People are starting to complain about GDPR overload. The emails, webinars and articles about it are coming in from left and right. Sometimes they obsess so much with the detail that it is hard to know what practical steps your company should be taking on GDPR. I wrote the book “GDPR- Fix it Fast! Apply GDPR to Your Company in 10 Simple Steps,” (available in the UK on Amazon here and Waterstone's here and here in the US) to solve this problem.
This article sets out some of the basics on GDPR.
Which companies does it apply to?
GDPR applies to all companies in the EU that process personal data.
GDPR also applies to all companies outside the EU that offer goods and services to people in the EU.
For example, a US company that markets and sells its shoes to UK customers is caught by GDPR.
Equally, an Australian company that offers an online dating service to French customers is also caught.
Those £17m/$17.7m fines – What do I need to know?
The maximum fine for breach of GDPR is 4% of global annual turnover or 20 million euro (whichever is higher). These fines will usually relate to a breach of a data subject’s rights or any of the basic GDPR principles.
There is a lower tier of fines of 2% of global annual turnover or 10 million euro (whichever is higher) for administrative breaches.
Article 83 of GDPR says the fines must be “proportionate” to the GDPR breach.
What are these new rights I keep hearing about?
There are numerous data rights set out in Articles 12-23 of GDPR. These will give you new powers to potentially erase embarrassing posts from social media. You also have the potential to transfer all your details from your old mortgage provider to your new mortgage provider.
These could merit a separate article, so let me introduce you to two of them today (there are more details in my book here).
Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of them. Providing staff training is an important part of avoiding GDPR fines.
Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.
These are my 3 tips on staff training:
Tip 1: Teach all staff the basics on Data Protection
All employees need some basic knowledge of data protection. Sometimes we can get lost in the minutiae of GDPR and can forget that our first line of defense needs clear and simple explanations about their data duties.
Typically, general-employee training will include:
a) A brief explanation of GDPR and why it is necessary to protect privacy
b) A description of the fines and reputational damage that can occur if the company does not comply
c) An explanation of the primary principles of the GDPR and how they apply to the activities of the company
d) Information on the main points of your company’s Data Protection Policy and where the policy can be found, and
e) Information on where to get additional information and answers to questions
Remember that people are most affected by training when they understand two things: (1) why the training is important to them and (2) what they need to do in response to the training.
Tip 2: Give more detailed training on data protection to the employees that need it
Some staff will need specialty knowledge on the different areas of GDPR. For example:
a) Call Centre / Customer-Facing Staff – Your call centre staff will need a working knowledge of the Right to Erasure and the Right to Data Portability because customers may ask to assert these rights and there are strict time limits for response.
b) Marketing Team – Your Marketeers will need to understand the new rules on consents.
c) Data Analytics Teams – If you have any employees who are carrying out Big Data analytics, then they will have to understand the new rules on profiling.
d) Senior Management – Senior management in areas such as HR, Legal and Sales need solid training on how GDPR affects their areas so that they may cascade this knowledge down.
e) Human Resources – The Human Resources team will need training on how to handle employee data, including employee subject access requests and handling job application data.
f) Board – You should advise the Board about the new fines under GDPR.
Tip 3: Make it engaging
a) Keep it short – Try to keep individual sessions to one hour or less. Being lectured to will not engage an audience for long. This is data protection after all….
b) Mirror your audience – Find out who your audience is beforehand. If it is a room of 22-year-old sales gals and guys, then you will want to use language and examples that appeal to them. Alternatively, a presentation to the Board will require a more formal tone.
c) Make it practical – The worst training session I ever sat through was one where the speaker just read out legal cases that related to the Eight Data Protection Principles. I will never get that day back. Don’t make the same mistake. Make sure you give your staff examples of how the GDPR applies to them.
With a little bit of preparation, your training can teach people what they need to know in a way that will help them to protect the company.
Do you ever sit at a desk trying to read a company policy and find that the words are just not going in? Often company policies are written in the most turgid, dull and unintelligible language. The consequence is that employees never read them, much less remember what they say.
The European General Data Protection Regulation (GDPR) requires companies to be smarter than that. Under GDPR we must be more accountable and be able to “demonstrate compliance”. Part of being able to show compliance includes having proper staff policies in place to help employees understand their data duties.
The Essential policies – These are the ones you MUST have.
Data Protection Policy – An essential guide for employees regarding how they may use data, how they can keep it secure, and the consequences of misuse. A good Data Protection Policy can prevent data breaches by helping employees understand how they are supposed to handle data.
Data Retention Policy – A statement explaining when data in documents (or data held electronically) should be deleted. This policy sets out the time limits for deleting different types of documents so that we can stay within the GDPR storage limitation principle found in Article 5 of the GDPR.
Data Breach Incident Policy – An emergency plan that tells your company what to do if a data breach occurs, how to form a team to deal with the breach, how to prevent any further loss of data and whether the company needs to tell customers and Regulators about the breach.
Other data policies you may need
Big Data Policy – What you can and cannot do with Big Data under GDPR.
Human Resources and Data Protection Policy – How to treat employee data.
Marketing and Data Protection Policy – The rule book on sending customers offers and promotions.
Social Media Policy – Explains what employees are allowed to post on social media, sometimes including on private accounts.
Encryption Policy – How, when and why we encrypt data.
Outsourcing Policy – What you need to do if you are sending data to a business partner.
Bring Your Own Device Policy – The manual on how to use a personal device in the course of your job.
Once you’ve written your policies, you need to know that they are understood by your employees. To make them comprehensible:
Make sure they are easy to find – If a 22-year-old call centre worker has a query about data protection from a customer, she should be able to access the Data Protection Policy at the click of a mouse for more details. Put your policies up front and centre on your intranet home page.
Mind your language – Draft policies for all levels of your company and all age groups. Draft policies for the people who watch “Suits” as well as the people in suits….
Keep them short – Enough said.
Be consistent – Use the same introduction, sign off and layout for all your company policies. Use an attractive layout.
Don’t be afraid to enforce your policy – Proper Data Protection Governance is much more important for companies post-GDPR. This means that companies have much more to lose if employees misbehave with customer data. Do not be afraid to discipline an employee if they have breached the Data Protection Policy.