Whichever GDPR-readiness survey you read, they’ll likely be telling you the same story: many organisations won’t be compliant when GDPR comes into force on 25 May, exactly four months away.
One of the most recent surveys, by SAS, has some startling statistics. In their global survey across multiple industries, they found:
- Only 45% of organisations have a structured plan in place to ensure GDPR compliance
- 58% of organisations aren’t fully aware of the potential consequences of not being compliant
- Unbelievably, just 26% of government organisations are aware of the impact of GDPR – the lowest awareness of all the industry sectors surveyed
Another survey, by leading research company, Gartner, predicts that at least half of affected companies will still not be ready by the end of 2018.
This reflects most GDPR data, including our own survey of L&D professionals during a live online session in January 2018. We found that over half (54%) were either still assessing their GDPR needs or had yet to execute the plan they’d drawn up. Only 16% were ready to roll out at that stage.
GDPR, or General Data Protection Regulation, is being introduced by the EU and has a global impact because any organisation offering goods or services within the EU must also comply. Potentially big fines might apply in the event of a serious breach, and for failing to notify a breach that has implications for people.
In the UK, GDPR replaces and beefs up the regulations in the existing Data Protection Act. The latest advice can be found on the Information Commissioner’s Office (ICO) website. The ICO has also produced a checklist to help organisations assess their readiness and see where they need to take action.
Training is at the heart
Employee training is a key requirement of GDPR. Indeed, it’s hard to see how data protection can be implemented “by design and default” without it. Organisations must at the very least provide and reinforce up-to-date GDPR awareness training for all personnel.
So why isn’t this happening everywhere?
While some organisations might simply have failed to grasp what’s needed, the ICO also believes that misinformation about GDPR is causing unnecessary panic. Might this be a factor behind some businesses fearing it’s too huge for them to even contemplate?
To allay concerns, the UK Information Commissioner, Elizabeth Denham, has stressed that GDPR is good for business and should be embraced.
Acceleration tips for L&D
In her blog, Denham describes GDPR compliance as “an ongoing journey” beyond 25 May and that “staff are your best defence and greatest potential weakness – regular and refresher training is a must”.
A dual approach in an answer.
High risk personnel will require a tailored learning blend to meet the organisation’s specific requirements. The beauty of a tailored blend is that it offers deep knowledge and constant reinforcement that’s delivered in engaging ways.
The general workforce must be aware of the risks they might come across in their jobs, so that they can identify them and prevent possible breaches. They only need to know the basics. For this audience, Sponge has developed GDPR – Sorted! – a digital learning game where employees learn the core rules. It’s experiential, in context, has scenarios, and can be replayed.
Head of Innovation at Sponge, Kate Pasterfield, explained: “The learning is designed so that employees have an instinctive response when they’re presented with risks in real life. They can instinctively see the risks and implement their behaviours.”
The two learning approaches have the same aim: to change behaviours by embedding learning at the level needed. Both are continuous and updatable. This means they can be done now to ensure compliance by 25 May and can be continued and adapted beyond the start date to maintain compliance.
And a final important tip – keep smiling! The ICO checklist highlights the need for positivity. We agree. This can only speed up the process. Managers and L&D should promote a positive culture of data protection compliance across the business, to ensure success.