How your company complies with GDPR has a lot to do with how aware your individual employees are. Your staff doesn’t need to be reminded of the importance of privacy, but they may need better training to understand exactly how to live up to the expectations of data controllers today. We’ll look at three ways to get more out of your training communications.
The more eyes you have on the problem, the more likely the company is to understand it. This is not about lecturing employees, but about asking them to participate in data protection on a regular basis. When employees fall down on their responsibilities, it’s often for a good reason. As they work through new processes, they should feel free to ask questions, raise concerns, and learn the way they want to learn.
This is also a good time to start a dialog about how employees want to learn. We recommend in-person or e-learning courses where there’s a set structure, but some employees do have the skills to master the material on their own. You’ll get a better response if you don’t try to pigeon-hole employees based on blanket generalisations.
Better training also means more time devoted to the matter. Not only do leaders need to develop programmes that address various issues, but the staff also needs time to absorb it all. For better results, try tackling one thing at a time and only when the training programme has been thoroughly vetted.
Remember that change takes time too. Bad habits and misconceptions are generally not solved over the course of one session. The key is to impart that it’s not just IT that has to worry about compliance — it’s every department that handles the data.
From third-party data to reporting to department sizes, your company is unlike any other. Presenting materials that are designed for your general industry may be helpful, but there’s a bigger danger that the information won’t feel relevant to employees.
There are a couple of major caveats here when it comes to customizing your curriculum. If you have a small staff, you’ll obviously have more flexibility to adjust as you see fit. However, it’s also likely that you’ll have more to covers, as a small staff is usually asked to wear multiple hats in their individual positions. If you outsource your training program, it will also cost more per head.
Larger organizations will usually have more time to spare, and their training costs will be more reasonable across the board. However, it’s also difficult to address individual concerns at this level, which can lead to unspoken resentments spread out across the company.
Tailoring your training should also mean setting reasonable goals to see whether the measures are working. For instance, when you assess your vulnerabilities, you might look for at least a 25% reduction after the training. Or you might set a goal to eliminate phishing schemes within the company. If you’re not currently keeping track of those numbers, now is definitely the time to start.
An employee that can quote the General Data Protection Regulation isn’t the goal here. You’re looking to change how employees react in order to avoid potential privacy violations or data leaks. So if your marketing team decides to profile people based on their income, there’s an alert that goes off in everyone’s minds that this project might need a data protection impact assessment (DPIA).
Or if someone in your admin department gets an email with their boss’s name as the sender, the first instinct is not to open it but to verify the email address. A good training programme is essentially connecting the dots between the dry language behind the law and the frenetic activity that your employees face on a daily basis.
Concrete ways to assess behavior come in a variety of forms. You might try to ‘trick’ employees by sending out fake emails to see who opens the wrong file. Or you can also try role-playing. Whether you work with sensitive data once a year or every day, this can be a great way to change how people react in different situations.
Training works best when people have relevant issues to discuss. You might have the staff talk through a past task to see if it could have been handled differently. For example, if the department manager decided that data mapping wasn’t necessary for a third-party migration, they might provide reasons why they made this choice and whether they would still make the same one today. Or the staff could talk about upcoming projects and how they apply (or don’t apply) to GDPR.
The real value behind better training is that you’re taking accountability for your role as a data controller. This is what the Data Protection Authorities are primarily looking for when it comes to compliance. It doesn’t mean that no mistakes are ever made or that no one ever raises a dispute. It does mean that you took multiple steps to keep people protected.
Training first starts with employee awareness. When people know where data comes from and where it goes, they have enough background to evaluate whether certain actions are appropriate. When laws change, it becomes easier to put those changes into context and limits confusion when getting everyone up to speed. It all boils down to more effective operations and more evidence in your favor (in case you ever need it).