The GDPR has been with us for a few years now, but most people still only have a vague knowledge of what this means. The truth is, international data protection law is a highly specialised and technical field. This means that GDPR training is absolutely critical.
The EU’s General Data Protection Regulation was approved in 2016, and came into force in 2018, replacing the 1995 Data Protection Directive. There are complex legal, political and historical reasons for this change of policy, which are beyond the scope of this guide.
The key takeaway is that the GDPR was aimed at strengthening the protection of EU citizens’ data, both at home and abroad. Of course, this also puts a lot of new responsibilities on organisations which handle this data.
With that in mind, let’s explore some of the key lessons you can learn from GDPR training. First, let’s have a quick history lesson.
Data Protection in the European Union
The EU has had a common approach to data protection across all of their member states since the mid 90s, with the goal of eliminating all trade barriers within the single market.
Even pre-GDPR, these regulations managed and protected the use of personal information in terms of how companies can use, obtain, store, transfer and delete it. This applied primarily within the EU, and was treated as a trade issue.
However, in 2009, the Lisbon Treaty gave data protection the status of a fundamental right of all EU citizens. This made it necessary to expand protections under EU law to more contexts, including the protection of citizens’ data from non-EU organisations.
The GDPR is legislated by the European Parliament, the European Commission, and the Council of Ministers of the European Union. It aims to prevent and control the breach of information and data security, and to reconstruct the approach of data privacy practised by organisations in the EU.
Organisations which breach the GDPR are liable for massive fines, which are issued by the national data protection authorities in the relevant member state. These are capped at whichever is higher out of €20 million, or 4% of the company’s global annual turnover.
To date, the largest fine which has been levied under the GDPR is €50 million, which was imposed on Google by the French data protection authority.
Of course, for most companies this would be crippling. As such, fines are generally proportionate to the offending organisation and the exact nature of the breach.
Since the stakes are high, let’s look a little closer at why GDPR training is so important for organisations.
Why Do You Need GDPR Training?
Any organisation that needs to “Get Data Protection Ready” should consider GDPR training.
Prompted by the EU GDPR there are a number of courses available, including from data protection commissioners, government bodies and private companies.
These courses encourage businesses to set goals and draw up plans that reduce access to personal data. They are offered to micro, small, medium and large organisations seeking to implement the regulation.
GDPR courses are suitable for all business areas that handle personal information and are seeking a better understanding of GDPR rules.
Accordingly, they were developed for organisations that seek to implement GDPR procedures, understand what kind of data falls under the GDPR, and understand what is expected of them concerning information security.
GDPR training is also important in the global context, especially when handling personal information of European Union citizens. Some training courses even cover both global and EU data protection procedures in depth.
This is going to become increasingly important in the coming years. The GDPR was the first international data protection law to assume jurisdiction based on the citizenship of the data subject, rather than their location.
In simple terms, this means that data processors have to follow the GDPR if they handle the data of even one EU citizen, no matter where they are located. This has opened the floodgates somewhat, with other countries and international organisations now taking a similar approach.
The trouble is that the requirements of these different international regimes can often differ. GDPR training is an excellent way to get to grips with the key ideas in international data protection.
GDPR training courses are delivered in a classroom, live online, by distance learning, or in-house. Here is the EU’s recommended GDPR training framework.
GDPR Foundation Training Course
This training course delivers a full introduction to the new regulation, and a brief outline of the GDPR requirements. Staff responsibilities are also outlined to assist those in charge to apply the changes to their organisation.
This involves explaining the key principles of the GDPR in simple, easy-to-follow language, which is ideal for learners without any legal or technical knowledge.
GDPR Practitioner Training Course
Building on GDPR foundation training, practitioner courses equip you with the operational skills necessary to implement and qualify for GDPR compliance.
To attend the Practitioner training, participants must attend and pass the Foundation course. In particular, this training was designed for:
- Staff members of any department or business handling personal data who are seeking to understand their responsibilities, such as Human Resources, Data Security, Finance and Accounting, IT services, and Corporate Governance,
- Individuals wishing to pursue a position in the data protection field,
- Managers seeking to understand the advanced and wide-reaching requirements of the GDPR, or managers whose role involves data security and who want to further their understanding of how to comply with the requirements.
The GDPR Minimal Compliance Training Requirements
These training programs meet the limited requirements of the regulation. Sometimes, they could be as simple as an online workshop only for staff members that handle personal information.
GDPR courses require their learners to affirm their commitment to complying with and implementing data security procedures. Still, they don’t place any demands on processors and/or controllers, just on DPOs (Data Protection Officers) attesting to their compliance in meeting the requirements.
However, this does not mean that the DPO in an organisation is personally liable for GDPR breaches. Rather, they are responsible for ensuring that the organisation complies with the law, but the organisation itself remains liable when something goes wrong.
