GDPR Essentials for Employee Compliance Training
When it comes to GDPR compliance, the stakes are high for any organization that handles the personal data of EU data subjects. Penalties can be as great as €20 million or 4% of a company’s annual worldwide turnover, and the potential for a violation rests with every individual who has access to the personal data. In its first year of effect, there were approximately 144,376 complaints logged by private citizens, or by an organization on behalf of individuals, objecting to privacy violations related to the use of telemarketing, promotional emails and video surveillance.(1) U.S. company Google earned the largest fine to date, €50 million in January 2019, for “failing to disclose to users how their data is collected and used for targeted advertising.”(2) The worldwide expectation is that this is only the beginning, with reports, investigations and fines expected to rise as new regulations modeled after GDPR are proposed and enacted around the world.(3) The Information Commissioner’s Office, an independent UK authority, publishes a continuously updated list of enforcement actions, including monetary penalties.
Is GDPR Training Required?
GDPR compliance training for employees plays a crucial role in ensuring that companies meet and maintain compliance with GDPR requirements. Although the GDPR legislation does not specify details about training requirements, there is a clear expectation that training is a responsibility of the Data Protection Officer (Article 39) or any organization subject to Binding Corporate Rule (Article 47), and of the European Data Protection Board (Article 70). GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.” (Article 47). (4)
It is true that some of the GDPR requirements can be met with technological solutions, but when a company interacts with data subjects within the EU, every employee shares responsibility for protecting their personal information. Since GDPR compliance covers customer and employee data, as well as any other personal information you may collect – from volunteers, or for marketing purposes only – virtually all departments of a business play a role in meeting the data privacy requirements. This means that most employees in your organization require training on properly handling personal data.
Is Your Organization Prepared?
Is your organization prepared? Does everyone know what information is covered by GDPR? Has your company met GDPR compliance training requirements? Have you even addressed GDPR training yet? Ask yourself these questions to see what you know.
Whose data does the GDPR protect?
GDPR protects the personal data of any data subject located in the EU, as explained below:
- Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
- Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. (5)
It does not matter if the person is a customer, employee, volunteer or intern, citizen of the EU or not – any organization that collects personal data from someone in the EU must follow the GDPR regulations or risk the consequences.
Who is required to follow the GDPR requirements?
The GDPR applies to:
- A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- A company established outside the EU that is offering goods/services (paid or for free) to, or is monitoring the behaviour of, individuals in the EU.(6)
Any organization that meets these criteria must follow the GDPR data privacy regulations. This includes businesses that market or sell to customers in the EU, whether or not the business itself is located there.
What data is covered by GDPR requirements?
All personal and sensitive data covered by the definitions outlined in the GDPR must be kept private and protected, or in some cases, should not even be collected. This includes all personally identifiable information like name, address, phone number, birthdate, national identification number, driver’s license number, etc. It also includes less commonly mentioned personal information like race, gender identity, political affiliation, and religious beliefs, among others.
What do we have to do with the data?
Organizations must have a lawful basis for processing before any data is collected. This can be written consent, a contractual obligation or another lawful basis. After the data is collected, it must be guarded securely, maintained for accuracy, used only for the stated purpose, and deleted or destroyed when no longer needed. And if there is any indication of a breach, the breach reporting protocol outlined by GDPR must be followed immediately.
GLS’ General Data Protection Regulation (GDPR) Essentials 7539
To protect your organization, GDPR compliance training is critical to prepare all corporate employees to meet the requirements. GLS’ GDPR Essentials course presents key information about the GDPR regulation and how to apply the data privacy principles that form the backbone of the regulation. This scaled-down course concisely presents the most relevant information someone needs to understand GDPR, to maintain a data subject’s privacy, and to treat their data securely and legally according to the regulations. This course covers the following GDPR training topics:
- Recognize the purpose of GDPR and penalties for non-compliance
- Explain the key principles of personal data protection under GDPR
- Define personal data and sensitive personal data under GDPR
- Describe key provisions, including breach reporting and consent requirements
- Explain good data protection practices to be followed by individuals handling personal data
1 European Commission. (2019, May). GDPR in Numbers. Retrieved from https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_0.pdf
2 Collins, K. (2019, May 24). Europe’s GDPR has accomplished a lot in its infancy. Retrieved from https://www.cnet.com/news/europes-gdpr-has-accomplished-a-lot-in-its-infancy/
3 Bernard, A. (2019, May 2) Evaluating the GDPR experiment. Retrieved from https://www.scmagazine.com/home/security-news/evaluating-the-gdpr-experiment/
4 Council of the European Union. (2016, April 6) EU General Data Protection Regulation. Retrieved from http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
5 European Data Protection Supervisor. (2019). What is personal data? Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
6 European Data Protection Supervisor. (2019). Who does the data protection law apply to? Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
- Buckbee, M. (2018, October 5). GDPR Requirements in Plain English. Retrieved from https://www.varonis.com/blog/gdpr-requirements-list-in-plain-english/
- European Data Protection Supervisor. (2019). Data Protection. Retrieved from https://edps.europa.eu/data-protection/data-protection_en
- Information Commissioner’s Office Website. (2019). Enforcement action list. Retrieved from https://ico.org.uk/action-weve-taken/enforcement/
- Rubens, P. (2019, May 10). How to Comply with GDPR. Retrieved from https://www.esecurityplanet.com/network-security/how-to-comply-with-gdpr.html