6 common mistakes people make with GDPR training
1st November 2018
It’s official. Your people are the biggest cause of data breaches. Human error is behind the majority of incidents reported by organisations, rather than malicious cyber-attacks.
The last two years have seen a 75% increase in the number of breaches being self-reported to the UK regulator, the Information Commissioner’s Office (ICO). The cases compromised individuals’ personal data, including medical, financial and employment details.
A deeper dive into the figures for the past year by Kroll₁ reveals that, of those cases where the type of breach is specified:
2,124 were attributed to human error
292 were due to cyber attacks
It’s another reminder that protecting data in your business relies on your employees and their ability to apply best practice around data safety. Of course, GDPR has raised the bar on data protection, but it seems many businesses are still failing to include training in their GDPR compliance strategies, despite the risk.
A new survey₂ of 1,000 UK office staff found that 47% don’t know if their companies are doing anything to comply with GDPR – so little or no training can be reaching those employees. Meanwhile, another study₃ of 600 US and EU firms found that over a quarter (27%) haven’t yet made a start on their GDPR implementation phase.
So, roughly six months on from the introduction of GDPR, we’re focusing on where organisations are getting stuck with data protection training and the most common mistakes holding them back.
The big six errors
1. Doing nothing
Ignoring the need for training puts your organisation at greater risk of a breach and the subsequent reputational meltdown. GDPR places a responsibility on organisations to embed data protection “by design and by default”. As part of this, “regular and refresher training is a must”, according to Elizabeth Denham, the UK’s Information Commissioner.
2. Forgetting the audience
Rolling out the same GDPR compliance training to everyone means no-one gets the right training. High risk data users need a different approach to the general workforce. Segment the training, so high risk employees benefit from a bespoke programme. Meanwhile, introduce the basics of GDPR to lower risk data users in an engaging and accessible way, such as Sponge’s GDPR learning game, GDPR Sorted.
3. Overwhelming everyone
Handing out wordy documents with every GDPR dot and comma to all your people and saying ‘remember that’ is a recipe for failure. Instead, focus only on what they need to know about GDPR for their jobs, and which behaviours related to data protection are most important for them.
4. Once a year
Annual GDPR training isn’t enough. GDPR compliance requires continuous learning and reinforcement opportunities to avoid potentially costly lapses. Continuous learning helps people to apply their training daily, keeping the company safe and contributing towards a data safety culture.
5. Ticking a box
With GDPR training, don’t tick the box, think outside the box! If your GDPR training is dull and boring employees won’t engage and they won’t learn. To be effective, learning about GDPR has to be memorable, so ‘rebrand’ it as an experience that people want to do.
6. In isolation
GDPR learning loses effectiveness when it’s delivered in isolation or bolted on as a ‘P.S.’. For maximum impact, build a GDPR learning campaign with preparation, activation and sustain phases. Use a mix of learning activities so there’s something for everyone. It’ll increase engagement and help people to understand the wider picture.
GDPR is here to stay. Indeed, other parts of the world are following the EU’s lead – such as the state of California. Data protection is a global requirement and organisations can’t afford to make the training mistakes we’ve highlighted, especially with record fines being handed out. What’s more, the public are just fed up – two-thirds of people in the UK still don’t trust organisations with their data. It’s high time to fix GDPR training and empower your people to reduce the risk of a costly data breach.
A fast-paced, engaging game designed to embed core GDPR principles to reduce the risk of data breach by employees.