GDPR Complete Compliance Training Requirements
A total of 11 chapters and 99 articles make up the GDPR. These are accompanied by several hundred recitals, as well as a growing body of case law, emanating from national authorities and courts, as well as the EU institutions and courts.
Here are the key topics covered within GDPR training.
1. Awareness
Awareness is the first step to complying with the GDPR. Compliance cannot be achieved without awareness of the new laws within the regulation. Decision-makers must be aware of the areas and fields of business that will be influenced the most by the regulation.
Waiting until you have a breach on your hands to read up on the GDPR is frankly unforgivable stupidity. Large organisations with several streams of personal data need to be prepared and allocate budgets and personnel to serve the new GDPR reforms.
2. The Role of a Data Protection Officer
Appointing a DPO is mandatory for public authorities, large-scale data processing of sensitive data, and large-scale systematic data processing. The criteria for what is considered ‘large-scale’ or ‘systematic’ are not explicit in the GDPR, but can be based on guidance from national authorities.
When it comes to appointing a DPO, there is no exemption for medium or even small organisations. The requirement for appointing a DPO is based on the scale of your data processing, not the size or value of your organisation.
DPOs report to the decision-makers and board members in any organisation due to the crucial role they play. They manage all data protection procedures, and train and advise their organisation and its employees about their responsibility to comply with all data protection regulations.
Some organisations appoint an internal employee with data protection experience as their DPO. How? Well, they usually skill them up with a DPO training course. Others, who lack staff of that calibre, hire professional DPOs.
Similarly, in many companies there is a need for a DPO, but not to the point that would require someone to work in this role full-time. This is another good reason to upskill an existing employee to be responsible for DPO functions.
3. Communicate the Use of Personal Data
According to the GDPR, any organisation handling EU citizens’ data must provide certain information on how their information will be used, stored and processed by the data handler. Without this, it is impossible for data subjects to give informed consent.
Related to this is the principle of purpose limitation. In brief, this means that data must be collected, stored and processed for specific purposes, which cannot be open-ended. If these change, data subjects must also be informed of new purposes in order to obtain consent.
For instance, when an organisation obtains personal information, it must communicate its identity and how it plans to use the data. It is also required to state how long it will hold the data and its legal basis for retaining it.
4. Track, Detect, and Report Data Breaches
Under the GDPR, organisations are required to communicate and report data breaches to their customers and to their national data protection authority (in the UK, the Information Commissioner’s Office, ICO). To accomplish that, organisations need to put adequate procedures in place to detect, report, and finally investigate any data breach.
Any failure in reporting such breaches will result in heavy fines that could reach up to four percent of their annual global revenue or €22 million, whichever is greater. This is in addition to a fine imposed due to the breach itself.
Hence, DPOs are obliged to report to board members and stakeholders in case of any data breach – even an accidental one – that might result in reputational damage, loss of confidentiality, or financial loss.
Moreover, if inaccurate personal information is shared, organisations must report that inaccuracy. Where inaccurate data is suspected, reporting it involves documenting what personal data was obtained, how it was obtained, and who it was shared with.
5. Individual Rights
Under the GDPR, organisations must refrain from both automated decision-making and profiling. Their data protection procedures must also reflect the new rights held by individuals.
Listed below are some of the rights individuals are entitled to:
- Demand data corrections and deletions if necessary,
- Moving personal data from one IT department to another,
- Request access to their personal data, free of charge, in a timely manner, and in a comprehensible form, under what are called “Subject Access Requests.” Such requests must be fulfilled within one month, and if a request is refused, organisations must notify the individual and explain why. Individuals are still entitled to file a complaint with the authorities against any refusal.
Organisations should generally consider designing systems that enable individuals to access their data in an easy and readable manner.
6. Consent
Under the GDPR, traditional means of consent are going out the window, replaced by solid, affirmative forms of consent. The GDPR requires that consent be explicit and separate from any other term or condition presented when signing up with the organisation.
In addition, the GDPR clearly and strictly regards pre-ticked opt-in boxes as insufficient.
7. Data Protection for Minors
As part of the data protection reform, the GDPR sets out rules that protect minors’ personal data. Organisations can comply either by implementing age verification or by obtaining the required consent from guardians before processing any personal data.
The GDPR sets 16 as the age at which minors can give their own consent to the processing of their information.
To conclude, there are a number of GDPR training courses that ensure stronger compliance, provide systems that manage and control customer data, and enable adequate access to personal data.
For this reason, organisations must allocate the right budgets to conduct the training courses most applicable to their needs. GDPR training should result in effective data security reforms, and change the way businesses track, detect and report data breaches.
Training can be an ongoing activity for staff, through quarterly sessions or a regular awareness campaign, rather than a one-time course. Inadequate training may be cheap up front, but a single error can result in enormous fines.
For more information, check the EU GDPR information portal.