Data Protection Awareness Raising

Preface:

The General Data Protection Regulation (GDPR) is a revolutionary change in the Protection of data-subjects’ data, becoming the de-facto gold standard of Data Protection regulation globally since 28^th of May 2018. The GDPR will, in all likelihood, have an international effect for all organisations that use intangible information for their day to day business.

One of the biggest challenges for organisations that fall within the broad extra-territorial scope of GDPR, is transforming the legal requirements of the GDPR into compliant and sustainable operational behaviours. Many organisations, which are not used to dealing with such regulatory requirements, face this new challenge and are now in the position of adapting to the norms of this new regime.

One of the most influential areas of the Regulation is the principle of Accountability which encompasses the move from ‘theory to practice’ in terms of their Data Protection efforts. According to the European Data Protection Supervisor (EDPS), in reference to accountability, ‘EU institutions and bodies should, at the most senior level, endorse and take responsibility for Personal Data Processing inside their organisations which occurs as part of the tasks of their institution’. Informing and training all people in the organisation on how to implement the internal policies and ultimately the Regulation itself, constitutes one of the most important aspects of the principle of accountability.

A successful implementation methodology requires many elements which can include technical solutions such as encryption, firewalls, virus scanners, phishing protection software, etc. However, one of the elements that can make the biggest difference is the human one. Knowing how to deal with risks to private data and how to respond to threats is essential. Educating internal personal data handlers is the strongest shield. This makes an informative and engaging privacy awareness program essential. This article aims to assist organisations to reckon with the most effective approach of preparing their own tailor-made awareness program.  

A statutory Requirement:

Apart from the fact that an awareness program is a key aspect of the accountability of any data controller/processor, it is also a mandatory part of the GDPR. According to Section 4 – Article 34 ‘Tasks of the Data Protection Officer’:

“to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits…’

The Regulation, however, does not specifically define what this awareness-raising and training should entail.  It is up to the organisation’s Data Protection Officer to decide what is the most appropriate approach according to a range of factors and circumstances which are unique for each case. It may be feasible for small organisations to internally engage and educate a limited audience through internal seminars and workshops. However, doing so for larger organisations, who include a much broader user population is unlikely to be practical. Organisations may be better placed looking to vendors who can deliver external seminars or even web-based GDPR training courses. Generally, the first and foremost purpose of creating broader awareness, is to create a mindset that encourages employees to be proactive and vigilant.

Noteworthy is the fact that each organisation is free to carry out an internal analysis to determine whether or not a DPO is to be appointed. The appointment of a DPO is limited only to those organisations which their core activities consist of processing operations which, by virtue of their nature and/or purposes require regular and systematic monitoring of data subjects on a large scale. This discretion though does not apply to whether or not the organisation needs to educate its personnel. The latter remains obligatory and, in case where a DPO is not appointed, shall be vested on the shoulders of a data governance officer or a responsible person who will be accountable to administer the training of the rest employees.

Support of Senior Management:

The Regulation explicitly states that every data controller and/or processor is generally obliged to provide active support to the DPO’s function and more specifically by providing the resources, infrastructure and staff necessary to exercise his/her tasks including training and awareness-raising. It is crucial to have the senior management’s (or C-level) support to ensure that the required resources and time is made available. Notably, the quality of the training is heavily dependable on the budget and resources approved by the senior management.

Visible support from the senior management also increases the likelihood of getting support from other departments, whose expertise is needed (i.e. IT for technical support and marketing for communication to the organisation).

In regards to Return and Investment (ROI), the senior management shall note that training is not optional and, in most cases, a good privacy awareness is proven to be a good investment. Recent research has shown that companies with strong awareness programs have fewer reportable breaches and fewer records lost per breach than those without.

It is worth mentioning that apart from the senior management’s active support, other key departments can leverage their expertise. It is a known fact that the most successful awareness programs involve multiple departments to ensure buy-in form the entire organisation. Examples include: marketing, human resources, legal, compliance, privacy and physical security. Working together with other departments not only means expert resources are shared but also that more activities can be coordinated which often leads to better results.

Who should be involved in the Privacy Awareness Program?

It is legally prudent not to limit participation from employees who are directly involved in processing operations and audits but also expand beyond and cover all staff. Members may work in different business functional groups or departments to facilitate understanding of the data protection and privacy risks applicable to that business functional group or department. Throughout the organization there is a need to understand the importance of privacy, to educate and support those directly responsible in order to meet the new regulations and fulfil their compliance obligations.

What should the Privacy Awareness Program entail?

Providing a meaningful education to staff across your organisation is critical to ensure that they fully understand their role in achieving and maintaining GDPR compliance. Many academics recommend that the content of such a program shall reflect the nature of business of the organisation, its needs and the knowledge of the specific target group. 

The training offered shall, among others, enable them to:

• Identify the Personal Data under their control;
• Understand how and why Personal Data processing is taking place;
• Protect the Personal Data from an Information Security perspective;
• Deal appropriately with Data Subject requests;
• Respond promptly to any suspected Personal Data Breaches.

