5 training insights from the first year of GDPR
Posted on May 13, 2019
Games & gamification
This time last year, how many of us really knew what GDPR stood for? Now, the General Data Protection Regulation is an everyday term for any business department dealing with personal data. But beyond the jargon, what have we learned after 12 months of living with GDPR? And specifically, what do we now know about the best way to train people on the new data protection rules?
When it was implemented on 25 May 2018, GDPR represented the biggest shake up in data privacy law for a generation. The new rules promised much tougher fines for breaches, tighter controls on personal data use and greater scrutiny of data practices. Reaching the first anniversary of GDPR, we’ve seen all this and more, with some very large and very public repercussions for non-compliance.
The European Data Protection Board (EDPB), the body that oversees enforcement of GDPR across borders, recorded 94,622 complaints and 64,684 data breach notifications in the first nine months of GDPR. Fines imposed in the same period amounted to €55.9m. In the UK, Elizabeth Denham, the Information Commissioner, reported a 111% increase in complaints from the public on data use, following the start of GDPR.
With this level of fines and breaches in the first year, along with the increased public awareness, it’s likely that GDPR compliance will remain a business priority for the foreseeable future. Regulators aren’t telling companies how to train their employees, but they do expect them to equip their people with the knowledge and skills they need to comply.
5 GDPR training insights
So, how have organisations approached GDPR training in the first 12 months of the regulation? We’ve picked out five observations from our work with international companies.
1. GDPR training means different things to different people
While the GDPR mentions a training requirement, it’s not specific, so businesses can interpret the training clause as they see fit. This has led to a big variation in the quality and quantity of GDPR training being implemented across businesses. What’s become clear is that some large organisations, particularly those with diverse or complex data requirements, are seeking bespoke learning solutions to support good data privacy behaviours among employees. This might include off-the-shelf elements for low risk data users, like our GDPR Sorted game, combined with tailored learning programmes for high risk data handlers and senior managers.
2. DPOs can’t do it on their own
We’ve spoken to Data Protection Officers who are becoming overwhelmed with the task of educating everyone in their organisation on GDPR. In some cases, they are doing the training in person on their own, and of course, this is unsustainable, even for the most conscientious DPO. Where DPOs are drawing on learning expertise, whether from their own L&D team or an externally provider like Sponge, they’re seeing more effective training solutions being implemented.
3. Knowledge dumping doesn’t work
Simply telling employees about the new data privacy rules is a temporary fix; it may have worked to kick off GDPR, but it soon comes unstuck. Organisations must consider whether this will help their people remember and apply the rules and build a continuous culture of responsible behaviour around data use. That’s why we advocate a learning game for this type of mandatory and continual reinforcement. Game-based learning really comes into its own in this situation; it’s fun, experiential and re-playable, building knowledge and understanding through repetition, enabling employees to practise something that’s genuinely applicable to their jobs.
4. The conversation is moving to culture
The level of scrutiny on data privacy has intensified during the first year of GDPR as the public develops a greater awareness of their rights and the regulators get into their stride on enforcement. Responsible use of data is now a market differentiator in some sectors and is quickly becoming a strategic priority for the C-suite. Changing culture long-term means moving away from a one-off training course towards building an integrated and continuous learning programme to embed good data behaviour and ethics across all levels of an organisation. By creating a culture where adherence is everyone’s responsibility, the layer of protection is far greater.
5. Data privacy is global
It was always the case that non-EU businesses using any form of data of EU citizens had to operate within GDPR, but many nations, like New Zealand are following suit anyway. Plus, if you are a large global business, you want data privacy consistency across territories, so your customers can be confident that you will protect their personal information wherever they live. However, educating diverse groups of people across geographies, cultures and languages is far from easy. Many global organisations are seeking GDPR training solutions that lend themselves to translation and localisation to maintain consistency and cost-effectiveness.
Overall, the introduction of GDPR has been a catalyst for organisations to up their game on training and education around data protection, and that’s got to be a good thing for businesses, employees and customers alike. For those who have yet to implement an effective GDPR learning programme, there’s every incentive to act now. European watchdogs have warned that the first 12 months was a transitional year and that businesses can expect increased action and “teeth” from regulators going forward. GDPR may be in its infancy, but organisations need to plan long term on training.