GDPR training and testing for employees – what you need to know!

Date: 30 October 2019

Under the General Data Protection Regulation (the GDPR), the UK Privacy Act 2018 and other data protection regulations around the world, GDPR training for employees is mandatory. Employers are obliged to deliver data protection training for staff and to record the results of that training. It's the employer's job to ensure employee awareness of issues associated with data protection. Cyber security training and skills assessments are a key part of your data protection, compliance and governance strategy. Here's why and what you need to do next!
Human error leads to privacy breaches

Research suggests that 27% of data breaches are caused by human error. An employee clicking on an inappropriate link, using weak passwords or simply sending personal data to the wrong email address - any of these things can lead to a breach of privacy law.
And the fines for these breaches are potentially huge. The GDPR, for example, allows fines of up to 4% of global turnover - or €20 million (whichever is the greater). These fines can be mitigated if you can prove to authorities that you have undertaken formal data protection training for staff, and if you have taken appropriate steps to test employees on their understanding. It is accepted that mistakes can happen - what matters is what your organisation has done to prevent these mistakes.
Employee GDPR Training is mandatory under the regulations

It is a requirement of the GDPR and other comparable legislation around the globe that organisations ensure and demonstrate that they are taking the necessary measures to comply with the law. This means that employees need to be trained on how to avoid breaches of personal data.
You also need to test GDPR awareness

It's not enough just to train your employees and then forget about it - you need to be able to prove GDPR awareness. The ICO (the organisation responsible for implementing the GDPR in the UK) is clear on this:
Yes, the GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your circumstances. However, it’s important to note that the requirement in the GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing.

Once you've trained your staff, you need to test them. This is a key part of your compliance effort.

Online GDPR training and testing may reduce the risk of a breach - and mitigate the level of fines

Data protection authorities have made clear that, in the event of a breach, steps taken by the organisation involved will have an impact on the level of any fine. It is reasonable to assume that a mistake made by a fully trained and regularly tested employee is going to lead to a smaller fine than one made by someone without any such training and where, as a result, the employer has not met its legal requirements.
What do your employees need to know?

In short, it is your responsibility to protect any personally identifiable data you store. As a result, you need to ensure that employees are capable of doing that. This might include everything from the understanding of the rights of data subjects, through to how to handle a data breach.
Some good news about data protection training!

The good news is that the training requirement reflects the job role of an employee. Your DPO (Data Protection Officer), if you need one, will be expected to be an expert on issues associated with data governance. He or she will need to be able to fully understand how the organisation uses personal data internally, and the third party data processors that it trusts. At ISV.Online, we've invested heavily in following best practice by creating an Internal Security Committee (ISC) which includes a colleague with both the EU GDPR-P and the EU GDPR-F qualifications. Smaller firms may employ a DPO directly, although some prefer to use independent consultants.
However, not every employee needs to be an expert.

Other team members do not necessarily need to be industry experts. They simply need to understand best practice as it affects them. This will vary from organisation to organisation, and employee to employee, but many basic skills will be standardised.
Organisations need to put in place a learning path that reflects this divergence of requirements - but, fundamentally, anyone who might come into contact with personally identifiable data needs to be trained, to a greater or lesser extent.
Options for testing and training your staff

While many organisations turn to expensive GDPR training courses delivered by third party consultants or instructors, this is rarely necessary. ISV.Online has developed a suite of online security training, testing and assessment tools that will - out of the box - meet the needs of many organisations.

Skills test results are presented in many ways. There isn't always a pass mark.
Our standard online GDPR data privacy training includes:

  • Protecting and sharing information
  • Personal data in the workplace
  • Working on the move
  • Staying safe online

Each course is completed online on any device and will take approximately 30 minutes to complete.
Our online data privacy tests and assessments include:

  • The GDPR quick test
  • The GDPR full test
  • Cybersecurity for office-based employees

The good news is that online GDPR testing need not be expensive. Our cyber security tests are available for as little as £1 per employee. Negligible in the context of the potential fines!
GDPR training is not optional!

Ensuring that your employees follow best practice in terms of defending the rights of data subjects is mandatory. GDPR training is a legal requirement.
Paul Mather, whose credentials include being an EU GDPR Practitioner and a Director of ISV.Online, commented:
"People often misunderstand the GDPR. There is, as yet, no simple certificate that will say an organisation is 'GDPR Compliant'. No organisation can receive certification as such. In reality, any business that handles personal data needs to ensure that privacy and cybersecurity are baked into everything it does. Training employees and then testing them on an ongoing basis is an important part of that process."
Learn more about GDPR online training and testing for employees

To learn more about our training and testing services - available for as little as £1 per employee - contact ISV.Online on 0800 051 9410 or via email at enquiries@isv.online


© ISV Online 2019. ISV Software Ltd, a subsidiary of Dillistone Group Plc. All rights reserved.