GDPR – Your People Are Your Best Defence

The General Data Protection Regulation (GDPR) becomes law on 25th May 2018. Yet many organisations have still not addressed one of the biggest risks: training their staff.

Elizabeth Denham, the UK’s Information Commissioner, said: “Staff are your best defence and greatest potential weakness”. She also believes that “regular and refresher training is a must” for all organisations.

Despite the fact that a serious breach in data protection will carry a maximum fine of €20 million, or 4% of turnover (whichever is greater), a recent survey for the UK government found that only 20% of companies that are aware of the new GDPR laws have instigated staff training.

This leaves many companies potentially vulnerable: they won’t be helping their cause if a breach occurs and they are subsequently forced to admit that they haven’t trained their people.

So, your first priority is to provide all your current employees with GDPR training now. They need to understand what data needs protecting, how to do this and what their responsibilities are. Effective training will allow them to confidently spot risks and prevent data breaches.

Whilst it is tempting to leave training of your lower-level data users until last, simply because they don’t have special data responsibilities, this could prove to be a costly mistake. Anyone and everyone who deals with personal data is a potential risk to your business. So do not leave training “the masses” until it’s too late. Provide training that fits easily into their busy working day so they can learn and practise what they need to know and do.

And remember, 25 May is just the start. Good habits develop over time, and the initial training you provide will require reinforcing and updating if a culture of compliance is to be built. Indeed, Elizabeth Denham referred to GDPR compliance as “an ongoing journey” and “an evolutionary process for organisations”. So ongoing training for GDPR should be seen as a necessity, not an option.

Any new recruits will also have to be trained on GDPR quickly, meaning such training should now be a part of your induction programme.

The good news is that providing GDPR training and refresher training does not have to be time-consuming or costly. Online GDPR training is a time- and cost-effective way of delivering both initial GDPR training and the learning reinforcement that ensures your employees retain their knowledge over time.

Like any other responsible business, we are training our people to get them GDPR ready. If you haven’t yet, then it is time for you to act now!