The General Data Protection Regulation, better known as GDPR, came into effect on the 25th May 2018 and GDPR training is now required. However, even at the end of the two-year grace period, according to a survey conducted by Cordium, just 2% of financial organisations felt that they were ready to deal with the new privacy regulations.
GDPR unites privacy legislation across the EU. It also applies to any company based outside of the EU that handles the personal data of EU citizens. As a result, GDPR is extensive and complex. It would be near-impossible to expect an employee without formal legal training to interpret these laws in full; nevertheless, it is essential that all employees dealing with personal data understand GDPR and can apply it in their daily work routine. Human error is not an acceptable excuse if a data breach does occur.
Organisations involved in data processing are tasked with ensuring their staff have adequate training. However, the legislation itself gives little information about what form this training should take. Here we outline some recommendations for a core common training course, suitable for a broad range of employees.
What happens if employees aren’t trained?
If employees are not adequately trained, and a data breach follows, there could be severe consequences. Not only has the data subject’s privacy been breached, but their data could then be sold on the black market. If the data subject sustains either material or non-material damage because of this, they may seek compensation from the controller.
The controller may face additional consequences: fines of up to €20 million, or 2-4% of the controller’s financial turnover, can be levied against them. There are few guidelines regarding such fines; aside from setting limits, GDPR does not advise supervisory authorities on what fines should be paid for specific violations.
If the breach is particularly severe, legal action may be taken against the controller.
So what is an ideal GDPR training course?
GDPR courses will vary depending on the needs of the individual employee. However, there are some core elements of which every employee should be aware.
Ideally, training would be regular and also require some level of assessment to ensure information has been retained and can be applied.
- Introduction to GDPR and the Geographic Span of Where it Applies
It is logical to start with some time spent on introducing the legislation. This takes a broad view of GDPR, and should form the basis of any course regardless of who is taking it. However, the course should not focus on the history of GDPR and data protection in the EU. Instead, just present information that’s relevant to current events and policies.
- GDPR terminology – GDPR terminology is a common source of confusion. After introducing the legislation, define some key terms (e.g. “controller”, “processor”, “data subject”).
- Where GDPR applies – Though GDPR is EU legislation, it applies anywhere the data of EU citizens is being handled. Thus, any employee that handles such data should be made aware of the geographical scope of GDPR.
- The need for GDPR – Though it may seem obvious, many may see GDPR as an “unnecessary” hurdle when dealing with data. Thus, it is important to emphasise why GDPR is needed and the consequences for personal privacy if it is ignored.
- Introduction to data protection – This can include a brief overview of the mechanisms of data protection (e.g. physical and administrative safeguards), as well as means of integrating data protection into the daily workflow.
- Applicability of GDPR – There are some situations in which GDPR doesn’t apply (e.g. when there is a threat to national security). Though rare, employees should be made aware of these situations so they know how to deal with them when they arise.
- Principles of Data Protection
The protection of private data is the primary principle underlying all of GDPR. Thus, it is important that employees gain a thorough understanding of the nature of private data, and the means to protect it, via training. There are several Principles of Data Protection outlined in GDPR, detailed briefly below.
- What is private data? – There are many categories of private data, ranging from typical identifiers such as name and address to “special categories” of data, such as race or gender. These data classes are handled differently and their different treatment should be explained.
- Lawfulness, fairness and transparency – Under the first Principle of Data Protection, employees must ensure there is a legal basis for processing data and that such processing is done in a fair and transparent manner. This can involve providing adequate information to the data subject before processing begins.
- Purpose limitation – Data should only be processed for the pre-defined use, as agreed with the data subject. However, there are some exceptions to this rule.
- Data minimisation – Only data required for the pre-arranged purpose should be collected, and no more.
- Accuracy – Any data collected should be accurate and precise.
- Storage limitation – Data cannot be held indefinitely. Unless it is medical data, it should not be held for longer than needed to properly process the data.
- Integrity and confidentiality – Data must be protected from unauthorised access and not be shared with unnecessary individuals.
