Why data protection reform needs a revolution in compliance…
New rules are moving closer which could see record fines for organisations breaching EU data protection law, no matter where in the world they are based.
With so much at stake, data protection is likely to become a top training priority, but meeting this new standard will require a shake-up in compliance training.
Giovanni Buttarelli, European Data Protection Supervisor.
“Europe must seize the opportunity to be at the forefront in shaping a global standard for privacy and data protection, a standard centred on the rights and the dignity of the individual." -
The European Union (EU) has been talking about data protection reform for a good few years now, but in June (2015) negotiations on the General Data Protection Regulation (GDPR) entered their final stage. Some analysts think agreement might even be reached by the end of the year.
When they finally arrive, the new rules will have wide-reaching implications…literally. For the first time, any company in the world will have to comply if it deals with the data of EU citizens.
The EU is seeking to set high standards in data protection and the final draft of the legislation is likely to include requirements for greater online privacy and the ‘right to be forgotten’ where people can ask for their personal online data to be deleted. The general consensus is that the final version of the GDPR will require businesses to implement a greater level of data protection compliance.
Coupled with this higher standard will be a much tougher penalty regime – how does a €100 million fine sound? This eye-watering figure could be a reality for the biggest global businesses, as the EU is looking to introduce fines of up to 5% of global annual turnover for serious breaches.
The key points: General Data Protection Regulation
- Faster response
Companies must respond more quickly to a data breach and notify customers within a set time frame. The limit could be set between 72 and 24 hours.
- Wider reach
As well as covering EU organisations, the new regulations would apply to all non-EU companies that process the data of EU citizens obtained while doing business in the EU.
- Right to be forgotten
People will have the right to ask for their personal data to be erased without undue delay, subject to a few exceptions.
- Privacy by design
There could be a clause in the final draft which requires organisations to build in privacy measures such as encryption into their data processes.
- Heavier fines
From a capped penalty, fines will jump to as much as €100 million, or up to 5% of worldwide turnover for organisations in breach of the rules.
A collective sigh
Most top performing companies are already doing a great deal to train their staff in data protection compliance, but the truth is they will inevitably have to do more to prepare them for the new standards.
Compliance training of any kind has a reputational problem and data protection is no exception. Employees often complain that compliance is the most boring training they have to undertake, so expect a collective sigh from the workforce when they face a new raft of data protection courses.
But it doesn't have to be like that. There are ways to make data protection compliance training less of a chore and ultimately improve its effectiveness by making it easier for staff to absorb and retain what they need to know.
Given what’s at stake in terms of money and reputation, the old-style tick box attitude to compliance training is really not an option.
How to revolutionise your compliance training
- Focus on relevance
Explain why the training is necessary and how it is specifically relevant to the learner. Use interactions to help people understand their responsibilities.
- Be clear on consequences
Spell out the implications of getting it wrong for them as individuals. Use real life examples and video clips to highlight the impact.
- Use realistic scenarios
Allow people time to practice their judgement by tackling challenging realistic scenarios. Use interactive video or game techniques to bring them to life.
- Keep it bite-size
Don’t expect to cover everything in one go, especially for complicated topics. Focus on a few key messages and break the training down into manageable chunks.
- Play on empathy
Try to make an emotional connection using storytelling, images or video. Highlight the human impact of a data breach.
Tesco , John Lewis and Boehringer Ingelheim are among the companies we've been working with to make compliance elearning more engaging and effective.
Here are a few examples to provide some more inspiration on how to revolutionise your approach data protection compliance training.