When the General Data Protection Regulation (GDPR) comes into force, most companies won’t be fully compliant but will have programmes in place to close the gaps. One area in particular that presents a significant challenge is in raising awareness across an organisation, ensuring all employees understand their data protection obligations.
When it comes to compliance with the GDPR, data security is a key issue, with staff often sidestepping security policies to get things done quicker. It’s probably no surprise that the principal cause of a business security breach is human error, accounting for 35% of breaches, according to FISSEA.
Most staff either don’t know about security requirements or don’t prioritise them relative to other aspects of their job. In a 2017 survey by Dell, 22% of staff said they would share sensitive, confidential or regulated company or client information if it would help them do their job more effectively, and 13% said they would do so to help the recipient do their job better.
The problem is the penalties for infringement of data privacy rules are about to escalate dramatically. Maximum fines for non-compliance will rise exponentially from May 25th. GDPR is going to oblige companies to get serious about data security and privacy, which means all staff are going to have to make the same transition – treating data protection as a priority.
As of December last year, 81% of HR departments thought they would be ready for GDPR – even though around half weren’t clear about what it was, according to a recent survey from SD Worx. While ensuring your department is compliant in itself is great progress, the real question is who will take responsibility for educating the workforce?
There is plenty of work ahead to achieve company-wide compliance. With responsibility for training and internal communications, HR is the department with the most to give – and arguably the most to lose. So it may potentially fall to HR to drive the cultural change.
Why HR should own the education programme
The factor that will probably make the most difference to your GDPR programme is staff compliance. Just as a chain is only as strong as its weakest link, the organisation’s commitment to GDPR compliance is only as strong as your staff’s willingness to take responsibility and do the right thing when it comes to personal data – client or company-related.
That makes GDPR compliance an HR issue, no matter how much it might look like it belongs to IT, marketing or another department. In most cases, as we’ve seen, data leaks and breaches aren’t an IT issue anyway. They’re most frequently caused by staff errors through a lack of knowledge about data protection best practices and ignorance to the consequences.
Fundamentally, we all have to change not just what we do with data, but how we think about it. And staff have to be properly trained to make GDPR compliance simply ‘what they do,’ every single day.
How HR can run a successful programme
So we know what we need to do. So the obvious question is, how do we do it?
1: Staff have to understand the requirements of GDPR
No, everyone in HR doesn’t need to be ready to step into the Data Controller’s shoes at a moment’s notice. But staff won’t remain compliant based on a vague understanding of what GDPR means or a set of basic instructions about what to do and what not to do.
Instead, they need both a high-level understanding of GDPR – even if it’s simplified – and a clear view of how it impacts their work. They have to understand issues around staff consent, security and responsibility for themselves. Otherwise, they’ll nod and agree in training, then go away and keep cutting corners.
2: Make it relevant – and get senior leadership involved
Company cultures change from the top, for better or worse. If your company wants to convince its workforce that GDPR compliance is a priority, have senior figures show up to both lead, and participate in training.
And people listen when you talk about them. Spend some time making your GPR training relevant to your industry, your business, and specific job roles, without sacrificing real employee understanding of the broader issues.
3: Address internal sharing and communications
When staff think of data risks, they think of external actors. But the real data risks are almost all internal. It’s the person who unwittingly sends an email to the wrong person, or leaves data covered by GDPR on the company’s public cloud (or the printer out tray), who really defeats your GDPR compliance efforts.
Consider implementing tools that make it hard to share information accidentally, but also educate staff about what the requirements of GDPR mean for internal communications. Step-up your access control measures to systems that hold personal data and ensure managers are responsible for ensuring only authorised individuals are granted correct access rights.
4: Make training continuous
Training should be an ongoing process, and it should start during onboarding. GDPR is a fact of life and any new staff need to know about it as much as they need to know how to use your company’s productivity tools.
Staff who have been with the company a long time will have established ways of working that won’t be altered by a one-hour training session. They need continuous reinforcement, and perhaps also intensive coaching that might include one-to-one mentorship in how to do their jobs in a more compliant way.
5: Departmental leagues/gamification
The most effective rewards for success don’t include money. It’s surprising, but gamified leaderboards or leagues can be amazingly effective for encouraging compliance, by attaching a personal significance and relevance to each action.
You can exploit this by building gamified environments that deliver visible and tangible, but relatively low-cost rewards. It’s a lot cheaper to take the most compliant team for pizza once a month than to pay 4% annual turnover in fines.
6: Keep a record
It’s important to be able to evidence compliance with GDPR, and this will be essential should you face an external audit. Most good HR systems will allow you to keep track of any training completed by individual employees within their employee record.
In summary, here are the key points to take forward from this post:
- Without real staff understanding, compliance efforts are doomed to failure
- You have to change old, bad habits as well as establish new, compliant ones
- HR is the department often best placed to drive the cultural change
- Everyone from senior leadership on down needs to be actively involved
- Maintain a record of compliance with any training completed
- The sooner you start, the better!