Online privacy is becoming an increasingly important issue in the public sphere, and individual concerns about the safety of their personal information are driving efforts by governments to clamp down on companies misusing data.
In May 2018, the EU's General Data Protection Regulation (GDPR) became enforceable, obliging companies to process personal data in a much more transparent way, whilst at the same time granting individuals far greater control over how their personal information is used.
Under the GDPR, not only do companies have to comply with a long list of requirements, they also need to provide their employees with internal privacy training on data protection. Under Article 39 of the GDPR, the tasks of the Data Protection Officer (DPO) include “awareness-raising and training of staff involved in processing operations.” DPOs will thus have to coordinate programmes which teach employees how to respect individual rights and fulfil company obligations under the GDPR.
Such programmes include workshops, online training and interactive exercises which make sure data processing staff remain up to date with the organisation’s security policies. They should, for example, know which types of data they are not allowed to modify or share with third parties, recognise fraudulent attempts to obtain personal information and understand the consequences of negligence.
Failure to comply with the GDPR – including the obligation to train staff – could cost a company up to €20 million or 4% of annual worldwide turnover, whichever is higher. Yet in the UK – where a substantial number of employees have never heard of the GDPR – research suggests that just 66 percent of large businesses and 26 percent of smaller organisations have provided their employees with GDPR training.
Indeed, for large companies with thousands of employees involved in data processing, putting in place a comprehensive system for internal privacy training and evaluation represents a heavy financial investment. In addition, the training requires employees to take time away from their normal duties, which can harm productivity. These concerns also apply to smaller businesses, with limited personnel and financial resources. Often, small companies do not have a DPO, meaning that HR staff will have to make time to schedule and carry out training exercises alongside numerous other obligations under the GDPR.
Yet for businesses making the effort to properly train employees, the long-term benefits of having well-trained staff greatly outweigh the short-term financial investment and potential reduction in productivity. If employees are more aware of data security, the chance of a minor employee error resulting in a significant data breach, which could severely tarnish a company’s reputation, is dramatically reduced. Well-trained employees can protect against cyber-attacks, the mishandling of customer data and the subsequent fines under the GDPR.
Given the cost of non-compliance, companies must ensure that any employee processing personal data is thoroughly trained in data protection and understands how the GDPR applies to their day-to-day responsibilities. What may seem like a costly investment now may well save a company from million-euro fines which could cripple its entire operations.