The General Data Protection Regulation, better known as GDPR, came into effect on May 25, 2018 and part of the requirements for compliance is the provision of GDPR training to all employees who are required to handle the data of EU data subjects. Even though the end of the two-year grace period for complying with GDPR has passed, a survey conducted by Cordium revealed just 2% of financial organizations felt that they were ready to deal with the new privacy regulations.
GDPR unites privacy legislation across the EU. It also applies to any company based outside of the EU that handles the personal data of EU citizens. GDPR is extensive and complex. It would be near-impossible to task any employee with complying without providing formal training on the requirements of the legislation, and it is also essential for all employees who deal with personal data to understand GDPR so they can can comply with its requirements as they complete their daily work routines.
Organizations involved in data processing are tasked with ensuring their staff has adequate training. However, the legislation itself gives little information about what form this training should take. Here we outline some recommendations for a core training course, suitable for a broad range of employees.
What Happens if Employees Aren’t Trained?
If employees are not adequately trained and a data breach occurs or GDPR is otherwise violated, there could be severe consequences. Not only is it likely that a data subject’s privacy has been violated, if personal information is stolen it culd be used for a wide range of nefarious purposes. If the data subject sustains either material or non-material damage because of this, they may seek compensation from the controller.
The controller may face additional consequences: Fines of up to €20 million, or 4% of the controller’s financial turnover, can be levied against them. There are few guidelines regarding such fines, aside from setting limits. GDPR does not advise supervisory authorities about what fines should be issued for specific violations but a fine anywhere up to the maximum is a possibility.
If a data breach is particularly severe, legal action may be taken against the controller.
What is an Ideal GDPR Training Course?
GDPR courses should vary depending on the activities of individual employees or groups of employees. However, there are some core elements of GDPR that should be covered with every employee.
Ideally, training should be regular and require some level of assessment to ensure information has been retained and individuals know how GDPR principles must be applied.
- Introduction to GDPR and the Geographic Areas of Where it Applies
It is logical to start with some time spent on introducing the legislation. This takes a broad view of GDPR, and should form the basis of any course regardless of who is taking it. However, the course should not focus on the history of GDPR and data protection in the EU. Instead, just present information that’s relevant to current policies.
- GDPR terminology – GDPR terminology is a common source of confusion. After introducing the legislation, define some key terms (e.g. “controller”, “processor”, “data subject”).
- Where GDPR applies – Though GDPR is EU legislation, it applies anywhere the data of EU citizens is being collected or handled. Thus, any employee that handles such data should be made aware of the geographical reach of GDPR.
- The need for GDPR – Though it may seem obvious, many may see GDPR as an “unnecessary” hurdle when dealing with data. Thus, it is important to emphasize why GDPR is needed and the consequences for personal privacy if it is ignored.
- Introduction to data protection – This can include a brief overview of the mechanisms of data protection (e.g. physical and administrative safeguards), as well as the means of integrating data protection into the daily workflow.
- Applicability of GDPR – There are some situations in which GDPR doesn’t apply (e.g. when there is a threat to national security). Though rare, employees should be made aware of these situations so they know how to deal with them when they arise.
- Principles of Data Protection
The protection of private data is the primary principle underlying all of GDPR. Thus, it is important that employees gain a thorough understanding of the nature of private data, and the means to protect it, via training. There are several Principles of Data Protection outlined in GDPR, detailed briefly below.
- What is private data?– There are many categories of private data, ranging from typical identifiers such as name and address to “special categories” of data, such as race or gender. These data classes are handled differently and their different treatment should be explained.
- Lawfulness, fairness and transparency – The first Principle of Data Protection is employees must ensure there is a legal basis for processing data and that such processing is done in a fair and transparent manner. This can involve providing adequate information to the data subject before processing begins.
- Purpose limitation – Data should only be processed for the pre-defined use, as agreed with the data subject. However, there are some exceptions to this rule.
- Data minimization – Only data required for the pre-arranged purpose should be collected, and no more.
- Accuracy – Any data collected should be accurate.
- Storage limitation – Data cannot be held indefinitely. Unless it is medical data, it should not be held for longer than required to achieve the purpose for which it was collected.
- Integrity and confidentiality – Data must be protected from unauthorized access and not be shared with unauthorized individuals.
- Core Rights of the Data Subject
GDPR awards the individual whose data is being collected – the data subject – a number of rights. These must be respected, thus it is imperative that all employees that deal with the personal data of data subjects are made aware of them.
- Right of access – Data subjects must be able to access any data that has been collected, or obtain copies of the data from the controller and/or processor.
- Right of rectification – Should the data subject find inaccuracies in the data, they retain the right to correct their data.
- Right to object – After data collection, data subjects can object to how their data is being handled and halt further processing.