- Core Rights of the Data Subject
GDPR awards the individual whose data is being collected – the data subject – a number of rights. These must be respected, so it is imperative that all employees that deal with data subjects are aware of them.
- Right of access – Data subjects must be able to access any data that has been collected, or obtain copies of the data from the controller and/or processor.
- Right of rectification – Should the data subject find inaccuracies in the data, they have the right to have the data corrected.
- Right to object – After data collection, data subjects can object to how their data is being handled and halt further action.
- Right to restrict processing – Data subjects can request that their data is not processed in a certain way or prevent further processing.
- Right to erasure – Data subjects can ask that their data is deleted by the processor at the earliest opportunity.
- Right to data portability – Data subjects have the right to access their data in a digital format compatible with a variety of devices.
- Right to complain – If they are dissatisfied with how their data is being handled, or feel that their rights are not respected, data subjects have the right to complain to a supervisory authority.
- Right to be represented – When lodging complaints, data subjects have the right to representation by an independent, not-for-profit body.
- Responsibilities of the Controller
The controller – the body that oversees data processing – has a number of responsibilities under GDPR. These primarily relate to GDPR compliance, and maintaining the integrity of private data, though they also concern protecting the rights of data subjects.
- Transparency – The controller must be clear from the beginning on how they will process data, how it will be stored and for how long they will hold on to data.
- Portability of data – Controllers must ensure that data they collect can easily be transported to other organisations if needed.
- Accountability – The controller must be able to provide evidence that they are GDPR-compliant. This can come in the form of records, contracts and policies that have been put in place across the organisation.
- Provide for the rights of the data subject – The controller must ensure that their data subjects have the capacity to act on any of their rights as laid out by GDPR. For example, they must provide clear information to data subjects regarding complaint procedures.
- Collecting Data
It goes without saying that data should be collected in a GDPR-compliant manner, but what this entails can be confusing for staff. Thus, any staff member directly involved in designing data collection measures, or that collects the data directly, should be trained in data collection.
- Providing information to the data subject – Before any data is collected, the data subject must be adequately informed on their rights, the purpose of processing data and how their data will be dealt with after use. If collecting in person, employees should be prepared to answer any questions the data subject may have.
- Automated vs manual collection – It is increasingly common that data subjects will submit data to the controller via online forms or similar. This automated collection must follow the same rules as manual collection, though how data subjects are informed of their rights is different.
- Exemptions to the rule – There are some exceptions to the normal rules of data collection, e.g. when a data subject has already been informed. However, to avoid GDPR non-compliance, employees should be informed on how exactly to deal with these situations.
- Consent – It is imperative that all data subjects give informed consent when their data is being collected. Yet, some groups – namely children – cannot legally give informed consent. Thus, employees should be trained in the age limits of consent and when the consent of a legal guardian is an adequate substitute.
- Storing and Processing Data – GDPR Password Requirements and Safeguards
After collection, data must be stored in a GDPR-compliant manner. This means that all necessary safeguards must be in place to prevent unauthorised personnel from accessing it – regardless of their intent. Of course, when data processing occurs, similar safeguards should be in place. It is also important that employees continue to respect the rights of the data subject at this stage.
- Encryption – Encryption is a key technical safeguard when storing data. It ensures that, even if unauthorised personnel access data, it cannot be read. It is imperative that those tasked with storing personal data use adequate encryption.
- Passwords – Passwords are another essential component of the technical safeguards needed to protect personal data. GDPR password requirements are vague, though it is imperative that some system of password protection is in place.
- Physical safeguards – Though many will focus on technical safeguards, the importance of physical safeguards should not be underestimated. These should be communicated to all employees, and include clear desk policies and locking cabinets.
- Administrative safeguards – Administrative safeguards can include having a clear chain of command when communicating data and also ensuring proper policies are in place to prevent data breaches.
- Legal basis for processing – For processing to be GDPR-compliant, there must be a sound legal basis for it and for any related activities. There are six legal grounds for processing, including tasks of public interest and the attainment of prior consent.
- Maintaining records – As previously mentioned, data should be encrypted when it is being stored. Records should be easily accessible, accurate, and transferable to other controllers if necessary.
