Training your staff regarding General Data Protection Regulations (GDPR)
If your company collects, uses or stores people’s personal data, then this is important. The new GDPR laws came into force on May 25th, having evolved from the Data Protection Act 1998. Under the new GDPR law, employees who handle or process personal data should receive adequate training about their responsibilities regarding data protection. Good practice dictates that new staff members should receive initial training as part of their introduction to the business, whilst all other employees should receive refresher training on a regular basis, or after a significant change to the legal requirements.
Is IT secure?
Personal information must be processed in a manner which ensures its security. This includes protection against accidental loss or damage. IT security training is an essential part of GDPR compliance. The actual elements of your company’s IT security training will differ depending on the type of data which is stored and the level of access that a user has, but basic security training should include items such as maintaining strong passwords, deleting spam email messages without opening them, and an awareness that deliberately distributing data without the data owner’s permission may lead to prosecution.
Reinforce the message
Appropriate organisational and technical measures to secure personal data must be planned and in place. Key messages regarding GDPR should be communicated to all staff who have, or might have, access to personal data. Training messages should be repeated regularly to help them stick and to reinforce any official training. Ways to achieve this internally can include team meetings, notice-board posts, the company intranet or memos sent by instant messenger. All such reminders help to get the message across and keep data security front of mind.
If personal data is not handled, processed, transferred and stored securely (including arrangements for the data to be ‘forgotten’ on request) then your company could face prosecution and fines. A case which recently made headlines involved Morrisons supermarkets and the deliberate release, by a disgruntled employee, of the personal data of approximately 100,000 employees. The case highlights the overarching responsibility of employers to ensure the security of personal data. It also demonstrates the potential for vicarious liability, where a company can be held responsible for the malevolent actions of an employee.
The bottom line: GDPR training is essential
For further advice on how you can ensure GDPR compliance, or for more details on how GDPR affects your company, feel free to contact us.