- Right to restrict processing – Data subjects can request that their data is not processed in a certain way or prevent further processing.
- Right to erasure – Data subjects can ask that their data is deleted by the processor at the earliest possibility.
- Right to data portability – Data subjects have the right to access their data in a digital format compatible with a variety of devices.
- Right to complain – If they are dissatisfied with how their data is being handled, or feel that their rights are not respected, data subjects have the right to complain to a supervisory authority.
- Right to be represented – When lodging complaints, data subjects have the right to representation by an independent, not-for-profit body.
- Responsibilities of the Controller
The controller – the body that oversees data processing – has a number of responsibilities under GDPR. These primarily relate to GDPR compliance, and maintaining the integrity of private data, though they also concern protecting the rights of data subjects.
- Transparency –The controller must be clear from the beginning about how they will process data, how it will be stored and for how long they will hold on to data.
- Modality of data – Controllers must ensure that data they collect can easily be transported to other organizations if needed.
- Accountability – The controller must be able to provide evidence that they are GDPR-compliant. This can come in the form of records, contracts and policies that have been put in place across the organization.
- Provide for the rights of the data subject – The controller must ensure that data subjects have the capacity to act on any of their rights as laid out by GDPR. For example, they must provide clear information to data subjects regarding complaint procedures.
- Collecting Data
It goes without saying that data should be collected in a GDPR-compliant manner, but what this entails can be confusing for staff. Thus, any staff member directly involved in designing data collection measures, or that collects data directly, should be trained on data collection.
- Providing information to the data subject – Before any data is collected, the data subject must be adequately informed about their rights, the purpose of processing data and how their data will be dealt with after use. If collecting in person, employees should be prepared to answer any questions the data subject may have.
- Automated vs manual collection – It is increasingly common that data subjects will submit data via online forms or similar digital means. This automated collection must follow the same rules as manual collection, though how data subjects are informed of their rights is different.
- Exemptions to the rule – There are some exceptions to the normal rules of data collection, e.g. when a data subject has already been informed. However, to avoid GDPR non-compliance, employees should be informed about how exactly to deal with these situations.
- Consent – It is imperative that all data subjects give informed consent when their data is being collected. Yet, some groups – namely children – cannot legally give informed consent. Thus, employees should be trained on the age limits of consent and when the consent of a legal guardian is required.
Storing and Processing Data – GDPR Password Requirements and Safeguards
After collection, data must be stored in a GDPR-compliant manner. This means that all necessary safeguards must be in place to prevent unauthorized personnel from accessing it – regardless of their intent. Of course, when data processing occurs, similar safeguards should be in place. It is also important for employees to continue to respect the rights of the data subject at this stage.
- Encryption – Encryption is a key technical safeguard when storing or transmitting data. It ensures that, even if unauthorized personnel access data, it cannot be read. It is imperative that those tasked with storing personal data use encryption.
- Passwords – Passwords are another essential component of the technical safeguards needed to protect personal data. GDPR password requirements are vague, though it is imperative that some system of password protection is in place and password policies are set.
- Physical safeguards – Though many will focus on technical safeguards, the importance of physical safeguards cannot be underestimated. These should be communicated to all employees, and include clear desk policies and locking cabinets containing physical data and securing portable devices.
- Administrative safeguards – Administrative safeguards can include having a clear chain of command when communicating data and also ensuring proper policies are in place to prevent data breaches.
- Legal basis for processing – For processing to be GDPR-compliant, there must a sound legal basis for it and other activities. There are six legal grounds for processing, including tasks of public interest and the attainment of prior consent.
- Maintaining records – As previously mentioned, data should be encrypted when it is being stored. Records should be easily accessible, accurate, and transferable to other controllers if necessary.
- Dealing with a Data Breach
Regardless of how good company policies are, data breaches will sometimes occur. This is especially true when considering the recent increase in cyber-attacks. Managerial staff within an organization should be trained on dealing with data breaches.
- Time frames – From the time a breach is discovered, the controller and/or processor has 72 hours to report it to a supervisory authority. Ideally, the supervisory authority will receive information on the nature of the breach, the type of data involved and how many people were affected within 72 hours.
- Supervisory authorities – GDPR stipulates that all member states have one or more independent supervisory authorities who oversee GDPR enforcement and deal with any data breaches, should they occur. These authorities will then decide the course of action, as well as any penalties that may be levied against the controller.
- Informing the data subject – If a data breach occurs, all those affected must be notified. Similarly to the supervisory authority, the data subject should be told about the nature of the breach, the information exposed, as well as any risks it poses to their privacy.
- Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) should be conducted in order to guide policies regarding data privacy. They should be conducted in alliance with the DPO (see below) and be comprehensive. DPIA should be conducted regularly to be kept up-to-date with recent technology advancements.
