Why aren’t organisations taking GDPR training seriously?
21st March 2018
Just two months to go before the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and most organisations still aren’t ready. And many of those who are taking steps towards GDPR compliance aren’t prioritising employee training.
Surveys across the globe tell the same story:
- 89% of organisations are still confused by GDPR (UK)
- A third of businesses do not feel prepared for GDPR (USA)
- Only 2% of companies are ready for GDPR (Germany)
- Three quarters of firms not ready for GDPR (Republic of Ireland)
In the UK, a new Government survey has highlighted a widespread lack of GDPR awareness among organisations, despite all the publicity campaigns.
The report, Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act, found that just 38% of businesses surveyed had heard of GDPR. Awareness is higher where senior managers take security seriously.
Equally worrying is that even where organisations are aware, they’re not training their staff – just a fifth of the 38% of aware companies have introduced additional staff training.
The UK isn’t alone in this failing. In Ireland, surveys show that many businesses don’t have staff training in place either.
Why aren’t companies implementing GDPR training?
There appears to be several reasons why organisations aren't responding to the training needs presented by GDPR:
- They think GDPR is a systems/IT/legal issue only and doesn’t involve wider staff
- They don’t regard training as a business priority / lack of support from the top
- They’re confident their staff already have the data protection training they need
- They agree training is needed but don’t know what training is best
- They want to introduce training but are behind schedule
- They’re waiting to see what other organisations do first
- Budget constraints / fears that GDPR training will be costly
Leading UK data protection lawyer Nicola Frost says that “buy-in from the top” is key to ensuring that staff are trained and she warns that a breach involving an untrained employee will be viewed unfavourably by the regulators, the Information Commissioner’s Office.
GDPR makes ‘data protection by design’ an obligation. Training and awareness is an important part of this. So why isn’t it happening? The good news is that it’s not too late to get your staff trained. And, once in place, it’s simply a case of reinforcing and updating it.
Actions L&D can take
In August 2017 we wrote about the lack of boardroom support for GDPR training and how L&D were the people best placed to turn the situation around. They need to use their influence to secure funding and support for employee training.
In her recent blog, Elizabeth Denham, the UK’s Information Commissioner, went as far as to say: “Staff are your best defence and greatest potential weakness – regular and refresher training is a must.” If your managers still need any persuading, then take that quote to their office!
GDPR training doesn’t have to be complicated or costly. We advocate tailored training for your high-risk personnel and advise that representatives from the Board and L&D also undertake it.
A blended learning programme keeps it engaging and is part of everyday working. Ongoing reinforcement learning and performance support will then embed it, so that in terms of staff training, you are doing all you can to meet GDPR’s ‘design and default’ requirement.
For all other employees, a GDPR game offers the awareness training they need. GDPR – Sorted! has been developed by Sponge specifically to embed the core regulations in wider teams. These staff need to be aware of the risks they might come across in their work and be able to identify them promptly.
The digital game is experiential, allowing employees to see the consequences of their decisions, and it can be accessed for repeated practice on devices or computers. The game can also be updated in line with future GDPR changes.
There’s no need to panic. But there is a need to act. You can’t have data protection ‘by design and default’ if you don’t train your staff.