Tips on running a cybersecurity awareness training program

GDPR requires relevant data protection training for personnel who have permanent or regular access to personal data (Article 39 lists it among the data protection officer's tasks). It does not, however, define what that training should contain. As a result, training can fall short in key areas that are designed to protect the personal data controllers and processors handle. Here is a look at the top areas to include in order to stay compliant.

7 Principles of GDPR

Staff need to understand the principles of data protection first, because they frame every other training topic. Article 5 sets out seven: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Working through them develops an important awareness among personal data handlers of what safe treatment of data actually means in practice.

GDPR Rights of Individuals

These rights are the core of data protection and include the right of access, the right to object, the right to erasure (the "right to be forgotten"), and the rights to rectification, restriction and data portability. Training should cover how these rights are exercised in practice. For the right of access this is the formal data subject access request (DSAR); the other rights are exercised through similar requests. Companies must respond without undue delay and within one month (extendable by a further two months for complex or numerous requests), and free of charge unless a request is manifestly unfounded or excessive.

Types and Categories of Personal Data

Training should cover ordinary personal data, the special categories of personal data under Article 9 (for example information about religious beliefs, sexual orientation, racial or ethnic origin, health, and biometric or genetic data), and the data that receives its own additional protection, such as children's data and criminal conviction and offence data (Article 10). Staff need to recognise these categories because the lawful bases and safeguards for handling them differ.

Data Protection Roles & Responsibilities

GDPR defines several roles, including the data controller, the data processor, the data subject, the data protection officer (DPO) and the supervisory authority (often called the data protection authority), and training should explain what each is responsible for and how they interact.

Fines and Infringements

Trainees should understand the significant two-tier fine structure for privacy infringements: up to €10 million or 2% of global annual turnover (whichever is higher) for the lower tier, and up to €20 million or 4% for the upper tier, which covers breaches of the core principles and of data subjects' rights. Enforcement case history should be included as a tool for bringing home the seriousness of data breaches and mishandling incidents to employees.

Safe Handling and Breach Reporting

Two other key areas the training should cover are how employees handle personal data day to day and how the data breach reporting process works. Personal data handling includes secure storage, secure disposal, technical controls (for example access controls and password hygiene) and physical security.
From a breach reporting perspective, it is important that employees know the incident reporting procedure and its timeframes: the controller must notify the supervisory authority within 72 hours of becoming aware of a reportable breach, so internal reporting has to be faster than that. Employees should know what to do if they suspect a breach and who to contact.

Next Steps

Finding data privacy awareness training that covers these core topics and assesses trainee competency is important for organizations. Visit our privacy awareness training solution for employees here.