Date: 30 October 2019

Under the General Data Protection Regulation (the GDPR), the UK Data Protection Act 2018 and comparable data protection regimes around the world, GDPR training for employees is mandatory. Employers are obliged to deliver data protection training to staff and to keep a record of that training and its results. It is the employer's job to ensure that employees are aware of the data protection issues that affect their work. Cyber security training and skills assessments are therefore a key part of your data protection, compliance and governance strategy. Here's why, and what you need to do next.

Employee errors lead to privacy breaches

Research suggests that around 27% of data breaches are caused by human error. An employee clicking on a malicious link, using a weak password or simply sending personal data to the wrong email address: any of these can amount to a breach of privacy law. And the fines for such breaches are potentially huge. The GDPR, for example, allows fines of up to 4% of annual global turnover or €20 million, whichever is the greater. These fines can be mitigated if you can show the regulator that you have delivered formal data protection training to staff and have taken appropriate steps to test employees' understanding of it. It is accepted that mistakes happen; what matters is what your organisation has done to prevent them.

Employee GDPR training is mandatory under the regulations

It is a requirement of the GDPR, and of comparable legislation around the globe, that organisations both take the measures necessary to comply with the law and are able to demonstrate that they have done so. In practice this means that employees need to be trained on how to avoid breaches involving personal data. Online data protection training is a cost-effective way of meeting this part of the GDPR.

You also need to test GDPR awareness

It's not enough to train your employees once and then forget about it: you need to be able to prove GDPR awareness on an ongoing basis.
The ICO (the UK supervisory authority responsible for enforcing the GDPR) is clear on this:

"Yes, the GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your circumstances. However, it's important to note that the requirement in the GDPR concerns your measures in their entirety, therefore whatever 'scope' you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing."

Once you've trained your staff, you need to test them. This is a key part of your compliance effort.

Online GDPR training for employees may reduce the risk of a breach and mitigate the level of fines

Data protection authorities have made clear that, in the event of a breach, the steps the organisation had already taken will affect the level of any fine. It is reasonable to assume that a mistake made by a fully trained and regularly tested employee will attract a smaller fine than the same mistake made by someone who received no such training, where the employer has consequently failed to meet its legal obligations.

What do your employees need to know about cyber security and data protection?

In short, it is your responsibility to protect any personal data you store, so you need to ensure that your employees are capable of doing that. The knowledge required ranges from an understanding of the rights of data subjects through to how to handle a data breach.

Some good news about online data protection training

The good news is that the training requirement is proportionate to the employee's job role. Your DPO (Data Protection Officer), if you are required to appoint one, will be expected to be an expert on data governance.
He or she will need to fully understand how the organisation uses personal data internally and which third-party data processors it relies on. At ISV.Online, we've invested heavily in following best practice by creating an Internal Security Committee (ISC) that includes a colleague holding both the EU GDPR-P and the EU GDPR-F qualifications. Smaller firms may employ a DPO directly, although some prefer to use independent consultants.

However, not every employee needs to be an expert. Other team members simply need to understand best practice as it affects their own work. What that means will vary from organisation to organisation and from employee to employee, but many of the basic skills are common to all. Organisations need to put in place a learning path that reflects this divergence of requirements. Fundamentally, anyone who might come into contact with personal data needs to be trained, to a greater or lesser extent.

Options for testing and training your staff

Many organisations turn to expensive GDPR training courses delivered by third-party consultants or instructors, but this is rarely necessary. ISV.Online has developed a suite of online security training, testing and assessment tools that will, out of the box, meet the needs of many organisations.

Our standard online GDPR cyber training includes:
- Protecting and sharing information
- Personal data in the workplace
- Working on the move
- Staying safe online

Each course is completed online on any device and takes approximately 30 minutes.

Our online data privacy tests and assessments include:
- The GDPR quick test
- The GDPR full test
- Cybersecurity for office-based employees

Online GDPR testing need not be expensive: our cyber security tests are available for as little as £1 per employee, which is negligible in the context of the potential fines.
A combined GDPR training and testing solution is the best approach to achieving compliance

Best practice is to train your employees, test them to confirm that they have taken in the advice and guidance offered, and then test them again at a later stage. Having a single supplier for your online cyber training and testing is a good way of ensuring a joined-up compliance policy.

GDPR training is not optional

Ensuring that your employees follow best practice in defending the rights of data subjects is mandatory. GDPR training is a legal requirement.

Paul Mather, an EU GDPR Practitioner and a Director of ISV.Online, commented: "People often misunderstand the GDPR. There is, as yet, no simple certificate that will say an organisation is 'GDPR Compliant'. No organisation can receive certification as such. In reality, any business that handles personal data needs to ensure that privacy and cybersecurity are baked into everything it does. Training employees and then testing them on an ongoing basis is an important part of that process."

Learn more about GDPR online training and testing for employees

To learn more about our training and testing services, available for as little as £1 per employee, request a demo online, call ISV.Online on 0800 051 9410 or email email@example.com.

ISV.Online is the leading supplier of skills testing software and services to the UK recruitment industry. Used by 9 of the top 10 UK agencies by number of offices, and 7 of the top 10 by revenue, ISV.Online offers candidate skills assessment and evaluation software and online training tools, allowing agencies and in-house HR/recruitment teams to validate the skills of potential candidates and existing employees across a wide range of areas.