- Dealing with a Data Breach
Regardless of how good company policies are, data breaches will sometimes occur. This is especially true when considering the recent increase in cyber-attacks. Managerial staff within an organisation should be trained on dealing with data breaches.
- Timeframes – From the time a breach is discovered, the controller and/or processor has 72 hours to report it to a supervisory authority. Ideally, the supervisory authority will receive information on the nature of the breach, the type of data involved and how many people were affected.
- Supervisory authorities – GDPR stipulates that all member states have one or more independent supervisory authorities who oversee GDPR enforcement and deal with any data breaches, should they occur. These authorities will then decide the course of action, as well as any penalties that may be levied against the controller.
- Informing the data subject – If a data breach occurs, all those affected must be notified. Similarly to the supervisory authority, the data subject should be told of the nature of the breach, as well as any risks it poses to their privacy.
- Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) should be conducted in order to guide policies regarding data privacy. It should be conducted in consultation with the DPO (see below) and be comprehensive. DPIAs should be conducted regularly so that they are kept up-to-date with recent advancements.
- Privacy risks – To adequately protect data, employees must know of any risks facing it. These should be identified via regular audits of data processing within the organisation. Addition
- New types of processing – DPIAs should be conducted regularly, especially given the recent advancements in technology. Such advancements may include new means of processing data. Each of these new technologies should be carefully evaluated before use.
- Prior consultation – If the DPIA indicates there may be some risk to data, the controller must consult with the relevant supervisory authority. They will then receive advice on how to deal with the situation, and act upon it before processing can begin.
- Data Protection Officer
Each controller should appoint a Data Protection Officer (DPO) to oversee GDPR compliance within the organisation. The DPO should be the main point of contact for any employee in the company unsure of the correct course of action, or data subjects wanting to contact the controller regarding their own data.
- Roles of a DPO – There are three main roles of a DPO: educating, advising and supervising. The DPO should be able to effectively communicate GDPR to employees across all levels of the organisation, as well as offer advice on the best course of action when dealing with different situations. Thus, there must be clear channels of communication across the organisation to facilitate this.
- Monitoring compliance – Importantly, the DPO must monitor activities within the organisation to ensure there are no GDPR breaches – intentional or otherwise. The DPO must be able to act independently of the controller in order to achieve this task.
- The Role of the Processor
Though the controller oversees data processing, and uses the results of the process, they will often contract a third party to carry out the actual task. These processors must adhere to GDPR and also do their utmost to ensure data privacy.
- Data security – Similarly to controllers, processors must ensure that all data is adequately secured through a variety of measures.
- Data processing – Data must be processed in a GDPR-compliant manner. The same restrictions in how data can be used apply to both the controller and the processor.
- Contractual obligations – Any processing activities should be governed by a contract between the controller and processor that establishes all the details of processing. The contract must also ensure the continued privacy of the data, whilst providing the necessary information to the processor to process the data.
- Penalties for Non-Compliance
Without suitable penalties, it could be expected that the rate of GDPR compliance would be very low. Thus, there are a number of penalties in place to encourage compliance with the policies.
- Administrative fines – There are hefty penalties in place for GDPR non-compliance: fines of €10-20 million can be levied against the negligent party, or 2-4% of their global turnover. The exact amount paid in any one situation is determined by the supervisory authorities.
- Compensation for data subjects – As previously mentioned, data subjects have the right to seek compensation if they sustain damage from a controller’s GDPR non-compliance.
- Member State penalties – In addition to the fines described above, EU Member States also have the right to decide how the administrative fines will be applied in their country. They may also establish other penalties for non-compliance.
- Legal sanctions – In some cases, judicial remedies to GDPR infringements will be sought. Proceedings will be carried out where the controller or processor has an establishment within the EU. If that is not possible, proceedings will occur in the Member State where the data subject resides.
GDPR is a complex piece of legislation with far-reaching consequences. Thus, it is important that employees are adequately trained in relevant pieces of GDPR. Training should be brief and regular, and the contents of all courses should be kept up-to-date with recent advancements in the field.