On 25 May 2018 the data protection laws within the EU saw a major overhaul with the introduction of the GDPR, the General Data Protection Regulation. This piece of legislation unifies and harmonises privacy rules across the EU and brings data protection regulation into the digital age. Its overall aim is to strengthen the protections surrounding personal data within the EU. The issue is particularly topical, not least because of the Cambridge Analytica scandal earlier in 2018 and other data breaches reported in the media.
The scope of the GDPR is broad and is not limited to EU citizens: it covers data subjects who are in the EU. Article 3 of the GDPR states “This Regulation applies to the processing of personal data of data subjects who are in the Union”, so it extends to data subjects who are only temporarily in the Union and to companies outside the Union that process the personal data of data subjects who are in it.
The legislation is necessarily complex in order to address each of these situations, among others. This is perhaps the main reason why, despite a two-year grace period to incorporate the legislation into their policies, an estimated 98% of financial organisations felt unprepared just one month before the GDPR came into force. Yet non-compliance can result in very severe fines and penalties, and perhaps more critically reputational damage and, in the case of extreme or repeated breaches, an order by the supervisory authority to cease processing.
With these penalties in mind – they can run to tens of millions of euros – it is essential that all organisations affected by the GDPR have adequate policies in place to ensure compliance. Full compliance also requires that employees are trained in GDPR practices. Non-compliance caused by human error is not an adequate excuse, and the negligent party can still be subject to penalties.
The remainder of this document sets out the key areas to consider when preparing a GDPR training course and the key steps on which organisations need to focus.
Why is training necessary?
As mentioned above, if a company is found to be non-compliant with the GDPR – or worse, a breach occurs and personal data is compromised – human error is not considered an excuse. It is therefore in the controller’s interest to ensure that any employee handling the data of EU data subjects has been trained in the relevant sections of the GDPR. It is tempting to skip this, since training days cost money and take time out of an employee’s day, but in the long term there are undeniable benefits to all parties in providing it.
There is another obvious victim should a breach occur: the data subject. If their privacy is breached they may become the victim of fraud, further cyber-attacks or identity theft. Personal data can be sold for thousands on the black market, which makes it an attractive target for cybercriminals.
The GDPR definition of a personal data breach is broad: it covers accidental loss, destruction or alteration of personal data as well as deliberate intrusion.
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Article 4(12), GDPR (Definitions)
How should we design training courses?
To avoid wasting time, training courses should be tailored to those taking them. Those who will never deal with the data of minors, for example, do not need to be trained in how to handle such data. Similarly, if a company never collects health data, employees do not need to be trained in that field. There are, however, some common components that should be included in every training course.
This article describes modules that can form the basis of a training course. Many of these will be necessary for all employees, while others can be tailored to the recipients.
It is essential that the most senior stakeholder in the organisation is a key sponsor of any training programme and assists in communicating the GDPR awareness programme.
- What is GDPR and where does it apply?
It goes without saying that before launching into the complexities of the legislation, course participants need a basic introduction to the GDPR. We recommend avoiding lengthy history lessons and focusing instead on what the GDPR means in practical terms for the organisation.
- Introduction to data protection – Data protection is a vague term; most people have some idea of what it means, but setting out clear definitions will benefit many. Data protection is about the rights of data subjects concerning the processing of their data, and since everyone is a data subject, everyone is affected by data protection legislation.
- Why the GDPR is needed – The pre-GDPR European law was a directive rather than a regulation, so data protection laws across the EU were not uniform, with member states interpreting and applying the law differently. The former Directive 95/46/EC also pre-dated the digital age. Even under the GDPR, member states may still adopt some specific derogations, but EU guidance bodies (the Article 29 Working Party, WP29, now succeeded by the European Data Protection Board, EDPB) should help with standardisation. A brief overview of recent data-related scandals may also help focus employees.
- Geographic span of the GDPR – The GDPR applies to the processing of personal data of data subjects who are in the Union (the European Union); it does not require them to be citizens of the Union. It also extends to any organisation that handles the data of data subjects in the Union, regardless of where the organisation controlling or processing the data is located. Awareness of the geographic span of the GDPR is especially important for employees dealing with personal data and subject access requests.
- When the GDPR applies – The GDPR is a complex piece of legislation covering a wide range of scenarios, and there are also many exceptions and derogations. Not every employee needs to know the details of these exceptions, but highlighting their existence is still important. It is critical that companies anticipate a potential increase in requests from data subjects and can deal with the new rights, such as portability and erasure.
- GDPR terms – To help employees understand the legislation, we recommend a briefing on the language used, based on the definitions established in Article 4 of the legislation.
- Core Principles of Data Protection
The GDPR was introduced to unify data protection across the EU and thereby strengthen the protection offered to individuals. To reinforce this, Article 5 of the GDPR sets out six core principles of data protection that underpin the whole legislation, together with an overarching accountability principle. The importance of these principles should not be underestimated, and all employees should be made aware of them.
- Types of personal data – Before explaining how personal data should be protected, employees should first be told what it is. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR also defines special categories of personal data (often called ‘sensitive personal data’) which demand additional safeguards: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation (Article 9). There are also specific rules on the processing of data relating to criminal convictions and offences (Article 10) and on data processed by the state.
- Lawfulness, fairness and transparency – Before data is processed or handled in any way, employees must make sure there is an adequate legal basis for the processing. Article 6 sets out six legal bases: consent, performance of a contract, legitimate interests, protection of vital interests, a task carried out in the public interest, and compliance with a legal obligation. The media focus heavily on consent and legitimate interests, but these are only two of the six. Data subjects can withdraw consent, and can object to processing based on legitimate interests, so it is essential that the company uses the basis most appropriate to the situation and the data it collects. Companies must be fair and transparent at all times, and where consent is the chosen basis, withdrawing it must be as easy as giving it.
- Data minimisation – Those collecting personal data should not collect more than is needed for the pre-specified purpose. This is a key element of privacy by design and by default.
- Purpose limitation – Before data is processed, the organisation must decide, and explain to the data subject, how and why it will be processed. The data cannot then be used for an unrelated purpose unless that further purpose is compatible with the original one or a new legal basis (such as the explicit consent of the data subject) is established.
- Accuracy – All data should be accurate and, where necessary, kept up to date; inaccurate data should be rectified or erased without delay. This principle underpins the data subject’s right to rectification.
- Integrity and confidentiality – No unauthorised individual should be able to access personal data, and those who do have access must not share it with others unless necessary for the processing. Data must also be protected against accidental loss, destruction or damage.
- Storage limitation – Most types of data cannot be stored indefinitely. The storage period is usually decided before the data is collected and should be set out in the organisation’s retention policy. Some categories of data, such as health data, are subject to different retention rules.
- Rights of the Data Subject
The data subject is the individual to whom the personal data relates. Data subjects are the focus of the GDPR, as it is their rights that are being protected, and the legislation bestows a number of specific rights on them. Any employee who deals directly with data subjects should be familiar with these rights. Organisations must ensure they are set up to deal with a likely increase in the volume of requests from data subjects, and must train front-line staff accordingly.
- Right of access – Data subjects can request confirmation that their data is being processed and a copy of the personal data held about them. The controller must respond without undue delay and in any event within one month of the request (extendable by two further months for complex or numerous requests).
- Right to data portability – Should the data subject wish to move to another provider, they must be able to obtain the data they provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible.
- Right to object – Where processing is based on legitimate interests or a public-interest task, the data subject can object, and the controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject’s interests. Where data is processed for direct marketing, the right to object is unconditional.
- Right to restrict processing – Similar to the right to object, if a data subject contests the accuracy of the data or the lawfulness of the processing, they can ask that the data be stored but not otherwise used while the matter is resolved. Processing that has already been carried out remains valid.
- Right to rectification – If a data subject finds inaccuracies in the data held about them, they can require the controller to correct them without undue delay.
- Right to erasure – Perhaps the best-known of the new rights, the “right to be forgotten” allows data subjects to have their data deleted by the controller in specified circumstances, for example where the data is no longer needed for its original purpose, where consent is withdrawn, or where the processing was unlawful. The right is not absolute: it does not apply where the processing is required by law or for other listed reasons such as freedom of expression.
- Right to complain – If the data subject feels they have been treated unfairly by a controller or processor, they can lodge a formal complaint with a supervisory authority.
- Right to representation – Data subjects have the right to mandate a not-for-profit body to lodge the complaint (above) and exercise their rights on their behalf.
- The role of the Data Controller
Under the GDPR, the data controller is the body that determines the purposes and means of the processing of personal data. Because the controller effectively takes management control of the data subject’s data, it has a number of responsibilities towards the data subject. Fundamentally, it must ensure that all processing activities, including those of any processors it engages, are GDPR-compliant. Training on this is particularly important for higher-level management overseeing these activities.
- Format of stored data – Hand in hand with the data subject’s rights of access and data portability, the controller must store data in a manner that makes it easy to retrieve and transfer.
- Transparency – From the moment it engages with the data subject, the controller must be clear and transparent about how it will process the data, where it will store it, the protections that will be applied and how long the data will be retained.
- Accountability – Records should be kept of all steps in the processing, of any contracts between the controller and third parties, and of the information provided to the data subject. There must also be an up-to-date account of how policies have changed across the organisation.
- Contracts – Controllers must ensure all contracts with processors are GDPR-compliant, since under the GDPR a processor or sub-processor may only process personal data on the documented instructions of the controller.
- Data Processors and their responsibilities
Many controllers contract a third party, the processor, to process personal data on their behalf. The processor must adhere to many of the same rules as the controller, with the fundamental goal of respecting data privacy and integrity, and must only process personal data on the documented instructions of the controller.
- Contracts – Before processing begins, the controller and the processor must agree how the data will be collected and what actions will be carried out on it. The contract must also set out what measures will be taken to protect the data, and who is responsible for each element of data protection, including notification, in the event of a breach.
- Data processing – All data must be processed in line with the pre-arranged contract. The processor must also assist the controller in respecting the rights of the data subject, such as the right to object or the right to rectification.
- Data security – Processors must have adequate technical and organisational safeguards in place to protect the personal data of the data subject; Article 32 applies to processors as well as controllers.
- GDPR-compliant data collection
The first step in any form of data processing is data collection. Employees involved in this activity will usually interact directly with the data subject, but automated collection is an increasingly important means of collecting data. Although ensuring GDPR compliance is more complicated when data is collected automatically, it is still possible.
- Informed consent and the data subject – “Informed consent” essentially means that when a data subject agrees to the processing of their data, they know exactly how the data will be used and why. Any employee who collects data manually must be well informed on the regulation, as they will have to answer questions.
- Consent and minors – Under the GDPR, where online services are offered directly to a child, anyone below the age of 16 cannot give valid consent themselves; individual EU member states may lower this age by legislation, but to no lower than 13. For those under the age set in the relevant state, consent must be given or authorised by the holder of parental responsibility.
- Special cases of data collection – There are, inevitably, exceptions to the above rules. Processing for national security purposes falls outside the scope of the GDPR altogether, and processing by competent authorities for the prevention, investigation or prosecution of crime is governed by a separate instrument (the Law Enforcement Directive, (EU) 2016/680), so consent is not the relevant mechanism there. Most employees will never encounter such cases but should be aware of how they are handled if necessary.
- Choose the most appropriate basis for processing – Organisations that rely on consent or legitimate interests should ask themselves whether those are really the correct and most appropriate bases for the processing. A contract may be a more appropriate basis for the company. Remember that consent can be withdrawn and legitimate interests objected to. Organisations should not look for shortcuts to process personal data; they need to be able to justify the basis for processing.
- GDPR password and data safeguard requirements
The GDPR is phrased so that it will not need constant updating: it is technology-neutral and does not prescribe specific controls. It does, however, require controllers and processors to implement technical and organisational measures appropriate to the risk, taking into account the state of the art and the cost of implementation (Article 32). Some key safeguards are outlined below. Exactly how they should be implemented should be decided by management, the DPO and the security team.
- Passwords – Classified as a technical safeguard, passwords are familiar to anyone who uses technology. Experts disagree on how frequently they should be changed, and current guidance (for example NIST SP 800-63B) prioritises password length, screening against lists of known-breached passwords and multi-factor authentication over mandatory complexity rules and periodic rotation. Multi-factor authentication should be required for access to personal data wherever possible.
- Encryption – Again a familiar term, though many employees do not know what it means in practice. Encryption is one of the measures Article 32 names explicitly. Explaining how it protects data (at rest, in transit and on portable devices) and how employees can use it in their daily workflow can help prevent data breaches, and a breach involving data that was properly encrypted may not need to be communicated to the affected data subjects.
- Administrative safeguards – Technical safeguards, while important, are not the only means of protecting data. Administrative safeguards are also very important, especially once a breach has occurred. Explaining to employees the value of knowing who to report to and how to keep proper records is essential. Documented, secure procedures for staff connecting remotely are also critical.
- Physical safeguards – There are several simple actions any employee can take to help protect data. From clear-desk policies to lockable drawers and cabinets for paper records, these all contribute to data protection.
- Anonymisation and pseudonymisation – Pseudonymisation (replacing direct identifiers with a token, with the key needed to reverse it held separately) is a safeguard the GDPR names explicitly; pseudonymised data is still personal data, but using it reduces risk and counts in the organisation’s favour when compliance is assessed. Truly anonymised data, which can no longer be linked to an identifiable person, falls outside the scope of the GDPR altogether.
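The following Python script is an added example and is not code from the original article; it illustrates the pseudonymisation point above (and the later remark that pseudonymisation can assist IT systems with compliance). It shows why an unkeyed hash of an identifier is not pseudonymisation (it can be reversed by simply guessing identifiers), how a keyed HMAC with the key held separately prevents that, and how the key holder can still honour an erasure request on the pseudonymised dataset. The customer records, the field names and the candidate list are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records for illustration only (no real people).
# Field names are assumptions, not a schema taken from the article.
CUSTOMERS = [
    {"email": "alice@example.org", "country": "IE", "orders": 3},
    {"email": "bob@example.org", "country": "FR", "orders": 1},
    {"email": "alice@example.org", "country": "IE", "orders": 2},
]


def _normalise(identifier: str) -> bytes:
    """Canonical form of the identifier so the same person always maps to the same token."""
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This is NOT pseudonymisation in the GDPR sense: anyone who can guess or
    enumerate the identifiers can recompute the hash and re-identify the row.
    """
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately from the dataset.

    Re-identification requires the key; that key is the 'additional
    information' which Article 4(5) says must be kept separately and protected.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace the direct identifier (email) with a pseudonymous token.

    The analytic fields are kept so reporting still works, and rows for the
    same person share a token, so per-subject aggregation remains possible.
    """
    return [
        {"subject_token": pseudonymise(r["email"], key),
         "country": r["country"], "orders": r["orders"]}
        for r in records
    ]


def reverse_by_enumeration(token: str, candidates: list,
                           fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute fn over a candidate list and look for a match.

    Succeeds against naive_hash for any guessable identifier; against
    pseudonymise it only succeeds if the attacker also holds the key.
    """
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


def erase_subject(pseudo_records: list, email: str, key: bytes) -> list:
    """Fulfil an erasure request on a pseudonymised dataset.

    Only the key holder can map the email back to its token; a team holding
    the dataset without the key cannot. Returns the dataset with that
    subject's rows removed.
    """
    token = pseudonymise(email, key)
    return [r for r in pseudo_records
            if not hmac.compare_digest(r["subject_token"], token)]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: keep in a KMS/HSM, never beside the data
    pseudo = pseudonymise_records(CUSTOMERS, key)
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    # The unkeyed hash is reversed from a short guess list...
    print(reverse_by_enumeration(naive_hash("alice@example.org"), guesses, naive_hash))
    # ...the keyed token is not, unless the attacker has the key.
    print(reverse_by_enumeration(pseudo[0]["subject_token"], guesses, naive_hash))
    print(len(erase_subject(pseudo, "alice@example.org", key)))
```

The design point is where the key lives: if the HMAC key is stored alongside the tokenised dataset, the tokens are no better than the unkeyed hash, because whoever takes the dataset takes the key. Keeping the key in a separate system with its own access control is what makes the dataset pseudonymised rather than merely obfuscated, and it is also what lets the controller still answer access and erasure requests.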
- Data breaches and how to handle them
Regrettably, data breaches are a near-inevitability: however good protective technology is, the technology enabling criminals to launch cyber-attacks is never far behind. All staff should be made aware of how to deal with a breach, but for most staff this will mean reporting it promptly to the designated contact or to management, who will then deal with the breach.
- Supervisory authorities – Every EU member state must appoint at least one supervisory authority. These bodies oversee GDPR compliance within the state and receive breach notifications. When reporting to a supervisory authority, as much detail as possible about the breach must be provided (the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken) so that the authority can decide on the course of action and any penalties that apply. Where not all of this information is available at once, it can be provided in phases.
- Reporting the breach – Once a controller becomes aware of a breach, it has seventy-two hours to notify the appropriate supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; any notification later than that must be accompanied by reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach.
- The data subject – Any data subject who may have been affected by the breach must be notified without undue delay where the breach is likely to pose a high risk to the rights and freedoms of individuals. Judging this is somewhat subjective for the organisation, but data subjects also have the right to complain to the supervisory authority if they were not informed following a breach.
- Data Protection Impact Assessment
DPIAs, or Data Protection Impact Assessments, help guide organisations towards GDPR compliance. They are required before any processing that is likely to result in a high risk to individuals, in particular where new technologies are used. Essentially, they identify the risks of a processing operation, the areas where policies need to be updated, and possible means of enhancing data protection.
- Risks to privacy and GDPR compliance – If the DPIA identifies any scenarios in which personal data remains vulnerable, the company needs to mitigate the risk or perhaps not process the data at all. The mitigations recorded in the DPIA should bring any high-risk processing down to a medium or low residual risk.
- New technologies – Cybersecurity is rapidly advancing, and there are many new technologies that can be used to update existing policies. DPIAs should identify possible new technologies and the policies needed to implement them. Where data can be fully anonymised, the constraints of the GDPR no longer apply to it.
- Prior consultation – Where a DPIA shows that the processing would still result in a high risk after mitigation, the controller must consult the supervisory authority before any further processing takes place. The authority will then provide advice on how to proceed.
- Role of the Data Protection Officer
A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal data; for every other controller it is highly recommended. All employees should be made aware of the DPO and told how to contact him or her. When dealing with data subjects, they too should be informed of the role of the DPO and how to contact him or her.
- Purpose of a DPO – The role of a DPO can be roughly summarised as educator, advisor and supervisor. The DPO is responsible for raising awareness and training staff (for example with courses such as this), advising on data protection obligations and on DPIAs, monitoring compliance, and acting as the contact point for the supervisory authority.
- Independence – The DPO may be an employee or an external contractor, but must be able to carry out the role without taking instructions on how to perform it and without being penalised for doing so. There must be no conflict of interest where the DPO holds another role in the company, which rules out positions that determine the purposes and means of processing.
- Consequences of non-compliance
GDPR non-compliance is a serious issue, as it puts the privacy of every user of the controller’s service at risk of fraud, identity theft and other malicious activity. To help enforce the legislation, the GDPR stipulates several ways in which controllers and processors can be penalised for non-compliance. Informing employees of these penalties also reinforces the importance of compliance.
- Administrative fines – There are two tiers of financial penalty for GDPR infringements: up to €10 million or 2% of the company’s worldwide annual turnover, whichever is higher, for infringements such as failing to keep records or to notify breaches; and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for infringements of the core principles, the legal bases, data subjects’ rights or the international transfer rules. The amount actually imposed depends on the nature of the infringement and how it was handled, and is ultimately at the discretion of the supervisory authority. The supervisory authority can also order an organisation to stop processing.
- Legal remedies – Data subjects have the right to an effective judicial remedy through the courts against a controller or processor. Proceedings can be brought in the member state where the controller or processor has an establishment, or in the member state where the data subject resides.
- Compensation – If a data subject has suffered material or non-material damage as a result of an infringement of the GDPR, they may seek financial compensation through the courts.
- Member state penalties – The administrative fines described above form the baseline. Member states may lay down additional penalties, and some have included criminal sanctions such as imprisonment.
- Key Areas Organizations should focus on for GDPR Compliance
This section gives a short summary of the key areas organisations should work on to achieve compliance.
- Data mapping and inventory – Organisations should start by establishing what personal data they hold and mapping the systems, the categories of data, and the flows inside and outside the organisation. You cannot make a project plan until you know what you hold. Does the organisation hold special category data as defined by the GDPR? If so, additional safeguards are required.
- Controller or processor – Organisations should establish where they stand on the controller/processor spectrum; every organisation is a controller for at least some data, such as employee data. The linked step is reviewing the contracts between controller and processor, which may have to be rewritten.
- Gap analysis and project plan – Once the first two steps are complete, perform a gap analysis of where the organisation is now and what it needs to implement to move towards compliance with the GDPR. This becomes your project and should have milestones and timelines.
- DPO and DPIAs – Organisations should decide whether they need a DPO and whether the role will be internal or external; a key criterion is that the person should be an expert on the GDPR and independent. The organisation will also need to identify which DPIAs are needed.
- Article 30 – Maintaining a record of processing activities is a key step under the GDPR. Organisations with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to individuals, and does not include special category or criminal data; in practice most organisations will need to keep the record.
- Training and awareness – Train all staff, but not necessarily to the same level. Ensure you have a team trained and ready to respond to and fulfil the various data subject requests, and that the organisation’s systems can manage the requests too. Test cases are important here to ensure the statutory response times are met.
- International data transfers – If transferring data outside the EU, a valid basis for the transfer must be in place: an adequacy decision for the destination country, or appropriate safeguards such as standard contractual clauses or binding corporate rules.
- Policy documents – Organisations will need updated data governance, retention, privacy and data breach policies.
- Privacy by design and by default – Under the GDPR, organisations need to place privacy by design and by default at the core of everything they do, minimising the data collected and holding it only for specific purposes.
- IT systems – These are key to compliance: enhanced security for personal data is critical, and anonymisation and pseudonymisation can assist in achieving compliance.
The GDPR cannot be simplified into a single training course: it is too complex and covers too many different scenarios. Training is necessary, but it should consist of short, regular sessions tailored to the recipients. This is the best way of preventing the human errors that lead to GDPR non-compliance.