Ignore the GDPR at your peril
Organisations that think the GDPR doesn’t apply to them, or ignore ICO and industry warnings (or still believe Brexit means it doesn’t matter), are all mistaken. Any company processing personal data needs to know about the GDPR, and any of their staff involved in handling personal data need to understand the implications.
It’s not just the compliance and legal teams that need to appreciate the changes the GDPR ushers in; marketing teams, database marketers and anyone who processes personal data need to know what they can and can’t do. Failing to do so might lead to inadvertent, but potentially highly damaging, mistakes. Organisations need to know the risks they might be taking, so they can manage, mitigate and avoid any bear-traps lying in the data-forest.
Training should be higher up the agenda
A recent survey on GDPR-readiness by the Direct Marketing Association firmly, and perhaps unsurprisingly, placed Consent as the overwhelming concern for organisations. This was followed up by worries about legacy data and profiling, but training was well down the list.
Staff need to be empowered with an understanding of the GDPR, what it says about Consent, what the transparency requirements are and how Consent will need to be proved. Training staff on these issues is an obvious solution to concerns - a lack of knowledge could leave key areas of compliance overlooked. So, it was interesting to see only 13% of organisations cited training as a concern; arguably this should be much higher up the agenda.
Proper training and awareness allows staff to know (for example) how and when Legitimate Interests might be relied upon for direct marketing, realise there are new rules to consider for direct marketing profiling and appreciate when enhanced individual privacy rights need to be considered. Otherwise, any one of these areas might be easily overlooked, leading to potential complaints, litigation and reputational damage.
DPOs are required to ensure staff are trained
Training also plays an important role when it comes to Data Protection Officers (DPOs). Under the GDPR many organisations are required to appoint a DPO, or may choose to appoint one (even if not covered by the mandatory requirement), to ensure they can meet the increased emphasis placed on transparency and accountability in the Regulation. The DPO is someone empowered to ensure policies and procedures are in place to minimise the risk of breaches, and to uphold the protection of personal data. The Regulation not only stipulates that the DPO must be supported with adequate resources and training to carry out their role, it also places upon them a requirement to train staff.
In Article 39 (b), relating to the tasks of the DPO, the GDPR states:
"to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;"
It is abundantly clear that staff who handle personal data mustn’t be left in blissful GDPR ignorance. Many companies may already ensure their staff have data protection training on (say) an annual basis; it’s crucial this is refreshed to reflect the new regulatory environment we face.
The International Association of Privacy Professionals estimates that DPO requirements under the GDPR will lead to as many as 28,000 DPOs being needed across Europe and the US.
Even if you manage to recruit a fully-fledged certified DPO, their skills and knowledge will need to be developed and refreshed. In particular, adequate training will be necessary to ensure DPOs are up-to-date, as guidance from regulatory agencies evolves over the coming months and years.
Why GDPR knowledge matters
Ensuring relevant staff have sufficient knowledge of GDPR requirements is a strong safeguard against your company or organisation falling foul of the rules. Even under current legislation, the ICO has regularly criticised companies for failing to train staff. As the rules tighten come 25 May 2018, the risks increase.
Organisations were given two years to ensure compliance when the GDPR was formally adopted in May 2016. The UK Regulator has spoken of little else since. I stress again: not being aware won’t be an excuse, and GDPR awareness and training should not be ignored. Now is the time to ensure it’s a part of your GDPR compliance strategy.
The IDM runs regular face-to-face courses to inform marketers about GDPR; these allow delegates to absorb the key requirements and ask vital questions about implementing GDPR compliance in their organisations. An online GDPR award is also available from the IDM, covering the fundamental impacts of the Regulation for marketers.
The EU General Data Protection Regulation (GDPR) is just twelve months away and marketers need to fully understand its impact now. Consumer awareness of privacy rights is increasing (and will most likely continue to increase), as seen by the proliferation of no-win-no-fee data protection solicitors chasing data breach claims. The introduction of the GDPR will only increase the risk of falling foul of the rules, as loopholes are identified and benchmark cases pass through the courts. Perhaps most importantly, the Information Commissioner’s Office is also taking a tough line: a lack of awareness about the Regulation won’t be an excuse, and won’t cut any ice when it comes to the eye-watering fines that could be levied against offenders.