Much of the discussion about the EU General Data Protection Regulation (GDPR) has focused on the mammoth fines that supervisory authorities can levy against non-compliant organisations. However, in August 2017, the Information Commissioner’s Office (ICO) released a series of blogs insisting that fines would be a last resort.
That doesn’t mean that organisations that breach the Regulation will get away easily. As with current data protection laws, the GDPR gives supervisory authorities the power to impose enforcement actions. Some of these are outlined in the ICO Q1 2017/18 report, which summarises follow-up action the ICO has taken against breached organisations. In each of the three cases, the ICO forced the organisations to implement rigorous staff training and awareness measures.
Staff training obligations
The enforcement action that the ICO takes will always depend on its investigation of the company in question, but the report shows that it will often require organisations to:
- Make sure anyone whose job involves processing personal data undertakes data protection and data handling induction training. This includes full-time staff, third-party contractors, temporary employees and volunteers. The Northern HSC Trust was required to repeat this training every three years, whereas the Royal Bank of Scotland was instructed to deliver it “as and when a need for particular staff training is identified”.
- Record and monitor this training “with oversight provided at a senior level against agreed Key Performance Indicators to ensure completion”. Additionally, the data controller might be required to implement follow-up procedures to make sure staff who haven’t attended or completed the training courses do so before deadlines (set by the ICO).
- Make sure everyone in the organisation is aware of the content and location of its policies and procedures relating to the processing of personal data. If organisations don’t already have one, they should implement a mechanism that allows staff to be updated whenever changes are made to these policies.
Invest in staff training
The ICO’s focus on staff training and awareness policies following data breaches shows how important it is for employees to know how to handle personal data correctly. Human error is the cause of most data breaches, so organisations should invest in staff training to mitigate the risk.
We offer a variety of staff awareness solutions to help improve organisations’ cyber security. Our training aids, reading materials, in-house training and e-learning courses make your employees more aware of the risks they face and the way they should respond.
A staff awareness programme should be an ongoing process that begins with employees’ inductions and is reinforced by regular updates throughout the year or whenever staff-related incidents occur.