Last Monday (9 April), the SFA's Helen Quinn spoke at the DataSec Conference in the session for small businesses. Data Protection Commissioner Helen Dixon gave a keynote speech in which she specifically mentioned SFA's contribution to GDPR awareness within the small business community. With only weeks to go before GDPR comes into force, data breaches and GDPR training for staff were the recurring focus of the conference. With this in mind, this week we focus on how businesses should ensure that all staff are trained for GDPR.
At the DataSec conference Helen Dixon emphasised that GDPR is a "front room to board room" process and that all "frontline staff" must be made aware of and trained in GDPR. So what should this training look like?
We share six key areas that this training should include:
1. What is GDPR?
All staff should receive basic training on the key principles of GDPR and how these will inform the day-to-day business operations that process personal data. They will need to know what counts as personal data and what counts as sensitive data, and how each of these must be treated. They should also understand the difference between a data controller, a data processor and a data subject.
2. Data subject rights
All staff should have a basic understanding of the rights of individuals under GDPR, including the right of access to their data, the right to be forgotten (erasure), the right to have their data rectified and the other rights they are entitled to under GDPR. This section could also cover record keeping and retaining personal data only for as long as necessary.
3. How to recognise and act upon a data access request
One of the key challenges under GDPR is the shortened timeline for responding to a data access request. Businesses must respond to a data access request within one month (this can be extended by a further two months only where a request is genuinely complex or the business has received a large number of requests, and the individual must be told of the extension within the first month) and in general no fee may be charged. It is essential that all staff, and especially frontline staff, are trained in and aware of what a data access request looks like, and of the different channels through which a data access request could arrive. These could include e-mail, a web form, a letter or even a message to your social media account.
4. Consent
All staff should have a basic understanding of the conditions for consent under GDPR in relation to personal and sensitive data. They should understand that consent must be freely given, specific, informed and unambiguous; presented transparently in language the customer can easily understand; as easy to withdraw as it was to give; and not made a condition of providing a service unless the processing is actually needed for that service. Training should also cover the need to document and record the consent that has been given, when and how it was given, and the specific purpose for which the data will be used.
5. Keeping data secure to prevent data breaches
Many businesses already have good guidelines on keeping data secure, such as not sharing it with third parties without authorisation and ensuring that personal data is stored securely. However, the consequences of getting this wrong are much more serious under GDPR, with mandatory breach notification and substantially higher fines. Training should emphasise this and the need to keep all personal data secure. In addition, the training should explain what a data breach is (including accidental loss, unauthorised disclosure or alteration of data, not only deliberate attacks) and how all staff can help minimise the risk of a breach by following the correct IT procedures.
6. Following the correct procedure in relation to a data breach
All staff should be made aware of how to report a suspected data breach and whom to contact within the business should one occur, so that the business can assess it promptly. They also need to know that the business has only 72 hours from becoming aware of a breach to report it to the Data Protection Commissioner, unless the breach is unlikely to pose a risk to individuals. Where a breach is likely to pose a high risk to the individuals concerned, those individuals must also be informed without undue delay.
SFA and Ibec will be introducing an online GDPR training course that will be ideal for all staff to avail of so that they are GDPR-aware and ready. We will announce details of it in the coming weeks.
In the meantime, if you have responsibility for GDPR in your business, why not avail of our one-day GDPR course for small firms on 11 May in the Ballsbridge Hotel, Dublin 4. Book here to secure your place, as only a limited number of places are available.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice