Complete Guide to GDPR Training (updated for 2020)

Travis Good
May 5, 2020

Do you need GDPR training?

Every organization that must comply with GDPR must conduct employee training.

What organizations have to comply with the General Data Protection Regulation (GDPR)? The short answer is that any organization that stores personally identifiable information (PII) on EU citizens needs to comply with GDPR. This applies to companies with operations in the EU or not, meaning US companies that process EU citizen data need to comply with GDPR.

Technology companies are seen as being the most impacted by GDPR because they cross borders seamlessly via the Internet and technology business models and products often leverage PII.

GDPR defines two classes of organizations, similar to HIPAA - data controllers and data processors. Data controllers, like covered entities under HIPAA, directly serve EU citizens and technically own the PII. Data processors, like business associates under HIPAA, process, store, or otherwise manage PII for data controllers.

If you work for a company that stores or processes EU citizen data, you should be getting some type of GDPR training to understand the impact on your organization and your role in the context of EU citizen PII.

What training does GDPR require?

GDPR defines explicit training requirements and implicit training requirements. The two explicit training requirements under GDPR are:

  1. Article 39 - one of the defined tasks of a data protection officer is awareness-raising and training of staff involved in processing operation; and
  2. Article 47 - the appropriate data protection training to personnel having permanent or regular access to personal data.

The explicit GDPR training requirements apply to employees that access PII and processes that involve PII.

GDPR training should be conducted at onboarding for new employees when changes are made to compliance policies and procedures, and on a regular cadence, with annual being the longest acceptable interval.

Security by design and default

Implicitly, Article 25 of GDPR defines the principle of Data protection by design and by default. The Article states - The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

The challenge in applying security by design and default today is that data is usually a core part of business, meaning most of your employees touch personal data in some way. These employees need to be educated and empowered to make decisions about data that align with GDPR and your policies and procedures.

Additionally, the tools that are used to power your privacy and compliance workflows, things like approving access to applications, onboarding, and training need to be simple to use. If not, employees won’t use them consistently and you will fall out of compliance with your own policies and procedures.

Article 25 goes on to state that this requirement can be met with a certification, which is still yet to be defined. In the experience of Haekka, having led or been involved in 1,000s of audits and security assessments, we have no seen a security certification that does not require training of all staff. In order to implement security by design, privacy needs to be a part of the culture of an organization. Training is an essential component of this.

What does effective GDPR training look like?

Most training for GDPR is not effective. It is not effective because it does improve comprehension of the regulation or of the organization’s policies and procedures. Most GDPR training is infrequent and does not map to the ways in which modern work is done. Additionally, most GDPR training does not cater to technology companies or technology groups.

Employees represent the largest threat to corporate systems and data. Unfortunately, they’re also the most common cause of security incidents and data breaches. With remote workers and cloud-based technologies extending the human threat vector, it has never been more important to get GDPR training right.

Effective privacy starts with privacy policies and procedures. Translating policies into day-to-day work, ensuring those procedures are followed, and maintaining evidence of their execution is not easy. Proper training can help close many of the gaps and, at audit time, make life a lot easier for you and your auditors.

The Haekka team has created and managed privacy programs for GDPR. We have written and and taken part in privacy training for 100s of entities. We’ve also participated in or have run over 1,000 privacy audits and assessments. In order to be successful with training, and to limit the risk to organizations, GDPR training needs to be ingrained into the culture of the organization. In our experience, the following ten elements are essential aspects of effective GDPR training.

1. Human readable information

The basis of any compliance program is the policies and procedures. When your organization decides it has to comply with the GDPR rules, the first that it should do is a risk assessment. The second thing it should do is create policies. Oftentimes, because of the prescriptive nature of privacy regulations like GDPR and the need to address each and every requirement fully, or close to fully, privacy policies today are often written to the spec of the regulation.

The result is policies that are essentially just re-written versions of the regulations themselves. While these do clearly articulate that your company fully embraces security by design or that all workforce members are trained appropriately for their role if they field data subject requests, they do not provide truly actionable guidance to your employees.

Policies are translated into procedures, which should align with the actual work that people do each day, though our experience has shown us that procedures quickly fall out of alignment with the actual work of employees. Even if procedures do map to the way employees work, they are often written by the same people and in the same syntax as policies.

