Every large organisation will be aware of the EU’s new General Data Protection Regulation (GDPR), which comes into effect in the UK on 25 May 2018.
But they might not be aware that a serious breach of GDPR, especially one that is not dealt with properly, could cost them up to 20 million euros or 4% of global annual turnover, whichever is higher.
Likewise, employees are unlikely to realise the seriousness of the new personal data laws or that breaches could have severe repercussions for them as well as for their employers.
The key questions businesses should be asking themselves now are: how do we embed compliance so that we avoid costly breaches, and how do we make sure employees sit up and take notice of the importance of the new rules?
Why you should be taking personal data seriously
In our earlier blog, we set out the main points of GDPR and how L&D teams would have to take a lead on ensuring compliance. Every single organisation will be affected and everyone – leaders and employees – will need to know the rules. By law, some organisations will have to appoint a data protection officer.
Essentially, GDPR supersedes the existing Data Protection Act 1998 in the UK and introduces much tougher controls on the use of personal data. It also expands the definition of personal data: online identifiers such as cookie identifiers and IP addresses count as personal data where they can be used to single out or identify an individual, so cookies can no longer be treated as anonymous.
Nick Beddows, senior learning designer at Sponge, spells out why GDPR will require a change in the often lax attitude to personal data:
“GDPR will put an end to people routinely using or sharing information that they shouldn’t be sharing because they don’t think it’s an issue. Organisations have got to get their employees up to speed otherwise staff could be unwittingly making their employers liable for huge fines. There is also reputational damage and, depending on company policy, employees could face dismissal.
“GDPR puts the onus onto the businesses to make sure that they are GDPR-compliant. Businesses have a duty to keep customer data confidential and only share it with express permission.”
Another key addition to the new data protection laws is the far greater significance placed on accountability and governance. Organisations must be able to demonstrate compliance, not merely claim it, and a personal data breach that is likely to put individuals’ rights at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it. Failure to notify the authorities when a breach occurs is itself a breach of the regulation and could set your company back millions of euros.
Ignorance of the law is no defence, either: “The courts will come down hard if you’re found to be breaking the GDPR laws,” warns Nick.
There will be no avoiding these new EU regulations. In its overview of GDPR, the UK’s independent Information Commissioner’s Office (ICO) makes it clear that the UK is likely to retain GDPR post-Brexit because “international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals”. There will be no cherry picking or opting out of GDPR, whatever final Brexit deal is reached. It has global significance, too: “The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”
GDPR: 6 steps to take
Phil Sampson, founder of Sampson Hall, is helping companies get their workforce ready for GDPR. He predicts it will change the way that organisations do business. But rather than regard this as onerous, he says companies should be welcoming the changes.
“One of the most common misconceptions about GDPR is that it will be a pain, but in fact, it will help companies perform more efficiently,” explains Phil. “Having data that’s up to date is good business practice. This could be a positive.”
Phil has six tips that will stand organisations in good stead:
1 – Take personal data laws seriously from the top down. If leaders do not treat data protection as a priority, nobody else in the organisation will.
2 – Understand what personal data is. Everyone needs to understand it because virtually everyone comes across personal data in their jobs.
3 – Understand where your data is stored. This is the key starting point: map what personal data you hold, where it came from, where it is kept and who you share it with. It will need resources and it will take time, but it is essential to get you to the start line so that you’re ready.
4 – Introduce effective training. The new regulations are so complex and all-encompassing that training is required for every single member of the organisation. This will mean an initial outlay, but the ICO stresses that training will be key in order to ensure compliance.
5 – Get your checks in place. Think about your business and how these regulations apply to you, then make sure you’re doing the best you can to comply and can show evidence that you are.
6 – Keep training ongoing. This is essential in order to protect personal data against emerging threats; your workforce needs the knowledge to identify the dangers and defend against them.
Digital learning works for GDPR compliance
How many employees in your organisation deal with personal data?
The answer for almost every company is simple: It’s everyone!
Given the sheer scale of the GDPR challenge, digital learning is the best option for reaching all employees in terms of cost, consistency and efficiency.
But to maximise the impact and safeguard your organisation, a compliance programme needs to be relevant and include bespoke scenarios so your workforce understands the context of data protection in your business and how to apply what they learn on the job.
Nick Beddows recommends scenario-based short videos as a central part of online GDPR training: “The clips need only be 30 seconds long. Employees will see someone doing or saying something that’s wrong and is flagged up. These would be scenarios that hit home.”
Having upskilled your workforce in the new rules, you’ll need to reinforce the learning so people can embed the knowledge back into the workplace. Smart technology is making learning reinforcement easier and more effective than ever before.
This continuous approach to learning is key to getting ready (and staying ready) for GDPR.