How to build a privacy-friendly culture inside your team: Trainings in GDPR, CCPA, and ePrivacy Directive
Compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive means adhering to the requirements and principles set out in these acts. Which requirements apply to you may vary based on factors such as where the company is located and the type of data processing activities involved. Here is a step-by-step overview of when you need to comply with one or more of these acts.
Understand the Regulations: the scope, essential requirements, and implications for your company.
The General Data Protection Regulation
The GDPR is a comprehensive data protection regulation implemented by the European Union (EU) to protect the personal data of individuals within the EU. Its material scope is defined in Article 2 of the GDPR, which states that:
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
The territorial scope of the GDPR is determined by Article 3 of the Regulation and is based on two main criteria:
- the “establishment” criterion, as per Article 3(1), and
- the “targeting” criterion as per Article 3(2).
Article 3(1) of the GDPR provides that:
“The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Consequently, if a processor has an establishment within the European Union, the processing of personal data by that processor may also be subject to EU law. In other words, Article 3(1) refers to the establishment of both a controller and a processor.
Article 3(2) of the GDPR provides that:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data in question by the controller or processor concerned.
It is important to note that although the GDPR explicitly mentions training as a responsibility of the data protection officer (DPO), the need for training is not limited to companies that are obligated to appoint one. Ensuring that employees know about data protection principles, policies, practices, and GDPR compliance is essential to maintaining data privacy within your team.
The California Consumer Privacy Act
The CCPA applies to businesses that operate for profit, conduct business activities in California, and meet any of the following criteria:
- As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households;
- Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
Therefore, if your company falls under at least one of these three criteria, you must comply with the CCPA. Nonprofit organizations and government agencies are generally not subject to the provisions of the CCPA.
The obligation to hold training is not directly mentioned in this act. However, the CCPA states that a business shall:
“Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance […].”
The ePrivacy Directive
Article 1 of the ePrivacy Directive states that:
“This Directive harmonizes the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.”
The ePrivacy Directive governs various aspects of data privacy, including but not limited to the regulation of cookie usage and email marketing practices. Like other EU directives, the ePrivacy Directive does not have direct binding legal force; it is an instruction to EU member states to create national laws that align with the directive.
Identify Relevant Roles: determine which team members are directly involved in handling personal data and responsible for compliance.
Which departments of the company are involved in processing personal data depends on the specifics of your company's area of work. Still, one thing remains the same: most companies will need general training to get started.
In general, the departments directly involved in handling personal data are sales, marketing, HR, support, and management.
The GDPR training service includes a range of training programs tailored to your company's specific needs. For example, it can be role-specific training for the sales, marketing, HR, and support teams, or practice-centred training, such as training for the support, software engineering, and QA teams and other employees who handle personal data and are responsible for managing and responding to data subject requests, or training for employees who handle personal data and are responsible for managing and responding to data breaches.
Address Common Challenges: dedicate a section of the training to common challenges faced in complying with the GDPR, CCPA, and ePrivacy Directive.
Privacy training aims to educate employees about the applicable data privacy laws and internal company policies, and about the importance of adhering to them internally and externally. A key aspect of the training is to clarify the distinction between data security and privacy, as this distinction is vital for the effectiveness of privacy awareness initiatives.
Training on data protection can be conducted by internal staff hired by the company or by external teams. If your company has appointed a DPO, he or she can lead the training. Otherwise, you can seek assistance from external consultants who offer data protection training services. These professionals bring in-depth knowledge and experience and can provide tailored training sessions to meet the company's needs.
Compliance training should cover the key provisions and concepts, helping employees understand their responsibilities and obligations. It should also address common challenges arising from interpretation, such as defining a lawful basis for processing, determining data subject rights, or understanding consent requirements.
Your main steps at this stage:
- Conduct a training needs assessment;
- Customize or ask an external consultant for training materials and content;
- Schedule training sessions.
Document Compliance Procedures: create the compliance procedures and guidelines your team should follow to ensure adherence to the GDPR, CCPA, and ePrivacy.
You need to conduct regular training sessions to educate employees about data protection regulations, their roles and responsibilities, and best practices for handling personal data, and to ensure that the team understands and remembers the basic concepts.
After the training, give employees time to familiarize themselves with the materials prepared by the persons responsible for providing the training. Make these resources easily accessible to team members for future reference.
An awareness test is an essential step of every training program, as it helps to ensure that the company's team is fully prepared to comply with the regulations and protect the privacy rights of data subjects. After completing each GDPR training program, team members should have the opportunity to take a test that evaluates their understanding and retention of the information covered in the training and identifies any areas where further training or clarification may be needed.
Stay Informed: encourage your team to regularly review relevant industry news, attend additional training, and participate in continuous learning opportunities.
By staying informed, your team can keep up with evolving regulations, new trends, and best practices. This commitment to ongoing education will strengthen your company's ability to navigate data protection challenges and maintain compliance.
Conclusions
The five basic steps outlined above are just the starting point for your compliance. Maintaining compliance with the GDPR, CCPA, and the ePrivacy Directive is essential for companies to protect the personal data of individuals. By implementing compliance procedures, conducting regular training, and fostering a culture of privacy awareness, your company can mitigate risks, build trust with your customers, and avoid penalties.
Our team is ready to provide you with the necessary knowledge, skills, and guidance to navigate data protection. Don't hesitate to contact us if you have any questions. We are dedicated to providing comprehensive knowledge and skills to help your company meet the requirements of data privacy regulations.