- Privacy risks – To adequately protect data, employees must know of any risks facing it. These should be identified via regular audits of data processing within the organization.
- New types of processing – DPIA should be conducted regularly, especially given the recent advancements in technology. Such advancements may include new means of processing data. Each of these new technologies should be carefully evaluated before use.
- Prior consultation – If the DPIA indicates there may be some risk to data, the controller must consult with the relevant supervisory authority. They will then receive advice on how to deal with the situation, and act upon it before processing can begin.
Data Protection Officer
Each controller should appoint a Data Protection Officer (DPO) to oversee GDPR compliance within the organization. The DPO should be the main point of contact for any employee in the company unsure of the correct course of action, or for data subjects wanting to contact the controller regarding their own data.
- Roles of a DPO – There are three main roles of a DPO: Educating, advising and supervising. The DPO should be able to effectively communicate GDPR to employees across all levels of the organization, as well as offer advice on the best course of action when dealing with different situations. Thus, there must be clear channels of communication across the organization to facilitate this.
- Monitoring compliance – Importantly, the DPO must monitor activities within the organization to ensure there are no GDPR breaches – intentional or otherwise. The DPO must be able to act independently of the controller in order to achieve this task.
- The Role of the Processor
Though the controller oversees data processing, and uses the results of the processing, they will often contract a third party to carry out the actual task. These processors must adhere to GDPR and also do their utmost to ensure data privacy.
- Data security – Similarly to controllers, processors must ensure that all data is adequately secured through a variety of measures.
- Data processing – Data must be processed in a GDPR-compliant manner. The same restrictions on how data can be used apply to both the controller and the processor.
- Contractual obligations– Any processing activities should be governed by a contract between the controller and processor that establishes all the details of any processing. The contract must also ensure the continued privacy of the data, whilst providing the necessary information to the processor to allow the processing of data.
Penalties for Non-Compliance
Without suitable penalties, it could be expected that the rate of GDPR compliance would be very low. Thus, there are a number of penalties in place to encourage compliance with the policies.
- Administrative fines – There are hefty penalties in place for GDPR non-compliance: Fines up to €20 million can be levied against the negligent party, or 4% of their global turnover, whichever is higher. The exact amount of a fine in any one situation is determined by the supervisory authority.
- Compensation for data subjects – As previously mentioned, data subjects have the right to seek compensation if they sustain damage from a controller’s GDPR non-compliance.
- Member State penalties – In addition to the fines described above, EU Member States also have the right to decide how the administrative fines will be applied in their country. They may also establish other penalties for non-compliance.
- Legal sanctions – In some cases, judicial remedies to GDPR infringements will be sought. Proceedings will be carried out where the controller or processor has an establishment within the EU. If that is not possible, proceedings will occur in the Member State where the data subject resides.
GDPR is a complex piece of legislation with far-reaching consequences. Thus, it is important that employees are adequately trained in all relevant aspects of GDPR. Training should be brief and regular, and the contents of all courses should be kept up-to-date with any changes to the legislation and new best practices.
GDPR Training FAQs
Under the principles of data protection, how is it possible to tell if data collected is accurate?
What this principle means is that data has to remain unaltered from when it was collected, unless permission is given or a request is made by the data subject for the data to be altered. Therefore, this element of GDPR training should explain the mechanisms implemented to ensure the integrity of data and why they are important.
Is it really important that every employee is trained on data subjects´ rights?
It is important that every employee that deals with, or have access to, personal data is aware of data subjects´ rights and the processes for data subjects to exercise their rights. This is to prevent the unlawful alteration or destruction of personal data, and the unauthorized disclosure of personal data to a third party.
With regards to collecting the data of children, what is the GDPR age of consent?
The default GDPR age of consent is 16 years of age. However, EU member states have the right to amend this limit via domestic legislation – and many have. Countries such as Belgium, Denmark, and the UK are among nine member states that have set the age of consent at 13 years of age, six states have set the age of consent at 14 years of age, and three states have reduced the default GDPR age of consent by one year.
Are there exceptions to the data breach reporting requirements?
There are exceptions when it can be proven a loss of data, the unlawful alteration of data, or an unauthorized disclosure of data does not “pose a risk to the rights and freedoms of natural living persons”. In these circumstances, it has to be documented why there is no possibility that data subjects might suffer economic or social damage, reputational damage, or financial loss – an unlikely scenario in a data breach situation.
Is it essential for every organization to appoint a Data Protection Officer?
Only certain types of organizations, or organizations involved in certain types of data processing, “have” to appoint a Data Protection Officer. However, organizations who fall outside of this requirement are advised to delegate responsibility for GDPR compliance to an independent individual who can either be an existing employee or a third party.