A little more than a year out from its effective date of May 25, 2018, the General Data Protection Regulation (GDPR) is undoubtedly on the minds of many of privacy professionals whose organizations handle the data of EU citizens.
In a nutshell, the GDPR is designed to strengthen and unify data protection for individuals within the European Union (EU). Perhaps more significantly, it also addresses the export of EU citizens’ personal data outside the EU. This means both Eurozone companies and those based in the U.S., for example, will have to comply with the regulation. And the regulation has teeth: fines for non-compliance can add up to $22 million or 4% of a company’s global annual revenue, whichever is greater.
Unfortunately, recent survey findings aren’t exactly a cause for hope. For one, a late 2016 survey from Dell found that a whopping 97 percent of companies had no plan in place to comply with the GDPR. Another survey found that 78% of IT decisions makers at 700 European companies were unclear or completely unaware of GDPR requirements.
You’re likely to find gallons of digital ink spilled over the ins and out of the GDPR, and organizations should have started planning months ago for what changes will be needed to comply.
GDPR and privacy awareness
I’d like to focus on a specific piece of the lengthy GDPR: the requirement for privacy awareness training. In technical terms, Articles 39 and 47 make “awareness-raising and training of staff involved in processing operations, and the related audits” a responsibility of the Data Protection Officer, or DPO.
Detailed requirements of such training are lacking. But, that’s no reason to put any less focus on this aspect of GDPR compliance as any other; or hold off on thinking about how to train your employees until the last minute.
Employee awareness training is in my wheelhouse, so I’m offering the following five-step checklist designed to help you tackle the privacy awareness training requirement of the GDPR with ease.
1. Survey employees on data privacy knowledge
When it comes to privacy awareness, you need to know what your employees don’t. Knowledge assessment surveys are perhaps the most direct way to measure what your employees know and don’t know about privacy best practices.
The design of such a survey can take many forms, but the questions should be geared toward those aspects of data privacy that could affect your organization the most. A good place to start is the GDPR itself – consider using the myriad requirements in the regulation as a guide. The regulatory requirements on data breach reporting or data processing, for example, are great fodder for surveys and subsequent training.
2. Plan your initiative
So now that you know what your employees don’t know, the next step should be to make a plan for a privacy awareness program that specifically addresses the knowledge gaps revealed in your survey.
You’ll want to use this information to identify a set of defined risks and desired behaviors to address in the training. By doing this, you stand a great chance of accurately measuring your ability to improve your risk posture through an effective training program. Such a program ensures your employees are getting relevant information delivered to them, in a variety of forms that include, but should not end with, conventional training.
3. Build alliances with communications staff
No one gets through life alone, and the same is true for launching or improving a privacy awareness initiative. If your organization is big enough to have to comply with the GDPR, your organization likely has dedicated employee communications staff–people who send out updates about the company, post notices from HR and other departments, etc.
Now’s the time to connect with them and make sure they know about your desire to get the word out about privacy awareness. At the very least, they’re less likely to feel like you’re stepping on their toes when you communicate company-wide about privacy best practices. At best, you’ll find collaborators for your privacy awareness efforts who may even think of ways to present privacy topics you hadn’t.
4. Get executive-level buy-in
Ultimately, someone has to pay for the work involved in a privacy awareness initiative. Whether the work is done by a third-party vendor or in-house, this means getting buy-in from the ones signing the checks. The key here is clearly answering the question: is it worth it? Explaining the cost of not equipping your employees with the tools they need to keep private data private is an important point to bring up in budgetary discussions. The average cost of a data breach hitting $4 million on 2016. That, and the GDPR itself carries hefty fines for non-compliance.
This, you’ll likely find, is another benefit of having a firm plan in place before training starts. It will be easy to show executives what goals you plan to achieve and how you plan to get there. With enough good will from the higher ups, you may be able to corral an executive into crafting a personal message about the importance of privacy awareness to your employees. Data privacy, after all, is everyone’s responsibility.
5. Train, train, train
Again, the GDPR offers no specifics as to what sort of privacy awareness training should be implemented. I see this, though, as opportunity to shoot for an awareness initiative that not only complies with the GDPR requirements, but exceeds them.
Theories abound on the best way to present educational content to employees. I often recommend seeking an expert vendor to build or at least consult on training development, but this is not an absolute necessity. The goal of any awareness initiative should be to replace risky employee behavior with risk aware behavior, which safeguards the sensitive data your employees have been entrusted with.
When it comes down to it, you should think of privacy best practices as seeds of conversation you want to hear around the office. Instead of talk of the reality show du jour around the water cooler, a (not too unreasonable) goal should be to hear discussion of the latest high-profile data breach and how it could have been prevented. A well-planned, risk-aligned privacy awareness program will set the groundwork for these conversations.
GDPR as an opportunity
Though a daunting set of requirements to tackle, I believe the GDPR will ultimately have benefits beyond its stated mission. The regulation has the potential to change the dialogue on the importance of privacy protection from the executive level down to the employee level.
This new discussion will be happening not just in organizations seeking compliance with the new regulation, but across organizations of all industries and sizes. In our increasingly interconnected world, data privacy spoken of this frequently and to this extent cannot be a bad thing.