19 March 2018
The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations on controllers[1] and processors[2]. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of €20 million or 4% of annual global turnover, whichever is the higher.
The third step in your journey towards becoming GDPR compliant involves ensuring that your staff are up to speed with your new data protection policies, practices and procedures. (Steps one and two are available to read on our GDPR compliance page.)
Staff awareness is a key part of preparing for the Regulation to come into play: ensuring that your staff are aware of the changes and what is expected of them will help you to remain compliant and avoid the potential risk of breaching the Regulation.
We recommend that you approach staff training by identifying two main groups:
1. Staff who will be dealing directly with GDPR compliance requirements.
- It is these employees who will be responding to and handling the exercise of data subject rights, maintaining Article 30 data processing records if required, executing breach notification procedures, and otherwise ensuring compliance with the obligations of the GDPR.
- These employees are likely to already have some data protection experience under the existing European and UK data protection regimes (the Data Protection Directive 95/46/EC and the Data Protection Act 1998 respectively) and so will already have at least a working knowledge of data protection principles.
- Nevertheless, it will be necessary for these employees to undertake further detailed and specialist training in respect of the compliance obligations under the GDPR.
2. All other staff members.
- It is unlikely that data protection will make up a significant part of these employees’ day-to-day roles. However, it is important that they receive general training in order to create an environment of enhanced data protection awareness and compliance throughout your company.
- This company-wide training should cover the basic features of the GDPR, how you are responding to the requirements (i.e. your newly implemented policies and practices), as well as any job-specific issues they may encounter.
- Presenting the issues as case studies relevant to specific job roles may help in generating engagement with employees and increasing the impact of the training.
- It may also be helpful to consider carrying out training from both an inward- and outward-facing data protection perspective. Even if this group is unlikely to come across data protection issues on a regular basis, consider the fact that, as employees, they are also data subjects, and this training will be an opportunity to increase awareness and transparency with respect to the processing of employees’ own personal data.
You can find more information about data protection policies and practices from our GDPR webpage and the following helpful Information Commissioner’s Office (ICO) webpages:
- The ICO’s toolkit of information rights resources
- The text of the GDPR
- The ICO’s guide to the GDPR
- The ICO’s self-assessment resources
If you have any questions, or need any assistance with your staff training, please do get in touch.
In our next update we will discuss how best to communicate updated policies and the implementation of training to your customers, clients, subscribers, and any others whose personal data you hold.
[1] A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
[2] A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.