We #StandWithUkraine, find out how to help here.
Last updated: 06.12.17

Staff Training for GDPR 2018

The General Data Protection Regulation, better known as GDPR, comes into force in May 2018, it will bring with it the prospect of major changes to the way UK businesses think about and use the data that they collect from individuals.

The EU has brought these laws into force in order to give EU citizens better control over the use of their data which is held by businesses and other non-governmental organisations. As a result, it is fairly broad reaching and complex, which makes it difficult to understand easily, particularly for businesses that are going to have to really pay attention. This is why efficient and effective staff training is crucial for businesses. In this article, we’re going to look at why it’s important, who needs to be trained, what this should cover, and how you can get help.

Virtual College has a free overview course titled ‘An Introduction to GDPR’. It may be very beneficial for those starting the process of becoming GDPR compliant, and those who are individuals or businesses who are not already aware of the basics of what GDPR involves. Click here to find out more about out introduction to GDPR course.

Why It’s Important

Training is hugely important for GDPR because of its complexity, and the new rules that have been introduced. There are very few businesses that were set up to deal with GDPR before it was agreed into law, so most companies will need to make some form of change. If staff are to properly understand those changes and implement new processes, then they need to be trained.

The other major issue is of course that GDPR fines can be very significant indeed, and it is in your interests to stay on the right side of them. It is not known exactly how strict the EU is likely to be at this stage, but it’s simply not worth the risk. If there are members of staff handling people’s data and they don’t understand GDPR, they could well be a risk.

Who Needs Training?

This is a question that only business managers can answer, depending on the nature of the business and the level of awareness of employees. There are, however, guidelines for who needs to be aware of GDPR.

Anyone handling an individual’s data in any way, whether they are looking after customer accounts at a bank or collecting customer emails for marketing purposes, need to be aware of what GDPR is and what it does. If your business involves any of this, then you should have everyone involved undertake at least a basic overview training session. Staff members who are directly responsible for data security will require more substantial training.

What You Need to Cover

Given how extensive the GDPR regulations are, there is a lot to potentially be covered in any training provided to staff. At a minimum, we’d recommend that everyone even tangentially involved to data processing needs to be aware of the following things that GDPR does, and how that affects them:

  • Legal Basis - You now have to have a ‘legal basis’ for collecting and processing an individual’s data
  • Consent - In many cases you must gain a person’s consent to hold information about them, and store a record of this (this includes gaining consent on behalf of children)
  • Subject Access Requests - Individuals have the right to request all of the information that is held about them, and this should be dealt with promptly
  • Right to Erasure - Individuals can also request that their data is erased under a number of legal grounds
  • Reporting - There are now requirements for reporting any data breaches and other Cyber security incidents in a timely fashion, and to the correct authorities

In addition, you will of course need to conduct training on the policies you have implemented in order to adhere to these regulations. It’s not enough to know that individuals can request their information - you need to know how you’re going to service those requests.

How to Get Help

GDPR can clearly be daunting, which is why many businesses are looking for external help. There are of course official publications of the incoming regulations available from the EU itself, but these are hugely complex and can be difficult for those without a legal background to understand. The UK’s Information Commissioner’s Office, which is responsible for looking after people's’ rights when it comes to information on the UK, has published a variety of guidelines that might help.

If you’re in any doubt at all as to whether you have the necessary GDPR knowledge, then you should undertake training. Virtual College can assist your business in staff training, with a range of courses that are dedicated to cyber security and GDPR.

Related resources