Experts have advised organisations to question whether their General Data Protection Regulation (GDPR) training is relevant to their employees, one year before the new rules are due to come into force.
Speaking at a roundtable hosted by cybersecurity company Kaspersky Lab yesterday, Sue Daley, head of cloud, data, analytics and artificial intelligence at techUK, said the trick to successful training on the forthcoming law would be making it “real” to staff. “The first stop is to talk about it and get people to understand what it means,” she added.
Meanwhile, Caroline Hinton, head of HR at radio production company Somethin’ Else, acknowledged that GDPR training risked becoming a “tick-box exercise” if not properly designed. “The key around that is just making it individual to different roles and different departments, [emphasising] why is it relevant to them,” she said.
Hinton also pointed out that there was no reason that HR could not start to try out different tactics now rather than waiting until implementation day: “Don’t see this as a hard deadline but just see it as a living, breathing process that starts now.”
Jo Bance, global head of marketing at SQS, said many employees could naturally be interested in how the legal changes would affect them in other aspects of their life. “We are all consumers in are own right anyway so there is an interest there,” she said.
Key features of GDPR include a requirement to make a notification of data breaches within 72 hours of becoming aware of them, easier enforcement of people’s right to be forgotten and fines of up to 4 per cent of annual global turnover or up to €20m, whichever is greater, for failure to comply.
Daley also reminded the audience that not everything in GDPR was new, and organisations could transfer much of their knowledge and processes from the existing data protection laws.
Research released by Kaspersky Lab to coincide with the roundtable revealed that more than a fifth (22 per cent) of IT decision-makers are not confident their organisation will be fully compliant with the regulations by the time they come into force on 25 May 2018.
However, the panelists were more upbeat about businesses’ readiness to comply. “It is a term that is recognised by everyone,” said Bance. “Everyone is recognising those four letters.”
Daley added: “Everyone is looking at this and looking to get ready.”
Although the GDPR laws stem from the EU, Karen Bradley, the secretary of state for culture, media and sport, confirmed in October 2016 that the UK would be implementing the regulations despite Brexit.