So why is staff training so critical for your data protection?

5 Oct 2018 01:48 PM

Blog posted by: Moyn Uddin - Chief Privacy Officer, Cyber Counsel, 05 October 2018.


The much-feared GDPR compliance date has come and gone. You have located the personal data your organization processes and ensured you have a lawful basis for processing it. You have published your privacy notices and the rest of the required documentation. Hopefully, as part of your readiness projects and programmes, you have also provided your staff with at least some basic GDPR awareness training. Indeed, the UK Information Commissioner’s Office’s (ICO) guide “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now” lists raising awareness within the organization about GDPR as the very first step. But what does effective training for all your staff look like?

It is increasingly accepted that to be more resilient to cyber-attacks you need to deliver awareness training to all employees, as well as ensure your wider partner, adviser and supplier network is trained in handling your data. Everyone has a critical role to play in protecting your valuable and sensitive information. With the advent of the GDPR it has become essential to ensure your staff are fully aware of the differences, risks and the consequences of not protecting personal data.

This is where carefully selected, effective training that is appropriate for the target audience is vital. All too often organizations provide ‘tick-box’ online training which has little or no impact on behaviour change – we’ve all experienced it! With so much now depending on protecting personal data, you need to consider a different approach if GDPR training is to achieve anything more than compliance on paper. It needs to be relevant, short, targeted and, most importantly, memorable and engaging. Start by asking: ‘So what do our staff really need to know about GDPR?’ and ‘How can we deliver this learning in ways that engage and interest our people?’ The objective must be to develop, change and sustain behaviours that deliver effective data protection and resilience.

Short, bitesize, scenario-based training that makes GDPR personal is key. Putting the learner in the shoes of the ‘data subject’ and asking ‘What would you do if that was your personal data?’ really can make a difference. Alternatively, use real-life examples of events and interactions, such as accessing government services, online shopping and social media data sharing, and the stories behind real security incidents and data breaches, to make privacy and security matters real for the learner.

Combining this with innovative formats and techniques, and with regular, short, simple refreshers and reminders (perhaps after a near miss or an actual incident), will reinforce the learning and help sustain new behaviours.

In addition, the learning material, presentation methods and content need to be modular, adaptable and part of a continuous learning model. Changes in personal and organizational behaviour should be monitored, with good behaviours rewarded as much as repeated poor behaviours are punished.

As Elizabeth Denham, the UK’s Information Commissioner has said, your staff really are your best defence and your greatest potential weakness. Your frontline staff are your most important data protection asset – please engage them to help them help you.