GDPR Training Requirements

Training is required by GDPR. How will you comply?


Do you need GDPR training?

Every organization that must comply with GDPR must conduct employee training.

What organizations have to comply with the General Data Protection Regulation (GDPR)? The short answer is any organization that stores or processes personal data (the GDPR term; broadly what US practice calls personally identifiable information, or PII) about people in the EU. Under Article 3 this applies regardless of whether the organization has operations in the EU: a US company that offers goods or services to, or monitors the behavior of, individuals in the EU must comply with GDPR for that data.

Technology companies are seen as being the most impacted by GDPR because they cross borders seamlessly via the Internet and technology business models and products often leverage PII.

GDPR defines two classes of organizations, similar to HIPAA: data controllers and data processors. Data controllers, like covered entities under HIPAA, decide why and how personal data is processed; they typically collect it directly from the individuals they serve and carry primary responsibility for it. Data processors, like business associates under HIPAA, process, store, or otherwise manage personal data on behalf of and on the instructions of a data controller.

If you work for a company that stores or processes personal data of people in the EU, you should be getting some type of GDPR training to understand the impact on your organization and your own role in handling that data.

What training does GDPR require?

GDPR defines both explicit and implicit training requirements. The two explicit references to training in the text of GDPR are:

  • Article 39(1)(b) - one of the defined tasks of a data protection officer (DPO) is awareness-raising and training of staff involved in processing operations; and
  • Article 47(2)(n) - binding corporate rules used for intra-group international transfers must specify the appropriate data protection training for personnel having permanent or regular access to personal data.

Note that Article 39 applies where a DPO is designated and Article 47 applies to organizations relying on binding corporate rules, so neither is a blanket obligation on every organization. Taken together, though, the explicit GDPR training requirements are aimed at the employees who access personal data and the processes that involve it.

Implicitly, Article 25 GDPR defines the principle of data protection by design and by default. Article 25(2) states: "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed." Article 25(3) goes on to state that an approved certification mechanism (under Article 42) may be used as an element to demonstrate compliance with these requirements; at the time of writing, no such GDPR certification scheme has been finalized. In the experience of Day Zero, having led or been involved in thousands of audits and security assessments, we have not seen a security certification that does not require training of all staff. In order to implement data protection by design, privacy needs to be part of the culture of an organization, and training is an essential component of that.

GDPR training should be conducted at onboarding for new employees, whenever changes are made to compliance policies and procedures, and on a regular cadence. GDPR does not prescribe an interval; in our view annual is the longest acceptable one.

What does effective GDPR training look like?

The goal of GDPR was to unify privacy protections across the entire EU, though enforcement is handled by national supervisory authorities and is often localized. The aspects of GDPR that get the most attention, and are the most relevant to a discussion of GDPR training, are 1) data subject rights (the right of access, the right to rectification, the right to erasure or "right to be forgotten", and so on) and 2) data protection by design and by default.

Most organizations do not offer effective compliance training to their workforces, and GDPR-covered organizations are no exception. Current approaches to GDPR training reuse existing compliance training, which is typically outdated, generic, infrequent, and does not apply practically to the day-to-day work of employees, especially employees at technology companies. Employees are among the largest threats to corporate systems and data, and employee mistakes and misuse are consistently among the most common causes of security incidents and data breaches. It has never been more important to get GDPR training right.

Additionally, in order to effectively implement data protection by design and to ensure all employees know how to recognize and route data subject requests, every member of the workforce should be trained in compliance, privacy, and security in general as well as in the GDPR-specific rules relevant to their role.

At Day Zero, our team has designed and managed GDPR training programs. For training to succeed, and for it to actually reduce organizational risk by supporting data protection by design, GDPR training needs to be built into the culture of the organization. In our experience, the following elements are essential aspects of effective GDPR training.

  • Simple words. Technical and legal jargon should not be used. Most employees don't need to talk to auditors or interpret compliance frameworks; they need training they can understand and act on.
  • Ongoing. Training starts at onboarding but should be continually delivered in short snippets on a regular, at least monthly, basis.
  • Specific to employee role. Training curriculum and snippets should be tailored to the specific roles of employees, since an engineer handling production data, a support agent answering customer requests, and a recruiter reviewing applications each touch personal data differently.
  • Engaging. Training should not be static. Employees should be asked to participate through feedback and short quizzes.
  • Relevant to modern work. Work is done on computers in the office and on employee-owned phones and laptops at home. GDPR training needs to take this into account and include lessons that apply to all of these settings.
  • Covers data subject rights. GDPR is explicit about the handling of data subject requests, including response deadlines. GDPR training should teach employees to recognize such requests and know where to route them.

Day Zero offers GDPR training that ensures all of the above. In addition, we provide metrics to continually gauge and improve compliance training. Our customers lean on us to build a culture of privacy across their entire workforce. We are 100% focused on making sure your employees are properly trained and you have the proof you need to comply with GDPR.