After a two-year grace period, the General Data Protection Regulation, better known as GDPR, came into effect on 25 May 2018. Yet a survey conducted by the financial consultants Cordium estimated that only 2% of financial organisations felt that they were ready to deal with the new privacy regulations. This lack of preparation could lead to hefty penalties if it results in GDPR non-compliance.
Before GDPR, privacy legislation across the EU was disparate and lacked unity. Now, all Member States have the same basic set of rules. GDPR also applies to companies based outside the EU once they handle the personal data of people in the EU. Article 3 of the Regulation states that it “applies to the processing of personal data of data subjects who are in the Union”; this covers data subjects who are only temporarily in the Union, and companies outside the Union that offer goods or services to, or monitor the behaviour of, data subjects within the Union.
The new legislation is extremely complex, and it would be unfair to expect all employees to read and interpret all GDPR documentation. Nevertheless, it is essential that all employees dealing with the data of people in the EU understand GDPR. They must also be able to implement it in their daily work routine.
GDPR does not outline specific training requirements, so organisations must themselves design training courses for employees. This article lays out a sample training course that can be used and tailored for the specific needs of both the company and the employee.
What happens if employees aren’t trained?
The bodies that enforce GDPR do not accept human error or ignorance as an excuse for GDPR breaches. Whilst the former is almost unavoidable, the latter can easily be remedied by adequate training courses. If employees are not adequately trained, and a data breach follows, there could be severe consequences. Under Article 83 the negligent party can face administrative fines of up to €10 million or 2% of worldwide annual turnover for lesser infringements, and up to €20 million or 4% for the most serious, whichever figure is higher.
Additionally, if the data subject suffers any harm because of the breach they may seek financial compensation. The data subject may also choose to pursue damages through the courts. This often amplifies the damage done to the organisation’s reputation.
So what is an ideal GDPR training course?
With these consequences in mind, it is essential that organisations design comprehensive GDPR training courses. Ideally, the courses would be held once or twice a year, with each employee role having specific courses tailored to its needs.
Some of the modules – particularly the introduction course – are suitable for delivery to all employees, whilst others are more role-specific. The details of course delivery are at your discretion.
- Where, when, and how does GDPR work?
Many employees will have some idea of what GDPR is, either from their workplace or from the news. This module takes a broad view of GDPR and should not dwell on the details of how GDPR came to be introduced. Instead, present the information that is relevant to current events and to the organisation’s own policies.
- What is GDPR? – Some employees may see GDPR as an “unnecessary” hurdle to their work. Others may simply not know what it is. Thus, it is important to emphasise why GDPR is needed and the consequences for personal privacy if it is ignored.
- Where GDPR applies – GDPR is extensive in its reach; any organisation outside of the EU that offers goods or services to people in the EU, or monitors their behaviour, must comply. Any employee that handles personal data should be made aware of the geographical scope of GDPR.
- Introduction to data protection – Even before GDPR, all companies will have had some mechanisms of data protection, mandated by the former Directive 95/46/EC. However, these pre-dated much of the modern internet. This module can provide a refresher on some ways of ensuring data protection (e.g. physical and administrative safeguards), as well as means of integrating data protection into the daily workflow.
- When does GDPR apply? – The vast majority of employees will only encounter routine cases, though there are some situations in which GDPR does not apply. Article 2 excludes, for example, processing by an individual for purely personal or household activities, and activities concerning national security that fall outside the scope of EU law.
- GDPR definitions – As with any legal text, GDPR terminology is a common source of confusion. After introducing the legislation, define some key terms to ease the rest of the course (e.g. “controller”, “processor”, “data subject”).
- Data Protection – Core principles
GDPR was written to safeguard the privacy of people in the EU. All employees must thus gain a thorough understanding of the nature of personal data, and the means to protect it. Article 5 of GDPR lists six core principles that define its approach to protecting data (plus the overarching accountability principle, which is covered under the controller’s responsibilities below). They are detailed briefly below.
- What is personal data? – GDPR’s term is “personal data”: any information relating to an identified or identifiable natural person. The definition is intuitive, but there are many categories of personal data. Some types are “special categories” under Article 9 (e.g. health, sexual orientation, religious belief, biometric or genetic data) and are subject to stricter rules; their different treatment should be explained. Article 10 separately restricts the processing of criminal conviction and offence data.
- Lawfulness, fairness and transparency – The first principle: employees must ensure that any data is processed lawfully, fairly and in a transparent way, which means data subjects are given enough information about the processing. Article 6 lists six lawful bases for processing: consent, performance of a contract, legitimate interests, protection of vital interests, a task carried out in the public interest, and compliance with a legal obligation. Because a data subject can withdraw consent at any time, the controller should choose the basis that genuinely fits the processing rather than defaulting to consent, and should be transparent about which basis it relies on.
- Purpose limitation – Before collection, the controller will have decided, and told the data subject, the specific purposes for which the data will be processed. The data must not then be further processed in a way that is incompatible with those purposes.
- Data minimisation – When collecting data, employees must only collect the amount of data necessary to complete the task at hand – and no more.
- Accuracy – Any data collected should be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.
- Storage limitation – Data must be kept in an identifiable form for no longer than is necessary for the purpose it was collected for. Before data is collected, the data subject must be told the retention period, or the criteria used to decide it; different categories of data will have different retention periods. Longer retention is permitted for archiving in the public interest, scientific or historical research and statistical purposes, subject to appropriate safeguards.
- Integrity and confidentiality – Adequate security must be provided to any data that has been collected. It should not be accessed by unauthorised personnel.
- Rights of the Data Subject
The data subject is the individual whose data is being collected. Those collecting and handling the data must respect these rights and make it easy for the data subject to exercise them, generally responding to a request within one month.
- Right of access – Right to confirmation that their data is being processed, a copy of that data, and information about the purposes, recipients and retention period.
- Right to rectification – Right to have inaccurate personal data corrected, and incomplete data completed, without undue delay.
- Right to object – Right to object to processing based on legitimate interests or a public-interest task, and an absolute right to object to direct marketing.
- Right to restrict processing – Right to have processing limited (for example while the accuracy of the data is disputed or an objection is being considered), so that the data is stored but not otherwise processed.
- Right to erasure – Right to have personal data erased without undue delay in specified circumstances, for instance when it is no longer needed for its purpose or consent has been withdrawn.
- Right to data portability – Right to receive the data they provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible.
- Right to complain – If they are dissatisfied with how their data is being handled, or feel that their rights are not respected, data subjects have the right to complain to a supervisory authority.
- Right to be represented – Right to mandate a not-for-profit body to lodge a complaint, or to seek compensation, on their behalf.
- The Controller
The controller – the body that determines the purposes and means of processing – bears primary responsibility for GDPR compliance. It has several responsibilities under GDPR relating to compliance and to maintaining the integrity of personal data, as well as to protecting the rights of data subjects.
- Transparency –The controller must clearly and simply explain to the data subject how and why their data is being collected, used, and stored.
- Portability of data – Personal data should be held in a form that can be provided to the data subject, or transmitted to another controller, in a structured, commonly used and machine-readable format.
- Accountability – To be GDPR-compliant, the controller must keep clear records about how data is being protected. They must also record who has access to data and when it was accessed.
- Provide for the rights of the data subject – The controller is responsible for the data subject’s data, and they must also ensure that the data subject can act on the rights awarded to them by GDPR.
- Processors and their Responsibilities
The controller is considered the main point of contact for the data subject, though they will often involve a third party for the actual collection, processing and storage of data. These processors must adhere to GDPR and also do their utmost to ensure data privacy.
- Data security – Similarly to controllers, processors must ensure that all data is adequately secured through a variety of measures.
- Data processing – Data must be processed in a GDPR-compliant manner. The same restrictions in how data can be used apply to both the controller and the processor.
- Contractual obligations – Article 28 requires a written contract between the controller and processor establishing how data will be collected, processed and stored. The processor may act only on the controller’s documented instructions and is not allowed to use the data for anything that has not been agreed with the controller. The contract must also ensure the continued security and confidentiality of the data, and govern any sub-processors the processor engages.
- Collecting Data
Data collection is the first step of data processing. Though usually conducted by an employee in person, automated collection is becoming increasingly common. However, it poses some difficulties. Employees should be trained in both methods of collection, with special emphasis on differences between the methods.
- Informing the data subject – Before data is collected, the controller must provide the data subject with information regarding their rights under GDPR, as well as details of the processing and handling of their data (the information listed in Article 13). Employees must also be ready to deal with questions from the data subject.
- Automated vs manual collection – As mentioned above, more and more processors are using automated means of collecting data. This automated collection must follow the same rules as manual collection.
- Consent – Data subjects give informed consent when their data is being collected, meaning that they have received sufficient information and understand how their data is being used; consent must be freely given, specific, and as easy to withdraw as to give. Children below the age of digital consent (16 under GDPR, which Member States may lower to 13) cannot consent to online services themselves and require parental consent, and other groups of data subjects may also be unable to give informed consent. Thus, employees should be trained in how to deal with these special cases.
- Lawful basis – As mentioned above, controllers must have a lawful basis for processing data. Before collecting data, organisations must ensure that they have identified the appropriate basis and recorded it; without one the processing is unlawful, and if consent is chosen the data subject may withdraw it at any time. Thus, it is important that employees do not take a shortcut and simply select the most convenient option.
- Storing and Processing Data – GDPR Safeguards
After collection, GDPR requires that data is protected at all stages of processing. The integrity of the data must be maintained such that it is protected from all unauthorised individuals, regardless of their intent. The employees charged with storing and handling data must protect the data and respect the rights of the data subject.
- Encryption – Encryption ensures that, even if unauthorised personnel obtain a copy of the data, it cannot be read. Article 32 names it explicitly as an appropriate technical measure, and under Article 34 a breach of data that was encrypted with a key the attacker did not obtain need not be notified to the affected data subjects. Thus, it is a fundamental technical safeguard to protect a data subject’s privacy, provided the keys are managed separately from the data.
- Passwords – GDPR does not prescribe specific password rules; Article 32 only requires security appropriate to the risk. Some system of password protection is therefore essential, and organisations should follow a recognised standard such as NIST SP 800-63B (favour length over complexity rules, screen new passwords against breached-password lists, and require multi-factor authentication for access to personal data).
- Physical safeguards – The importance of physical safeguards cannot be overstated, as the theft of hard drives and USB sticks can allow even low-tech criminals to steal large amounts of data. All employees should be required to follow a clear desk policy and to lock cabinets, and portable media should be encrypted.
- Administrative safeguards – Administrative safeguards include maintaining records of how data is protected, ensuring a clear chain of command when communicating data and recording who has accessed data when.
- Legal basis for processing – A core principle of data protection, before processing can take place the controller must ensure they are legally allowed to do so.
- Maintaining records – Records should be accessible, accurate and up-to-date, and kept in writing, including in electronic form, as Article 30 requires. They should be held in a portable format so they can be provided to the supervisory authority or other parties on request.
- Dealing with a Data Breach
Unfortunately, data breaches are almost impossible to avoid entirely, even if comprehensive policies are in place, largely because personal data has huge value on the black market and attackers’ techniques keep advancing. Regardless of how good company policies are, data breaches will sometimes occur, so managerial staff within an organisation should be trained on dealing with them.
- Timeframes – Under Article 33, a personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to data subjects; if notification is made later than 72 hours it must be accompanied by the reasons for the delay. The report must describe the nature of the breach (including the categories and approximate number of data subjects and records concerned), give the DPO’s contact details, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its effects. The controller must also keep its own record of every breach, whether or not it was notifiable, and processors must inform the controller without undue delay.
- Supervisory authorities – Under GDPR, all EU Member States must have one or more supervisory authorities. These are independent bodies who oversee GDPR enforcement and deal with any data breaches, should they occur. These authorities will then decide the course of action, as well as any penalties that may be levied against the controller.
- Informing the data subject – Under Article 34, data subjects must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. They should be told, in clear and plain language, what happened, the likely consequences for them, what the controller is doing about it, and what they can do to protect themselves (for example changing passwords). Notification to data subjects is not required if the affected data was encrypted in a way that renders it unintelligible to the attacker.
- What is a Data Protection Impact Assessment?
A DPIA is required by Article 35 before starting any processing that is likely to result in a high risk to individuals’ rights and freedoms, in particular where new technologies are used. It describes the processing, assesses its necessity and proportionality, identifies the risks to data subjects and sets out the measures that address them.
- New types of processing – Technology for handling data is rapidly progressing. The DPIA is the tool for evaluating, before a new technology or type of processing is adopted, what risks it poses to data subjects and how the controller will mitigate them.
- Prior consultation – If the DPIA indicates a residual high risk that the controller cannot adequately mitigate, Article 36 requires it to consult the supervisory authority before processing begins. The authority will then give written advice, which the controller must act upon before processing can start.
- Who is the Data Protection Officer?
Article 37 requires a Data Protection Officer (DPO) to be appointed by public authorities, by organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and by those whose core activities involve large-scale processing of special categories of data or criminal data; other organisations that handle personal data should consider appointing one voluntarily. This individual oversees GDPR compliance within the organisation, advising employees on how they should process data. The DPO should be the main point of contact for all employees, as well as for data subjects wanting to contact the controller regarding their own data and for the supervisory authority.
- Roles of a DPO – The job of the DPO can be summarised as three main roles: educating, advising and supervising. The DPO should be able to teach GDPR compliance to all employees, as well as offer advice on the best course of action when dealing with different situations. Thus, there must be clear channels of communication across the organisation to facilitate this. The DPO may also be involved in designing campaigns or training courses.
- Monitoring compliance – The DPO must monitor activities within the organisation to ensure there are no GDPR breaches – intentional or otherwise. Thus, to ensure this job be carried out fairly, the DPO must be able to act independently of the controller or processor.
- What happens if a party is non-compliant?
GDPR is an important piece of legislation, and it would be nice to think that controllers and processors would comply for the sake of the data subject. However, without suitable penalties, GDPR compliance would be very low. GDPR outlines how controllers and processors can be punished for non-compliance or negligence.
- Administrative fines – Article 83 sets two tiers: up to €10 million or 2% of worldwide annual turnover for infringements such as failing to keep records or to notify a breach, and up to €20 million or 4% for infringements of the core principles, the lawful bases, data subjects’ rights or the international transfer rules; in each case the higher of the two figures applies. The exact amount in any one situation is determined by the supervisory authority, taking into account factors such as the nature and duration of the infringement, whether it was intentional, the mitigation applied and the degree of cooperation.
- Member State penalties – In addition to the fines described above, EU Member States can also decide to add additional penalties for GDPR non-compliance. These may range from financial penalties to jail terms for severe cases.
- Compensation for data subjects – Data subjects have the right to seek compensation if they sustain damage – material or non-material – as a result of a GDPR breach.
- Legal sanctions – In some cases, negligent parties will be brought to court for GDPR breaches. Under Article 79, proceedings may be brought in the Member State where the controller or processor has an establishment or, at the data subject’s choice, in the Member State where the data subject habitually resides (unless the defendant is a public authority acting in the exercise of its public powers).
- Halt activities – In cases of severe negligence, the supervisory authority can use its corrective powers under Article 58 to impose a temporary or definitive ban on processing, or to order the controller and/or processor to bring its processing into compliance.
- Key Areas Organizations should focus on for GDPR Compliance
- Data Mapping and Inventory – Organisations should start by looking at what personal data they already have and conduct a data mapping of systems. This includes categorising data and noting its flow inside and outside the organisation. This then determines the appropriate course of action for the organisation.
- Controller or Processor – The line between controller and processor can be blurred, and an organisation may be both for different processing activities. All organisations will be a controller for at least the data of their own employees.
- Gap Analysis and Project plan – Organisations should conduct a “gap analysis” on the organisation’s current position and what it needs to implement to move towards compliance with GDPR.
- DPO and DPIAs – Organisations should decide whether they must, or should, appoint a DPO. Critically, the DPO must be independent and must not be penalised for performing their tasks. The organisation will then need to identify which processing activities require a DPIA.
- Article 30 – Organisations must maintain a record of processing activities. Organisations with fewer than 250 employees are exempt, but only if their processing is occasional, is unlikely to result in a risk to data subjects, and does not include special categories of data or criminal data; in practice most organisations that process personal data routinely will still need the record.
- Training and Awareness – All employees must be trained appropriately for their role. Some must also be specialised to fulfil the various data subject requests.
- International data transfers – The organisation should have the appropriate policies and safeguards in place before transferring data outside the EEA: an adequacy decision for the destination country, or a transfer mechanism such as Standard Contractual Clauses or Binding Corporate Rules.
- Policy Documents – Organisations will need to update all policies (governance, retention, privacy and data breach) in light of GDPR.
- Privacy by default and by design – Both of these concepts incorporate data protection into the technologies and policies from the beginning, placing an emphasis on privacy.
- IT Systems – Processes such as anonymisation and pseudonymisation can be key to ensure GDPR compliance and protect data.
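As an added illustration of the pseudonymisation and anonymisation techniques named in the last item (this is example code written for this page, not code from the original article or from any named product), the following Python shows keyed pseudonymisation of a record’s direct identifiers, an irreversible anonymisation of the same record, and why an unkeyed hash is not adequate pseudonymisation. The records, the key, the field names and the function names are all constructed for the example.

```python
"""Pseudonymisation versus anonymisation of a personal-data record.

Added example, not code from the original article. The sample records and
the key are constructed for illustration. The property that makes the
output pseudonymous rather than plain personal data is that the key and
the re-identification map are stored separately from the dataset, under
access control (e.g. a KMS/HSM and a restricted table); this script models
that separation only by returning them as separate objects.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records: fictional people, example.com addresses.
RECORDS: List[Dict[str, str]] = [
    {"email": "a.smith@example.com", "name": "Anna Smith",
     "dob": "1984-03-12", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"email": "b.jones@example.com", "name": "Ben Jones",
     "dob": "1991-11-02", "postcode": "M1 1AE", "diagnosis": "none"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token for a direct identifier.

    HMAC-SHA256 rather than a bare hash: without the key, an attacker
    holding the tokens and a list of candidate e-mail addresses cannot
    recompute them and link the records. Determinism keeps the token
    stable for the same person across datasets built with the same key,
    so analysts can still join records.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def pseudonymise(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replace direct identifiers with keyed tokens.

    Returns (pseudonymised record, re-identification map). The map is the
    part that must live separately from the dataset; whoever holds both is
    still processing personal data, which is why pseudonymisation is a
    safeguard under Article 32 and not an exemption from GDPR.
    """
    out = dict(record)
    reidentify: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        token = pseudonym(record[field], key)
        reidentify[token] = record[field]
        out[field] = token
    return out, reidentify


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers.

    Year of birth instead of full date, postcode area instead of full
    postcode. Whether the result is truly anonymous depends on the rest of
    the dataset (small groups can still be singled out); this shows the
    mechanics, not a guarantee.
    """
    return {
        "birth_year": record["dob"][:4],
        "postcode_area": record["postcode"].split(" ")[0],
        "diagnosis": record["diagnosis"],
    }


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a bare SHA-256 of the identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def relink(token: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    """Attacker model: re-link a token by recomputing it over a guess list.

    With key=None the attacker tries plain hashes, which defeats
    unkeyed_hash() tokens; against pseudonym() tokens the attack only
    succeeds if the attacker also holds the key.
    """
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonym(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: fetched from the key store
    for rec in RECORDS:
        pseudo, lookup = pseudonymise(rec, key)
        print("pseudonymised:", pseudo)
        print("anonymised:   ", anonymise(rec))
    guesses = [r["email"] for r in RECORDS]
    print("unkeyed hash re-linked:", relink(unkeyed_hash(guesses[0]), guesses, None))
    print("HMAC token re-linked:  ", relink(pseudonym(guesses[0], key), guesses, None))
```

The split between the pseudonymised dataset and the re-identification map is the design point: analysts and most systems work only on the former, the latter sits with the key behind the same access control, and a breach of the dataset alone exposes no direct identifiers. The unkeyed-hash comparison shows why hashing an e-mail address on its own does not meet the Article 4(5) definition, since anyone with a list of plausible addresses can recompute the tokens.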
GDPR Training Course – Conclusion
After two years, many will be happy that the EU has finally harmonised its data policy. However, it may cause panic for many organisations who feel ill-prepared for the change. Employee training is a straightforward way to address the issue, and is an essential step in ensuring GDPR compliance.
GDPR Training FAQs
How does GDPR training differ from HIPAA training?
For most employees of HIPAA Covered Entities, GDPR compliance is very similar to HIPAA compliance in terms of preventing unauthorized uses and disclosures of patient data. For example, the data minimization requirement of GDPR is similar in concept to HIPAA´s Minimum Necessary Standard.
Is GDPR training mostly technical?
This will depend on the results of a Data Protection Impact Assessment (DPIA). If there is reason to believe breaches of GDPR could occur in non-technical environments, training will have to be provided in these environments in order to address the issues identified in the DPIA.
Does every organization have to appoint a Data Protection Officer?
Only public authorities, organizations whose core activities consist of “regular and systematic monitoring of data subjects on a large scale”, and those whose core activities consist of large-scale processing of special categories of data (e.g. health, biometric or genetic data) or criminal conviction data are required to appoint a Data Protection Officer (DPO) by Article 37 of the General Data Protection Regulation.
What if our organization doesn´t appoint a Data Protection Officer?
Organizations that collect, process, or store the data of EU data subjects still need a point of contact through which data subjects can exercise their rights. If the volumes of data collected, processed, or stored do not justify the appointment of a DPO, organizations should document the reason why and provide an alternate point of contact.
Can a DPO and a HIPAA Compliance Officer be the Same Person?
Due to the similarities between GDPR and HIPAA, it makes perfect sense for a Data Protection Officer and a HIPAA Compliance Officer to be the same person – provided the workloads do not prove to be too much for an individual, or for two people if the roles of HIPAA Security Officer and HIPAA Privacy Officer are divided.