GDPR: One Year On
GDPR: ONE YEAR ON
With the anniversary of GDPR looming, so too are many GDPR training certificates expiring. Do you need to do more training? Different training? Or are you able to draw a line under the dreaded GDPR and never think about it again?
Unfortunately, GDPR is here to stay and the ever-increasing threat of data breaches and audits from the Information Commissioner’s Office (the ICO) means compliance should never be far from your mind. Last year, facing a hard deadline, many businesses in the UK were searching for easy, cost-effective ways to be ‘GDPR compliant’ in time for 25th May. But was it enough?
There are many elements to GDPR compliance but in my experience, training is by far the easiest and fastest way to genuinely reduce risk in your business and to prove to the ICO that when you have a data breach (and you will), you take the protection of your client and customer information seriously. Be of no doubt – staff training will be your best defence.
Does it matter what type of training you do?
In a word - yes. Not all training is equal in the eyes of the ICO as Leave EU found out recently. Not only have they been issued two fines, they’re now facing a further ICO audit specifically looking at the types of training which was made available for staff.
Ironically, the House of Commons was heavily criticised by MPs for the provision of what they call ‘ludicrous’ GDPR training from an independent company. The ICO ruled that the training had to be updated, tailored to suit the jobs MPs typically carry out and redone by all those that had already completed it. Truly a case of buy cheap, buy twice.
What type of training will meet the requirements of the ICO?
First, let’s be clear: GDPR training isn’t optional, it is a mandatory requirement of GDPR compliance. But how do you know if you’ve chosen the right type? Unfortunately, the ICO haven’t set out straightforward guidelines for us to follow. However, from our experience with data breach investigations and decisions and audits made by the ICO, we have been able to put together a list of key points that we now know are important to the ICO and that you should bear in mind when choosing training.
1. Training MUST Be Relevant
The ICO states that it is essential that GDPR training is pitched at an ‘appropriate’ level. Bespoke data protection training should be provided or undertaken depending on the job you have. For example, a solicitor wouldn’t do generic online training designed for an employee in a large warehouse. It wouldn't give the solicitor any real or helpful information on what their risks and responsibilities are, it is likely to be a waste of their precious time, and it wouldn’t stand up to scrutiny before the ICO. When considering what ‘appropriate’ means, make sure all training content actually matches the responsibilities and work environment of the learner.
2. Training Must Be Refreshed Annually
This is pretty basic, and in line with most other compliance regulations. Put a date in your diary when your training expires and make sure you update it in 12 months. You’ll be surprised at how much you have forgotten in the meantime.
3. Tests Are Good
The ICO has advised that appropriate training will include assessments with minimum pass marks. Does your training have this? Unfortunately, a quick lecture from your friendly IT manager talking about data protection legislation is unlikely to count as appropriate training. Make sure there is a test or an assessment included in any training you choose. This will also help you identify staff members who are struggling with the topic and may need extra support or guidance.
4. Evidence Is Needed
The ICO will look for evidence of training, usually in the form of a certificate of completion or a test pass mark. Ensure you have one for every staff member and keep a record of these centrally, so you have them to hand in the case of a data breach investigation.
5. Compliance Reporting Is Essential
The ICO states that accurate reporting on GDPR training levels will be critical to future GDPR proofing. Businesses must make sure that GDPR training compliance reports are available and provided to the senior management team, so they are aware of staff training compliance levels and can take appropriate action where failures exist. You are also likely to be asked for this training report during a data breach investigation or ICO audit.
6. Certifications Demonstrate Excellence
The ICO states that during their audits they will look for evidence of recognised and relevant external accreditations. Not only will this assist you in front of the ICO, but it will show your commitment to GDPR and demonstrate to your clients and customers that you are dedicated to keeping their information safe.
All in all, it’s a lot to think about when reviewing annual GDPR training. However, it really is an investment worth making as in my experience, putting in place ‘appropriate training’ is the closest thing you can get to a get-out-of-jail-free card.