We’ve been taking soundings from data protection officers (DPOs), and the picture they’re painting isn’t a pretty one. Six months after the introduction of the EU’s General Data Protection Regulation (GDPR), it seems too much is being asked of them by their organisations, with too little support.
Some are being asked not just to monitor and advise on GDPR training, but to lead on training for employees. But they’re not learning professionals and they don’t have the time to do this. So, what is the training role of DPOs in keeping their organisation GDPR-compliant and how can L&D support them?
The role of the DPO
DPOs require a huge skillset to do their job. They must be experts in data protection and have the necessary influencing and soft skills to hold sway in conversations with those at the highest management level. They must ensure their voice is heard when data protection strategies are designed and implemented.
Another key part of the role involves “monitoring compliance with the GDPR and other data protection laws, data protection policies, awareness-raising, training, and audits,” according to the Information Commissioner’s Office (ICO).
Clearly, there is a responsibility for them to be involved in ensuring employees have the training they need to keep the organisation – and people’s data – as safe as possible. However, at the GDPR, Eprivacy and Digital Marketing Conference in Reading on 8 November 2018, it was equally clear from what DPOs told us that they are sometimes being asked to take on too much of the burden in the training around GDPR. And there is frustration that some of the training is not achieving results, with potential breach-risk behaviours continuing after training.
Here are three ways L&D can step up:
Face to face training
Is asking your DPO to lead a classroom session the most effective use of their time? Probably not. Yes, it’s a good idea for them to attend some key sessions, perhaps with senior teams, to answer questions and clarify points. But they can’t lead every session; it’s just impractical. Make the most of technology to capitalise on the expertise of your DPO without tying up too much of their time. Video is the perfect way to bring their insight to a wider audience. Think about how you blend digital with face to face to enrich the learning experience for your people and optimise the input from your DPO.
DPOs told us that employees were being given “extremely dry” GDPR elearning and that the main message was around the potentially high financial penalties in the event of a breach. The outcome is a lack of engagement in this crucial topic; people are switching off. Engagement is a key factor in our decision to create a digital learning game, GDPR Sorted. It embeds the core principles of GDPR, using relevant scenarios in a fast-paced, fun game, where people learn about data protection as they master the game. Internal research at Sponge found that 91% of players enjoyed the game and it contributed to a 58% knowledge lift and a 38% increase in confidence when applying GDPR.
Of huge concern to DPOs is that GDPR compliance learning isn’t ‘sticking’. They are still seeing some of the same high-risk employee behaviours after training as before. One scenario in particular that gives DPOs sleepless nights is a lost laptop, on a train or other public place, creating a serious data breach. Ensuring that people remember the rules and develop safe behaviours is difficult to achieve with one-off training. L&D has a huge role to play in creating a sustainable and continuous learning strategy around GDPR compliance. It’s one area our GDPR Sorted game is helping to address by encouraging people to repeatedly play and practise applying their knowledge before they move on to the next level.
DPOs are doing a great job – but they can’t do it alone. There aren’t many DPOs who understand learning theory or how to motivate learners. As learning professionals, L&D needs to work in partnership with DPOs to deliver effective employee training across the organisation. Their GDPR expertise and your learning know-how are a potent force in building safe data privacy behaviours among the workforce. We’re looking forward to meeting more DPOs and other compliance professionals at the Data Protection World Forum event at Excel London on 20-21 November 2018. Our learning experts can advise on how digital learning can help employees understand what they need to know about data protection to reduce risk and keep everyone’s data safe.