When you conduct training for GDPR, you should be educating your employees on the GDPR regulations themselves and your company policies and procedures. If these are not easy to read or understand, your employees will not understand them when trained on them. This leaves two options - 1) re-write the policies and procedures or 2) translate them into training that is easy to understand.

Re-writing policies and procedures to be easily understood is ideal and should be done for reasons beyond employee privacy training. But, this is a heavy lift as policies are time-consuming and expensive if you outsource it to a legal firm or consultant. The realistic solution is to translate both GDPR regulations and your own policies and procedures into training that employees can understand, retain, and execute on a regular basis.

2. Delivered with spaced repetition

Privacy regulations like GDPR and privacy policies written for GDPR are often new material for learners. Most people do not have a background in privacy and, even those that do, GDPR is a new and unique regulation. Most privacy training is done on an annual basis. Conducting training annually on new and foreign material, like privacy and GDPR, is not effective. Checking the box on training by doing the minimum interval necessary guarantees your employees will not comprehend or be able to follow privacy policies or effectively communicate privacy-related questions with customers and partners.

One effective technique that works particularly well for privacy and GDPR training is spaced repetition. Spaced repetition, or repeating the same lessons at different intervals, is a well-established system to improve retention in learners. Considering the structure of privacy training, it can be broken down into tagged or characterized content that can be delivered consistently, building comprehension over time. The other benefit of spaced repetition for privacy training is it enables easier tracking of comprehension for different topics. Below is a video on spaced repetition.

In terms of spacing schedule for privacy and GDPR training, there is not a prescriptive approach in terms of the cadence but there is research-based evidence for best practices. The benefit of spaced repetition privacy training, beyond improving comprehension and execution is that it helps to build culture as a part of your culture.

One of the challenges of going to a spaced repetition privacy training schedule is a collection of evidence for training. When training is done annually, tracking who has taken it is a lot easier than tracking training on a weekly or monthly basis. Spaced repetition does require rethinking training from the ground up but is one of the more important changes in order to ensure the effectiveness of privacy training.

3. Put employees in the training

If you have taken modern training for exams or seen kids take online training, you have likely seen the use of scenarios in education. These scenarios are short, cover 1 or maybe 2 topics, and have some form of a question to evaluate comprehension. Oftentimes, they can be completed within 5-10 minutes.

Creating a database, or catalog, of GDPR training scenarios requires work. Maintaining and updating that catalog is necessary to ensure the scenarios do not repeat and become stale. For larger organizations with dedicated training groups and resources, this may be feasible though even these organizations have a hard time doing this. For smaller organizations, this likely requires you to find and buy scenario-based privacy training or a scenario-based training platform. In any case, the complexity of implementing privacy in 2020 is more complicated than ever before so finding additional resources for training, or other aspects of privacy may be necessary.

Below is a sample GDPR scenario, a scenario tailored to technical employees.

Your company is building a new mobile app. The app will be used by end-users in retail stores in France as they browse on the rack inventory. The app is installed on the users’ own mobile devices. The app collects basic information about the individual when they signup then tracks them as they move from store to store.

Large retailers buy and white-label the app. The user data that is collected belongs to the large retailer.

The user data is not stored on mobile devices. The personal user data will be stored on a server on the public cloud, specifically an Amazon Web Services (AWS) data center in France, in AWS cloud accounts owned by your large retail customers.

Which of the following are required to comply with GDPR? (choose all that apply)

  1. Sign a data protection agreement (DPO) with your large retail customers.
  2. Sign a (DPO) with AWS.
  3. Sign DPOs with Apple and Google because your app runs on iOS and Android.
  4. All of your customers sign DPOs with AWS.
  5. Store patient records in AWS data centers located in the EU.

Answer: a, b, d, and e

The scenario is a good example of putting your employees in your training. This makes the training relatable. Employees see how privacy applies to the work they are doing and the decisions that they make on a day to day basis. And each scenario comes with a simple explanation, making it easy for employees to comprehend the learning of the scenario.

4. Contextualize training

Privacy training should be done where your employees work. In 2020, that means the applications and digital tools that your employees use every day. Training in context has been shown to help with the retention of training content. To meet the goal of delivering GDPR training that is effective, it needs to be done in context.

Today, most corporate training, not just privacy training, is done in classrooms or in learning management systems (LMSs) that reside wholly outside of the tools employees use every day. Employees leave their work to train on things that have no connection to the decisions they make each day. This training is a checkbox.

