“GDPR Training” is a MOVEing Target

Data Protection training is a key issue in the Data Protection Commission’s recent Decision on MOVE (DPC Ref: IN-20-7-1). This Decision has a number of aspects to it that my colleagues will be looking at in more depth over the next few weeks. As Carey pointed out in her blog, this was a “meat and potatoes” decision.  A lot of the issues raised by the Data Protection Commission may not be spectacular or exciting, but they’re ubiquitous.  These are issues and decisions you’ll find on the plates of organisations all over Ireland.

As I’ve been focusing a lot lately on launching our new public eLearning portal Castlebridge Data Education, I’m meditating on the training-related aspects of the decision. These are things that every organisation in Ireland faces at some level. The DPC’s Decision in MOVE is important for anyone looking at data protection courses in Ireland or data protection training courses online, and it speaks to the need for organisations to invest in data literacy and data protection literacy for staff.

Data Protection Training is a key organisational security measure

While the investigation took place on foot of a data breach involving losing personal data on SD cards that MOVE had reported, the Data Protection Commission emphasized as part of its findings that appropriate training is a key organisational measure to protect the integrity and confidentiality of personal data. The Data Protection Commission found that, despite having policies, procedures, and training in place, MOVE Ireland had not kept up with the risks, implemented appropriate technical controls, or ensured that staff were actually aware of the importance of protecting data.

One of the corrective measures the Data Protection Commission ordered is to institute “Adequate data protection training for staff and measures to promote the awareness of staff with regard to data protection requirements relating to their roles and responsibilities and MOVE’s policies and procedures”

So, what does that mean?

Consider your data and the context of processing. What level of training is necessary and appropriate?

A GDPR Orientation course may be appropriate for general orientation for all new hires, but people in different roles may need more detailed role-based training.  (Castlebridge offer general orientation eLearning and live courses at different levels.)  The Data Protection Commission assessed MOVE’s training adequacy in the context of the sensitivity of the data and risks related to the processing.

MOVE reflects the importance of training and awareness in its own policies and it provided one training session to staff in November 2018. Considering the high risk of the processing activities related to the recording of group sessions, I find that a once off session cannot be considered appropriate to the level of risk.

The upshot of this is that organisations must take into account the kinds of data and processing they’re doing when assessing their GDPR training programme, and make sure employees are provided with training appropriate to their roles and to the context of the data processing they do.

Are new hires getting the same quality of training as people who were with you in 2018?

The Data Protection Commission’s findings in the move case highlighted that staff who’d been with the charity in 2018.  However,

 “MOVE stated that facilitators are employed on a one year contract (from August to July) and it did not provide any documentation that facilitators were given further training after November 2018 and before the personal data breach. For example, it might be possible that a change of the facilitators happened since November 2018 and new facilitators may or may not have data protection training appropriate for MOVE’s processing.”

This is a very common situation. We saw a lot of this in the run up to May 25 2018 and the next few following months as everyone was rushing to complete gap analyses and reach “GDPR compliance” before deadline, expert trainers like my Castlebridge team members were stretched thin trying to meet the demand for GDPR training.  But many organisations made a common mistake of going,  “Well, the GDPR thing is done. Now let’s move on to the next thing”.    MOVE is far from alone here.

Data Protection, of course, is an ongoing requirement, and new hires need the same level of training that employees and staff got in 2018.  Training is not a one-and-done tick box, and the Data Protection Commission will look for appropriate on-going refresher training as necessary. Therefore, your approach to training needs to be flexible and scalable. It needs to allow you to make changes in response to changes in policies, technologies, legislation, or enforcement. It needs to be part of a continuous improvement philosophy, as Carey points out in her post.

What kind of follow-up and follow-on do you need?

In the MOVE breach investigation, the Data Protection Commission looked for evidence of any refresher training provided to staff members and didn’t find any.  This was a notable mark against them.

“MOVE’s duty regarding training and awareness is not limited to once off training modules. In light of the sensitivity of the personal data handled by facilitators, I consider that an appropriate level of security must include ongoing data protection and awareness training to facilitators. Therefore, the training methods demonstrated by MOVE did not meet standard required by the GDPR.” 

I’ve had a number of familiar faces in some of Castlebridge’s public training courses. In some cases, delegates from our “Data Protection Essentials” training wanted to deepen their understanding of the data governance and practical application aspects of GDPR compliance, and signed up for a “GDPR Advanced” course, or specific workshops on Data Protection Impact Assessments or process documentation to build effective Registers of Processing Activities. In other cases, they were looking for more role specific training, so that teams in different functional areas understand the requirements for compliant marketing or CCTV usage.

When planning training strategies for data protection, or other data skills, organisations need to consider how to support learners who want to refresh or update their knowledge. They also need to consider how they will enable staff to develop deeper knowledge in areas relevant to their roles. This “contextual competence” is a key factor in data literacy in general as people need to understand data, data skills, and the rules about using and protecting data in the context of their roles and their day to day activities. For Data Protection it reflects the fact that the HR team will have different deep-learning needs in respect of data protection laws and practices than the Marketing team.

Finally, how can you demonstrate that the training is effective?

Do you know if people actually understood what was in the training they received and can apply it to what they are doing with data in the context of their roles?  The question here is not just whether your employees have received training, but whether they are building competencies and skills. This is a focus in building data literacy in general, but it is fundamental for GDPR compliance.

A key point from the Data Protection Commission here, is that MOVE had no way of showing that

“Moreover, it does not appear that there were any measures in place to prevent facilitators even to use their own personal SD Cards .These risks are borne out by the fact that MOVE was unable to confirm what personal data may have been on the SD Cards which went missing. In this case, it was pivotal to have effective measures in place to provide oversight of compliance with the policies and procedures, as well as an effective record/tracking and storage system of SD Cards.”  

Furthermore, MOVE did not provide any documentation or records of refresher training for existing or renewed staff.

Three questions to ask here when you are assessing the effectiveness of your training are

• Can you identify change in behaviour?
• Do your controls enforce the correct behaviour?
• How do new team members get data protection training (or other data skills training)?

How should the Data Protection Commission’s Decision inform training plans for organisations?

The Data Protection Commission’s decision brings focus on the need for data protection training to be treated not as a cost but as an investment. It is an investment in both compliance and risk management controls, It’s also an investment in developing staff competencies and capabilities so they can carry out their daily tasks correctly and in a compliant manner. And that saves money in the long term!

Training needs to be brought beyond the “classroom” (or Zoom meeting) and into day to day data management of data and governance defining and enforcing policies and procedures. Data Protection Training is part of a holistic strategy for compliance.  It must be responsive to assessment of risk, and it must inform how people make decisions with personal data. It must also be responsive to the practicalities of the organisation. Therefore, it needs to support different learning modes and options so that busy staff can access effective learning in the most effective way. It also needs to scale to handle the needs of the organisation as a whole and individual learners looking to develop deeper knowledge relevant to their roles. And it also needs to support different modes of engagement from team members who are working in a Connected Working environment from different locations.

And, as MOVE learned the hard way, that is not necessarily an hour of PowerPoint presentations once every year or so.

How We Can Help

Castlebridge has over a decade of experience developing and delivering class-room based, instructor led on-line training, and e-learning. We help organisations change how people think about data through effective training and management education on the business of data. We have pioneered the use of online courses to develop data protection skills since 2010 (including designing courses for the Law Society of Ireland and others).

1. We offer public on-line instructor led courses and (subject to public health restrictions) classroom based courses on data protection and other data management skills
2. Our online learning portal DataEducation.ie has just been relaunched and we will be rolling out additional courses and additional learning options, including instructor supported course options, over the next few months.
3. We can develop custom in-house training and skills development programmes for clients using a blend of e-learning, instructor led on-line workshops, or coaching. Get in touch to find out how we can help.