance.

We regularly advise on data protection audits and data-mapping exercises large and small, as well as assisting organisations with DPIAs. We often uncover areas of potential non-compliance or near-misses that require bespoke data protection policies and guidelines, which we can follow up with bespoke data protection training and workshops if required.

If you need help with any aspect of training your staff in data protection, or indeed any other aspect of data protection compliance, please get in touch.
