GDPR Training: an instrument for maintaining compliance
We live in a world where a huge volume of information is processed every second, so it is crucial to understand the value of personal data and the need to protect it. Raising awareness improves security and so protects the interests of data subjects. It also strengthens the market position of the organisations holding the data: protecting the privacy of clients and employees is perceived as a competitive advantage in the service market.
But what is data protection training, and how do you get proper training?
Ensuring compliance with the GDPR is a challenging objective: technologies keep changing, the volume of data and the number of data transfers keep growing, and the security measures required grow with them. At the same time, a well-trained team is an inseparable part of maintaining compliance.
Under most GDPR requirements, your company must implement appropriate policies, procedures and similar controls, and must be able to demonstrate compliance with them (the accountability principle, Article 5(2)). For example, staff must know what they can and cannot do with personal data under the policies and procedures adopted by management. These policies must be grounded in the GDPR and local data protection law and include privacy controls and ethical considerations aligned with the local culture and business model.
When someone visits your website, office or product, they experience the competence of the team that built it. That team's decisions determine how much data is collected through registration forms, analytics tools, cookies, pixels and action logging; which cloud storage is used; how security certificates, encryption strength and data retention periods are configured; and what the privacy notices say and how privacy-related questions are answered. Because the regulation empowers data subjects to complain to a supervisory authority, which can then investigate and fine you, your employees must know the regulation as well as they know their craft.
Additionally, the European Data Protection Board (EDPB), the EU body in which the national data protection authorities cooperate, considers basic training of personnel to be an organisational security measure: it helps prevent accidental, unauthorised or unlawful processing and accidental loss, destruction or damage of personal data (the wording of Article 5(1)(f) and Article 32). Under the Privacy by Design and Privacy by Default principles (Article 25), training should also take account of the "state of the art": your team must receive up-to-date data protection training as they sharpen their skills and gain work experience.
Let's look at enforcement practice and at the impact data protection training has had on the decisions of data protection authorities.
In one case, the Italian DPA fined Commify Italia s.r.l., a provider of electronic communication services, €80,000 for unlawfully retaining and scanning the content of communications and for failing to adopt adequate technical and organisational security measures. The company had conducted staff training, and the Italian DPA recognised that awareness events complementing the other security measures implemented could be regarded as the adoption of corrective measures (Article 83(2)(f)), i.e. as a mitigating factor when a GDPR violation is assessed. Simply put, if a company responds to a violation with suitable data protection training, the fine can be reduced.
In another case, the Spanish DPA fined OES GLOBAL ENERGY S.L., an energy company, €35,000 for violating Articles 5(1)(f) and 32 GDPR after an employee accidentally sent a data subject an email containing personal data belonging to other clients. The Spanish DPA emphasised the following:
Only the internal personnel of the company constitute a circumstance that, beyond the possible technical and/or organisational measures OES could have implemented at the time, escapes the effective control of the company, since it is a one-off human error consisting in not checking the recipients of an internal email before sending it.
At the same time, the Spanish DPA acknowledged that the measures OES had adopted to prevent unauthorised disclosure (training and an email management policy) were sufficient.
Finally, the French DPA fined TotalEnergies France €1,000,000 after investigating 18 complaints and finding multiple violations stemming from the controller's failure to respond to access and erasure requests, to provide the required information when data was collected, and to offer any way to object to processing for marketing purposes. In the reasoning of this decision, the French DPA noted the following:
23. In defence, the company first emphasises that the calls examined in the report do not reflect the practices of all the advisers since […] Finally, it specifies that its agents had to attend awareness training on this subject.
24. The Restricted Committee notes that the eighty-four recordings of canvassing calls collected as part of the check reveal a lack of knowledge of Article 14 of the GDPR.
25. The Restricted Committee observes that, in some cases, the people contacted for prospecting purposes did not receive any information […] In most cases, essential information, such as that relating to the very principle of recording the call and the right to oppose it, was not communicated. People were also not offered the possibility of obtaining more complete information on the processing of their personal data, for example by pressing a key on their telephone keypad.
In this proceeding, the French DPA emphasised the importance of conducting GDPR training, of applying in practice the information provided in such training, and of checking employees' competence in data protection.
To kick off your privacy awareness programme, your company might plan training on the following topics, grouped by team:
| Team | Relevant Topics |
| --- | --- |
| General AI Awareness | 1. AI regulations (across the globe) 2. AI and privacy 3. AI and copyright (and trade secrets) 4. Vendor assessments (when choosing a third-party model) |
| General GDPR Awareness | 1. Fines in 2018-2023: most famous and most common violations 2. How to work on your competence in data protection and privacy |
| Designers and Software Engineers | 1. Deceptive designs and dark patterns 2. Consent requirements 3. Privacy policy designs 4. Fines for dark patterns and for absent privacy-related information 5. Privacy testing: red teams and white hats 6. Classifications of privacy threats: ISO, NIST and others 7. Risk assessments and DPIA requirements |
| Marketing | 1. Newsletters and emails: existing and potential customers 2. Analytics, profiling and advertising identifiers 3. Consents and consenting 4. Testimonials and feedback 5. Data subject rights and requests 6. Retention and reuse of data |
| Software Development | 1. Principles: data minimisation, purpose limitation, accuracy, security 2. Privacy by Design / by Default 3. Data security, anonymisation and pseudonymisation 4. Data transfers and data breaches |
| User / Customer Support | 1. Data subject rights and requests 2. Questionnaires and vendor assessments 3. Data retention and deletion of data 4. Non-mandatory requests 5. Dealing with notifications about data breaches 6. Supervisory authority's requests |
| Human Resources | 1. Employees vs. contractors 2. Purposes and legal bases of processing: consent, contract, legal obligation or legitimate interest 3. Processing of sensitive data 4. Notification of privacy practices 5. Data subject requests from employees and contractors 6. Vendor assessments 7. Competence development and assessment |
| Finance | 1. Purposes and legal bases: contract, legal obligation, legitimate interest 2. Employee salaries 3. Vendor information 4. Customer payment details 5. Banks' and supervisory authority's requests |
| Business and Product Development | 1. Privacy impact assessments and DPIA 2. Privacy in user stories/requirements 3. Privacy controls in websites/apps 4. Data protection management: policies and products 5. Communication of data protection to clients and team members 6. Exercise: privacy-related KPIs |
Therefore, GDPR-compliant companies and organisations should not only conduct GDPR training but also make sure that staff apply the knowledge and skills acquired in it. Training should be conducted regularly, and the agenda should be updated as the technologies the organisation uses change.