July’s Cyber Governance Health Check Report 2017 revealed that only 6% of FTSE 350 companies are properly prepared for the changes to the General Data Protection Regulation (GDPR), including GDPR training. Julian Roberts, CEO of EssentialSkillz, a training and compliance specialist, shares his advice on how businesses can get prepared well ahead of next May’s changes.
All businesses in the UK need to adhere to the EU’s updated GDPR legal framework when it comes to data they hold and how it’s used. The deadline date is 25 May 2018, which may seem like plenty of time to prepare. However, it’s such a complex topic with some hefty penalties, that it’s important to start to understand what the changes entail and be well equipped for ahead of the deadline – and this includes GDPR training all employees.
If businesses fail to recognise the regulations and comply, they face penalties of up to 4% of a company’s global annual turnover or £17 million, so it is something all organisations should take seriously, as this size of fine could end a business.
When determining whether a company needs to prepare for the changes to data protection coming from GDPR, there are several quick and simple ways to find out. Firstly, determine whether your company handles or processes personal data. If the answer is yes, and the company is based in the EU, GDPR applies and you should provide GDPR training.
If your company is located outside the EU but undertakes any form of trade with customers within the EU, then GDPR rules will apply to you if you store, process or share EU citizens’ personal data.
The ICO (Independent Commissioner’s Office) has devised a set of 12 steps to help organisations prepare for the changes, which is a useful checklist for those requiring the basic information on GDPR and how to prepare.
So now you know that your organisation needs to be GDPR compliant and you know the basic requirements – what’s next? In our experience, we’ve recognised some key hurdles that companies tend to fall at. But no need to panic – there are often some quick and simple solutions.
Lack of awareness of basic data protection
According to accountancy and advisory company Moore Stephens, “Organisations need to ensure that they fully understand GDPR so that they effectively identify what is required for the organisation to comply. The common theme that we are seeing is a significant lack of awareness of the regulation and this is throughout the organisation from top to bottom. Very often, the lack of awareness is not just related to the incoming GDPR but, more worryingly, concerns the basic data protection principles that the organisation should be on top of and fully compliant with already.
“Our experience to date has suggested that there are major underlying issues within organisations of all sizes in respect of them being a long way away from complying with the current regulation, let alone thinking about what the GDPR will be asking of the organisation. In this scenario, it suggests a lack of knowledge and resource within an organisation to address any data protection issues and it would be recommended that a third party should be engaged to make organisations aware of what is fully required under GDPR and to assist them on the GDPR journey to guide the organisation through to compliance before the enforcement date in May 2018.”
In a recent Webinar held in October EssentialSkillz polled over 100 key decision makers responsible for GDPR compliance about their GDPR training.
- Only 21% of organisations had rolled out GDPR training.
- 40% had tackled basic cyber security training
- However, 82% had provided guidance on the use of Social Media
This reflects the position many of our customers are in. The recent hacking attacks on the NHS and the impending threat of stiff penalties for non-compliance with GDPR mean that organisations are taking Cyber Security much more seriously. They have to, if you have not successfully addressed the basics then the chances of achieving GDPR compliance are negligible.
To address these fundamental issues within a company, it’s imperative that everyone in the company understands the basic principles of GDPR training, while those directly handling data require more extensive GDPR training.
Knowing your responsibilities
While it may seem obvious to some, being aware of the way that personal data is classified is the first action to take when determining a company’s responsibilities. Personal data is any data that can be used to identify the person, such as a name, ID number, location, IP addresses etc. Any personal data a company holds should have appropriate and explicit consent given by the owner for the desired use. The consent must be informed, specific and unambiguous.
The data processing principles are outlined in the GDPR framework. This includes a new accountability principle for data controllers and processers whereby they must be able to demonstrate compliance.
Anyone handling data of EU citizens are segmented into:
- Controllers – a person, public authority, agency or business that determines the purposes and manner for processing data.
- Processors – a person, agency or public authority or company processing data either solely or via third parties on behalf of a controller.
Some of the decision making is automatic – it should be apparent if data is held. But communicating the responsibilities of a company requires more time to set clear guidelines and goals for each team. When providing GDPR training to staff, it’s important to trickle down the responsibility to each employee, as anyone working with personal data of any kind needs to be compliant with the changes coming into effect. Another poll reflected this with 73% of organisations preparing everyone for GDPR, however 27% still had a view that the responsibility was siloed in the IT, Finance or legal departments.
Understanding individuals’ rights
The data owner has the right to obtain information from the data controller. They also have the right to know how and where their information is being used. If they do request to know more, the company must be prepared to provide it free of charge. Individuals will have enhanced rights to:
- Access information;
- Have inaccuracies corrected;
- Have information erased;
- Prevent direct marketing;
- Prevent automated decision making and profiling;
- Data portability.
If rights are infringed, individuals can take legal action against data controllers and data processors.
The process of supplying personal data back to the individual needs to be shared and understood by the team controlling the data. Equally, when obtaining personal data, privacy policies need to be reviewed to ensure they are more thorough when GDPR comes into force. Alongside GDPR, The Freedom of Information Act places additional burdens of disclosure on public sector organisations and employees in these institutions will again require additional training.
GDPR is a complicated subject, which is why it’s vital that businesses start to get to grips with the principles and practicalities well ahead of the deadline. It may seem daunting, but with the right GDPR training, organisations can be safe in the knowledge that all staff are educated, and the business is moving towards compliance.
EssentialSkillz has launched a number of courses aimed at employees of all levels to start their preparations for GDPR. The 50-minute GDPR training course is ideal for all employees to provide an understanding of GDPR so that they can apply the learning and be part of the organisations drive to achieve compliance. There are also eLearning courses covering Cyber Security and Freedom of Information.