Data protection in the workplace – the importance of training for staff
22 November 2018
It has now been six months since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. In the run up to that deadline, and since, organisations have been busy making sure that they have appropriate policies, procedures and contracts in place to ensure that they comply with the new regulations and avoid the potentially hefty fines which have been introduced.
One step which should not be underestimated as part of your compliance plan is training on the basics of data protection law for your general staff – not just for the management team.
Why is training for staff important?
In many organisations most, if not all, of your staff will have access to personal data which you are responsible for. They will need to use that personal data on a daily basis as a part of their jobs and in many cases it will be your staff who are collecting that data for you in the first place. Therefore, it is important that your staff understand what is required from each of them when collecting and processing personal data.
Two areas of GDPR which clearly demonstrate the need for staff to be aware of data protection law are mandatory breach reporting and data subject rights.
Under GDPR, organisations are now legally required to report certain types of breach to the ICO within 72 hours. Failure to report the breach within that timescale will constitute another breach. The 72-hour period runs from when the organisation becomes aware of the breach – not from when a manager or Data Protection Officer is made aware of it. Some of the most common breaches occur when a staff member sends an email to the wrong person, or loses a device or paper file containing personal data. You are therefore heavily reliant on your staff being able to identify when a breach has occurred and knowing what they need to do next. If your staff know that the instant they become aware of a breach they need to report it internally, then you are going to be able to investigate and report (if necessary) within the 72-hour window. Crucially, the more quickly you are made aware of a breach, the more you are able to do to minimise any damage caused by it, which should in turn mean that any sanctions imposed are less severe.
Similarly, under GDPR individuals have a range of rights in relation to the personal data you hold about them, such as the right to access that data (commonly known as a Subject Access Request) and the right to rectification of incorrect data. If an individual chooses to exercise one of those rights, you need to respond without undue delay and, in any event, within a month of receiving the request. Failure to respond within that timeframe is a breach of GDPR. The request can be made in any format and does not need to state that the individual is looking to exercise a particular right. Therefore, you need your staff to be aware that these rights exist, how to identify whether a request has been received, and what steps they need to take next (i.e. are you happy for some rights requests to be dealt with by the person who receives them, or should all requests be passed to one person with overall responsibility?).
More generally, it is a requirement of GDPR that data protection be built into your working practices from the ground up and that organisations develop a culture where personal data is dealt with fairly, securely and in line with the rest of the principles. Training your staff so that they understand the new processes you have put in place and also the data protection rules behind them will lead to a reduced risk of breach.
In the event that your organisation is ever investigated as the result of a breach or of a complaint, it will greatly assist you if you are able to demonstrate to the ICO that you have taken steps to train all staff with access to personal data on the requirements of data protection law and your updated processes in light of GDPR.
Training which Birketts LLP offer:
Birketts LLP has a range of training courses aimed at assisting your organisation to comply with GDPR. Full details of the courses we offer can be found here – GDPR Courses.
Our ‘GDPR – Data Protection in the Workplace’ session runs for 2.5 hours and is aimed at providing your general staff with an understanding of data protection law and how it applies to the work they do. The session is tailored to the work carried out by your organisation and the types of data processing carried out.
Full details of the course can be found here: GDPR – Data Protection in the Workplace. For further details, please contact Nicola Heywood at [email protected], or 01603 756568.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at November 2018.