GDPR Training: What to Consider
With the EU General Data Protection Regulation (GDPR) just around the corner, it’s time to consider why GDPR training is useful, and how to decide on appropriate courses to attend, writes Olivia Whitcroft, solicitor and principal of information law specialist OBEP.
Who will have training?
Organisations will need to comply with the GDPR from May 25th 2018, and training can assist individuals working for those organisations to understand and apply the new rules.
But which individuals will have training and what training should they have? This article refers to "you" as the person looking to attend training, but there will be similar considerations for those who want to provide training for their staff, either by sending them to external courses or by designing courses in-house.
Some level of data protection training will be of benefit for everyone working within a business. The GDPR rules apply to the use of personal data about living individuals, and everyone is likely to have some exposure to this type of data or the systems which hold such data, whether such exposure is big or small. For IT contractors, training may be useful from the perspective of your own business as a contractor, and for the work which you undertake for clients.
However, not everyone will need the same type or depth of training. Training should be appropriate to your level of existing knowledge, and your work in handling data or dealing with GDPR issues. You should also consider what you want to achieve from the training -- for example an introduction to legal rules or more in-depth guidance on how to apply the rules to specific company/client procedures.
Existing data protection knowledge
Data protection laws are, of course, not new, and a lot of people will already have some knowledge of existing rules and how to apply them. The GDPR does, however, make key changes to some existing requirements, and introduces some new ones too.
For those new to data protection, you may not need to get your head around the detail of how the current rules are changing. You can start data protection afresh under the GDPR. You will probably want to start by attending training that gives a good overview of data protection rules under the GDPR, and can then move on to a more detailed course depending on your role or contract.
If you already have a good understanding of the existing rules, some of your tried and tested knowledge will need updating in line with GDPR requirements. You may want to focus on training covering key areas of change, for example:
- new requirements for accountability, breach management, data protection impact assessments, additional rights of individuals; and
- changes to existing requirements for privacy notices, subject access requests, legal basis for processing (including consents), data processor obligations and data processing contracts.
Having said that, unless you are already very comfortable with existing law, learning about the GDPR may be a good opportunity for refresher training across all areas.
Your role/involvement in handling data or dealing with GDPR issues
- DPO: The GDPR sets out the role of a Data Protection Officer (DPO) (though not all organisations will need to appoint one). If you are going to be a DPO for an organisation, you will need to be involved in all matters relating to data protection. The GDPR provides that the DPO shall be designated on the basis of professional qualities and expert knowledge of data protection. This does not require any specific qualification or training, but training will need to be in-depth, given the responsibilities involved. You may wish to consider a week-long training programme.
- Advising the business on GDPR issues: If you have a role in advising a business on GDPR issues, you may need in-depth training similar to a DPO. You are likely to need legal and technical knowledge of the GDPR, as well as how to apply it in practice. Courses giving a detailed analysis of GDPR requirements may therefore be useful for you.
- Responsibility for specific GDPR matters. If you have some responsibility for particular GDPR issues or procedures within a business, you may want to focus your training on those areas. A lot of training providers run days or half days of topic-specific training to assist with this. So, for example, if you sit within technology or information security teams, training on security risk assessments and data retention may be of benefit. If you are responsible for responding to subject access requests, training on individuals' rights would be useful. HR personnel may wish to attend training focused on use of employee data.
- Handling personal data: To the extent you collect, store, access or use personal data on behalf of a business, training with a practical element may be of benefit, rather than just an overview of what the GDPR rules are. For example, workshops which put GDPR rules into the context of common scenarios can be very helpful. If training is being conducted in-house, it can also go through specific company policies and procedures.
- Designing or managing systems which handle data: If you assist in selecting, designing or managing systems or processes which will store or use data, you will want to be familiar with how the rules impact those systems or processes. So, for example, IT contractors working on new technology may be particularly interested in training on matters such as information security, data protection by design and default, data protection impact assessments, and other risk assessments under the GDPR.
- Everyone else: As above, everyone within a business can benefit from some basic training in key GDPR areas, such as information security, recognising requests or complaints from individuals, and how to apply company policies and procedures. An hour or two is generally sufficient for this.
Industry-specific training in the General Data Protection Regulation may also be useful. For example, if you work in the health industry, you may want more guidance on the intricacies of using sensitive personal data, or if you work in the public sector, you may want training on how the rules apply differently to the private sector.
Other factors may influence what training you decide to attend, for example pricing and quality of training providers, resources to run training in-house, time availability to attend training, and whether you prefer face-to-face or online training. These matters can be researched before selecting which courses to attend.
When to attend training
Now is a good time to start your GDPR training, to be prepared for May 2018. In addition, I would suggest putting a note in the diary for next year to consider whether more training may be useful. Regular training on data protection can keep the key areas fresh in your mind, and ensure you are up-to-date on legal developments and guidance on applying the GDPR in practice.