GDPR training can be delivered where employees work. Technology enables easy integrations between privacy training content and tools people work in every day. Tools like email and chat, where many employees spend time each day, are great delivery platforms for training content. Since employees are already identified and authenticated in these tools, the collection of evidence for training is easier, as is the tailoring, or adaptation, of training for individual employees.

5. Make Training Adaptive

With its expansive view of personal data, the subject rights users have for that data, and the financial penalties for violations, GDPR should touch every employee at your company. Security by design and default, a key tenet of GDPR, implies the need for a full-fledged Privacy Stack. And, the need for a certification referenced in Article 25 of GDPR means that a Privacy Stack not only needs to be defined but also implemented.

Because GDPR specifically and privacy generally touches every employee at a company, the training given needs to be adaptive to the roles and responsibilities of individual employees. The broad nature of GDPR means the training for it should adapt to what each individual employees knows of GDPR. Additionally, GDPR is unique in that it requires different training for different groups. Your data protection officer needs their own training while all those employees that field or even interact with users should have training tailored specifically to processing data subject requests and questions.

Training software developers on how to handle paper records of user data is pretty low value. Teaching GDPR integration into your system development life cycle process to finance is equally low value. Training should be personal to the job and function.

Adaptive training has been found to improve comprehension by over 20%. This is pretty astounding, and the reason why almost all modern educational platforms used in school are adaptive in nature. Yet, when it comes to privacy training, what we provide to employees is often static, one size fits all training.

Below is a video with examples and research about adaptive learning and adaptive technologies used in education.

6. Bite-Size Material

A key enabler of effective training is breaking training down into digestible chunks. There is always going to be the need for primers and introductions to the major themes of GDPR. This more generic, more traditional training has a place, namely with new hire onboarding. But, these monolithic training only be used as a primer and should not be seen as a means to effectively educate your employees about GDPR and privacy generally.

Effective training is focused on and addresses a small set of topics and objectives at a time. Within the context of GDPR, a limited set of GDPR articles and privacy policies and controls should be taught at a time. Scenarios are a great way to focus content.

Bite-size training content also enables delivery within existing tools such as chat programs like Slack or via email. These programs are where a lot of work is done so the training is delivered and completed in the context of daily work.

One of the major benefits of bite-size training is that it can be wholly delivered in tools you already use, like Slack. There are a growing number of Slack bots and 3rd party integration in Slack, making training an obvious extension of the ways Slack is already used today.

The key to successfully breaking GDPR training into bite-size content and delivering in a continual way is with proper content management. Training needs to be organized and tagged in ways that make it easy to store, retrieve, and link to other training material. Traditional LMS systems fall short of this as their tagging and content management were not built for agile, bite-size training but for organizing traditional, monolithic training.

7. Build engagement into your content

One of the primary goals of training, if the training is going to be effective, is to build engagement into the content itself. Engaging employees optimizes the experience and comprehension of learners.

GDPR and privacy gets a bad wrap. It’s often viewed as a checkbox and boring but it does not have to be. It requires creativity to make privacy training fun and engaging but there are some guidelines you can use.

  • Include interactive QA every 150-200 words, at the most.
  • Use QA as a part of the actual training - explain both right and wrong answers.
  • Leverage the results of QA to tailor future training.
  • Use QA that is hard, but not too hard - feel free to use multi-select and not just multiple choice.

These are great shortcuts to start making GDPR content more interactive and engaging.

8. Ensure training aligns with remote work

Remote work is, at the very least, one aspect of the new, post COVID-19 normal. If your company does not do remote work today as its primary form of work, it has to at least support remote work. It is now a must have function to allow employees to work from home and typically from a mix of company and employee-owned devices.

Remote work, whether primary or secondary as the means of getting things done, has an impact on the execution of your privacy policies and controls. The ways in which people connect, the ways they share data, the places they leave their devices, and the conversations they have in public or semi-public areas need to map to privacy policies and GDPR rules. The privacy training you provide needs to help employees understand that the work environment itself impacts the privacy of their devices, data, and workflows.

9. Train like you use modern technology

GDPR was written in the age of cloud. And a large driver for the regulation itself was the amount of data collected by modern technology and harvested for modern business models. Almost every company today, from small retail to massive Fortune 100s, uses a mix of cloud technologies and SaaS to operate their businesses.

