How can you make employees aware of the new GDPR data protection requirements?

16 Nov 2017

It’s vital to make everybody in your organisation aware of the new data protection requirements that the GDPR will bring. The majority of data breaches that occur are due to human error – sending information to the wrong email address, failing to encrypt data, and losing memory sticks or mobile devices. Under the GDPR, penalties for such errors could be up to 20 million euros, so it’s imperative that each employee who has access to data understands and follows your GDPR policy. Key decision makers in your organisation must identify areas that could cause compliance problems under the GDPR so that resources can be allocated now. Leaving preparations until the last minute could make compliance difficult.


1. Make all employees aware of GDPR data protection requirements

Everybody in the organisation must understand the implications of a data breach for the organisation, for data subjects and for themselves. For the organisation, a data breach could incur GDPR penalties as well as loss of reputation. For the data subject, the risks are immeasurable – a quick Google search reveals what can happen if personal data falls into the wrong hands. For employees, failing to meet data protection requirements could mean disciplinary proceedings or dismissal. Your organisation must be able to evidence GDPR compliance to prove that every necessary safeguarding procedure is in place. GDPR aside, every one of us has a right to expect that our personal data is handled carefully – that’s the core message employees must embrace.


2. Give employees relevant training

It’s important to provide staff with a general overview of the GDPR data protection requirements. However, it’s even more important that the training you provide is relevant to your particular organisation and your employees’ roles. In order to reduce the risk of data breaches, employees must be able to see how GDPR compliance is relevant to their day-to-day tasks. This might include educating employees about the importance of hard-to-crack passwords and why passwords must be changed regularly. Many people use the same password for all their accounts, both at home and in the office! You might talk about why confidential waste must be shredded, how to encrypt data, why specific data is kept at all, how long data should be kept, or question why confidential data is taken out of the office.


3. Teach employees how to identify when a data breach has occurred

The GDPR will make it compulsory to report serious data breaches to the individuals at risk and the ICO within 72 hours of discovery. Obviously, you want to train employees to avoid this happening, but they still need to know how to recognise a data breach and what to do if one occurs. If your training programme is relevant to your particular organisation, it is easier for employees to identify a breach and pass what they know to the appropriate person (the Data Protection Officer, if you have one) immediately.


4. Training is better face-to-face

If your employees train online, you need to supplement this with face-to-face training. Online training isn’t tailored to your organisation or to your employees’ roles; it only gives a generic understanding. The ability to have a discussion, to ask questions and to learn from others is invaluable. Moreover, a trainer can adapt the course on the spot to address important points.


5. Begin training your employees today – and continue!

The more prepared you are today, the more likely you are to comply with the GDPR data protection requirements when they come into force in May. Training needs to continue beyond that date so that new employees are up to speed as well. GDPR training could be part of your organisation’s new employee induction programme. Employees who have received training need regular refreshers to keep their understanding clear and also to incorporate any issues they may have discovered since their previous training.


REMEMBER: Cyber-security tools only work if employees use them correctly. It’s important that employees are trained so that your organisation avoids data breaches and GDPR penalties. Make sure they understand how to adapt their everyday roles to meet the GDPR data protection requirements.

Get in touch to discuss your GDPR compliance needs.

© Copyright All Rights Reserved, NDC Certification Services Ltd. 2020.