In two recent posts, we’ve been discussing the European Union’s recently enacted General Data Protection Regulation (GDPR). We’ve provided a high-level overview of this new regulation and discussed some of the basic provisions.
Importantly, we’ve noted that the regulation can be applied to companies outside of the European Union and that violations can carry huge financial penalties. Here, we look at some tips for training staff on GDPR compliance.
Develop Your Compliance Strategy
The GDPR is a complicated and detailed regulation, and your compliance policy will need to be comparably detailed to ensure you are covering all of your bases. It’s not necessary for your entire staff to be experts on your policy, but you need to have a group of key staff who are well-versed on the regulation and how your organization aims to comply.
Make Sure Your Staff Know What Constitutes Personal Data
The fundamental concept underlying the GDPR is personal data. Even though not every member of your staff needs to be an expert on the GDPR, anyone handling any customer data whatsoever should be aware of what constitutes personal data under the GDPR. This is the first step in addressing potential compliance issues.
Educate Staff on the Process for Escalating Potential Issues
Once staff have identified that they are dealing with personal data that may be subject to the GDPR, they should know the process for escalating potential issues. It’s likely that your company deals with many of the same types of data every single day, and your staff will know—to a large extent—what is not at issue with respect to the GDPR. But when there is uncertainty, they should know exactly whom to bring their concerns to.
Make Sure Your Staff Understand the Magnitude of the Penalties
Finally, staff should be aware of the significance of potential violations of the GDPR. For some businesses, a serious violation could potentially mean going out of business. Employees need to know that compliance with the GDPR isn’t something that is simply given lip service.
As we’ve stressed throughout the last few posts on this topic, the GDPR is a major compliance change that has far-reaching impacts and potentially massive consequences for violations.
It would be impossible to thoroughly cover the topic in 100 blog posts, let alone three. But hopefully, this high-level overview will be enough to raise awareness of the key issues and help identify areas for further research.