Privacy by design and default, as required by GDPR, means that modern technology, including both the configuration and the management of the technology, has to have privacy and security as a core part. This is harder than it seems as the speed of technology, in particular the cloud and IoT devices that collect reams of new kinds of data, is changing rapidly. What is possible in terms of data about people as well as what is possible in terms of securing that data, will be different tomorrow. In order to keep GDPR training effective, it needs to be updated regularly to account for these evolutions.

10. Close the feedback loop with employees

Feedback goes both ways. If your company wants employees to follow GDPR and your policies and procedures, they need regular training. Employees need to be able to gauge where they are in terms of comprehension at any time. Also, employees need to be able to provide feedback on what is working and not working with privacy training.

When it comes to feedback to learners, research shows that more feedback and less teaching is best. This is hard to do with privacy training, at least at scale. One effective way to do this is to leverage technology and gamification to show learners how they are improving, tell them where gaps in comprehension exist and provide clear learning pathways to fill gaps. At Haekka, we do this through intelligent employee profiles that build upon all interactions with privacy training - time spent on training, questions answered correctly, and categories of questions asked about corporate privacy policies.

On the other side of feedback, one of the missed opportunities with GDPR training is getting feedback from employees and leveraging that employee feedback to continually improve content and delivery. Even if you try to apply all of the above features, there are bound to be areas for improvement or adaptation of training. Feedback should be continuous and encouraged, ideally in some way that makes storage and interpretation of feedback efficient.

How effective GDPR Training builds a culture of privacy by design and default

Given the current regulatory landscape and public perception, privacy should be a board level, organizational-mission aligned initiative. The collection, storage, and usage of personally identifiable information (PII) and protected health information (PHI) is a liability, a liability every organization needs to address. To successfully minimize the risk associated with PHI, organizations need to build and maintain a culture of privacy. Security by design and default is not unique to GDPR, it is imperative for every healthcare organization.

Effective GDPR Training helps to tactically turn privacy policies and procedures into execution. Following policies and procedures is the best way to mitigate risk to your organization and user data. It also makes auditing and security assessments much easier.

When assessing the maturity of your privacy and compliance program, the execution of your policies and procedures fall within the 3rd stage, Implementation. Most audits and compliance certifications in 2020, including SOC 2 Type 2, require that the majority of your requirements are at the Implementation stage. Effective privacy training gets you much of the way there.

But, there will always be times when employees do not have a playbook or specific steps for the work they are carrying out. In these instances, your workforce is the bridge between your privacy policies and your technical implementations, your interactions with users, and your documentation. The way to succeed in implementing privacy when there is no playbook is to build a culture of privacy.

A culture of privacy is just that - a part of the culture of your organization. Much like “customer-first” or “move fast and break things”, privacy should be a part of decision making. Scaled decision making must align to the highest levels of an organization, which is why privacy must align with organizational mission and values.

Effective GDPR training helps to build a culture of privacy. It empowers employees to make choices involving privacy. It helps measure the execution of privacy across your organization in a safe, low consequence way. It helps identify and target areas for improvement. And it helps to foster privacy champions that can scale privacy.

Privacy training, done right, takes privacy and compliance from a bolt-on or check-box to an integrated part of the way your organization lives and breathes. In doing so, it builds a culture of privacy that extends trust to your users, customers, and partners.

Haekka GDPR Training

Haekka training is built from the ground up to be effective for a modern workforce and modern technology. Our training covers the best practices for privacy, tailored to the function of each of your employees, and goes into detail on GDPR-specific regulations for things such as breach notification timing and data subject requests.

Haekka is delivered and employees engage with it in the tools you use each day, namely communication tools like Slack. Privacy, through Haekka training, becomes a part of the work of your employees and gets baked into the culture of your organization.

Our training is adaptive, making it hyper-focused, relevant, and improving the retention of content. Our training content is continually updated based on the regulatory and technology market so your employees will not fall behind.

All Haekka training is logged, meaning you have everything you need come audit time or security assessment time with your partners and customers. Our audit content is detailed and can be exported with real-time data at any time, ensuring you always have the most up to date data for your audits and security assessments.

One of the valuable returns on investment in effective privacy training is that it helps to build and maintain a culture of privacy. Haekka, using adaptive training and targeted content, helps identify gaps and areas of improvement for your privacy program, meaning you can continually strengthen the role of privacy at your company.

We are 100% focused on turning privacy into execution. We empower your employees with relevant training and intuitive compliance workflows to ensure your policies and procedures are followed and documented.

Resources for GDPR training

Below are some links to learn more about GDPR training.