What form should GDPR training take?
The new data regulation is more than just a compliance challenge – it’s a people challenge, says Oz Alashe
With the EU’s General Data Protection Regulation (GDPR) coming into force in little over a month, guidance on how companies should be preparing is already widely available. While almost all of these strategies revolve around the need for ‘compliance’, paradoxically, organisations fixating on the need for compliance are unlikely to be successful. Ticking boxes may give a business a superficial feeling of being fully compliant, but it’s no guarantee of the actual, operational and behavioural change that the GDPR encourages. That’s because it isn’t just a compliance challenge – it’s about the way people collect, process, store, share and securely wipe personal data. The GDPR is principally a people challenge.
Employees at almost all levels of an organisation handle important information that will fall under the scope of the GDPR, and across the entire company – including IT, marketing, customer support and data teams – staff need to be aware of new policies and how they can execute changes effectively. Training is evidently necessary, but the defining question remains: what form should this training take?
This doesn’t have an easy answer. As HR departments will know, just because employees know about the GDPR and some of the regulation’s core concepts, it doesn’t necessarily mean that they put that learning into practice.
A tick-box approach to GDPR compliance training is clearly insufficient – as is overwhelming staff with information about the legislation, or handing them a huge GDPR training manual. Giving employees a one-off GDPR training session may similarly have little impact, because of the concentration required for the training to be absorbed, and the fact that GDPR practices among staff may deteriorate over the course of the year.
GDPR training needs to reflect what we know about how people learn, retain and act on information. Studies show that people are more likely to remember information given in regular, smaller chunks. In this sense, the GDPR needs to be an ongoing item throughout the year, rather than a once-only event. Given that staff often value learning that integrates with everyday life, technology that enables training to be done at a time and place convenient for them may be the best option.
Training pertaining to cybersecurity should be prioritised, since the heaviest penalties outlined in the legislation – €20m, or 4 per cent of global turnover – occur as a result of data breaches. This applies to both ‘data controllers’ – those who own and determine the use of data – and ‘data processors’ – those who process personal data on behalf of the data controllers.
Considering some 75 per cent of breaches that occur in business can be attributed to people, protecting one’s company and avoiding large fines will inevitably involve training staff to act safely online. And since most cyber attacks rely on social engineering and the underlying emotions of victims – excitement, curiosity, doubt, boredom, etc – good cybersecurity training will need to do much more than just inform; it also needs to transform behaviour.
Ensuring employees are empowered and educated to cope with the additional demands of the GDPR – be that on cybersecurity awareness, data handling or data storage – will determine how compliant a business is after 25 May.
What is clear is that any form of GDPR training will need to make a tangible impact on people’s behaviours. Training that doesn’t achieve this will not deliver significant return on investment for HR departments.
Oz Alashe MBE is a former lieutenant colonel in the British Army and UK Special Forces, and CEO of CybSafe