The aforementioned are mere guidelines and each DPO (if not applicable the responsible person) is free to approach the matter as he/she wishes. A training that is based on real-life examples within the organisation will be much more impactful than examples from other companies or news stories. Besides, risks that need to be controlled or mitigated within the organisation offer great subject material for a privacy awareness program. The trainings should be engaging and true-to-life to ensure that employees fully comprehend the information.  

Another suggestion in raising attention and interest during a training is to focus on how the employees can use this knowledge at a personal level. More specifically, by helping employees understand how to deal with information safely at home, you are instilling a mindset that will help at work. Taking into example the usage of social networks, rather than prohibiting their access during work time, teaching them how to safely use them instead will be more beneficial for both the organisation and themselves. The key is to enforce positive habits.

Personnel shall also be trained in regards to internal procedures relating to cyberattacks, intrusions and data breaches. Incident response plans should be tested and rehearsed to ensure that they are effective and that they can be activated swiftly. Demonstrate to the responsible employees a clear reporting structure so that events can be reported, escalated, investigated and reported appropriately. Furthermore, involve them in periodic testing rehearsals as prescribed by the organisation’s data privacy incident or breach response plan.

Creating targeted content for each key subject means that is easier to select elements for the different awareness trainings. It is advisable to focus on a broad or specific aspect, depending on what the target of the training needs. It is important that each internal/external seminar/workshop is scheduled regularly. Short and regular bursts of information are much more likely to be remembered and will help instill the culture of privacy awareness across the organisation.

Also important is to maintain records and paper trails to be able to demonstrate compliance at any given time. It is necessary to show that the DPO (if not applicable the responsible person) has developed targeted relevant training material to the correct audience in a way that fits the organisation’s culture.

Format and Level of Training:

Engaging with the target audience to consider their preference as to the format of the training is a good starting point. The DPO (if not applicable the responsible person) shall examine the pool of audiences and decide which is the most appropriate level of training. It is recommended that the initial trainings shall be introductory and explanatory, instead of being extensive and full of confusing details.

Multiple approaches and multiple options of how to compose a training program are always available. Imagination is the only limitation. Different groups will respond better to different formats and styles. For example, senior management may appreciate a newsletter or short articles, whilst younger employees may prefer a video or more interactive content. Below is a non-exhaustive list of possible options to consider:

• Newsletters;
• Videos;
• Posters;
• Articles;
• Quizzes;
• Computer-based training;
• Online courses;
• Blogs.

Aside from the format, it is also important to remember that you must package the content in a way that is appealing, i.e. increasing engagement of participants during the training.

 

Ongoing Process – Maintaining Commitment:

A privacy awareness program should not be a one-time initiative. Improving the data protection and privacy requires continuous processing and monitoring based on good developed data protection and privacy awareness among all employees, staff and senior management of the organisation. This can be achieved through short trainings, newsletter or any other format that is not too content heavy. More general awareness initiatives can be bolstered by related events in the real world – security breaches, stolen logins or ransomware for example. An ideal moment to refresh employees’ knowledge through a newsletter, a short quiz or other engaging content is on the Data Protection Day on the 28^th of January each year. The best approach is to create a basic on-board awareness program and regular touchpoints to refresh this awareness.

Validating and Improving:

It is important to receive feedback, via survey, from employees regarding past seminars and workshops. In this fashion, the DPO (if not applicable the responsible person) will be able to improve the relevant aspects of future events. It is important to carefully consider the needs of the audience so that the effectiveness of the program is guaranteed.

Monitoring the results of the program should be the logical aftermath. The success of the program can be assessed through quantitative and/or qualitative measures. For example, comparing the number of privacy-related incidents before and after the awareness program as a quantitative measure and comparing the satisfaction of individuals with their knowledge about privacy awareness as a qualitative measure. For the quantitative metrics, it is important to check the status at regular intervals to identify the success of both the initial program and any refresher sessions.

Remember, taking the time to measure the effect of your efforts will ensure you are able to steer your organisation and its employees towards a positive mindset in relation to privacy awareness.

New Team Additions:

When new employees join the organisation, it is a great opportunity to share the organisation mindset regarding privacy awareness. Thus, a privacy awareness introduction is a valuable addition to the onboarding program. Each new staff member shall acknowledge and agree to adhere to data protection and privacy policies and shall be accountable for their actions with respect to handling personal data. This acknowledgement can take the form of a separate document like a Code of Conduct, Employee Handbook or an individual copy of the organisations Policies in their personal files.

Conclusion:

Challenges revolving around data protection and privacy will increase considerably in the near future. The best possible way to avoid any law violation is to cultivate the spirit of cooperation and compliance within your organisation. Human error still remains the top cause for data breaches or successful malware attacks.

- “The only defence against a problem is a thorough knowledge of it.” -