How To Use GDPR Training for Security Compliance and Staff Awareness
Although the GDPR has been around for some time now, many organisations are still figuring out the best way to provide GDPR training and increase staff awareness of security issues. The GDPR has training requirements, which make it necessary for staff to receive some security awareness training. Still, there are many ways to implement GDPR awareness training for employees: it could be online, in person, or a mix of the two, and there are tons of topics to potentially cover. In this blog post, we discuss why security awareness training is important for both GDPR compliance and organisational security, and we break down how staff awareness training can help you achieve compliance with the GDPR and other cyber security frameworks.
Table of contents
- GDPR training can fill gaps in knowledge
- GDPR training for employees makes security everyone's job
- Common GDPR and security awareness training topics
- Most security breaches are due to human error, but they don’t have to be
- Technical tools can't stand on their own
- GDPR and security awareness training: turn your team into your strongest defence
- Security awareness training helps you meet GDPR training requirements and other cybersecurity certifications
- GDPR and security awareness training can be implemented in a variety of ways
- GDPR training for employees increases security awareness and helps you stay GDPR compliant
GDPR training can fill gaps in knowledge
The GDPR was introduced by the EU in May 2018 to better inform consumers about how their personal data is used and to enforce better data handling and protection in organisations.
As a result, the GDPR introduced many rules regarding the handling of personal data and the prevention of security breaches, organised around 7 principles for data protection. These rules are enforced under the threat of large monetary fines for noncompliant organisations.
Even though working with the GDPR has become normal now, it's common to be unsure of what you need to do in your organisation to be compliant. For instance, the roles of data processors and controllers, how to handle data transfers outside of the EU, and even what qualifies as personal data can be tricky to navigate.
Data security is the job of everyone within an organisation, not just the IT team. It’s also a topic that companies both large and small should take seriously. But most employees don’t have a lot of free time to study the GDPR or the latest IT security threats. That’s why awareness and GDPR training for employees is an important part of building a secure organisation. Through security awareness training you can, among other things, help your staff know how to deal with data on a day-to-day basis and bring your organisation closer towards achieving GDPR compliance.
Common GDPR and security awareness training topics
When it comes to the GDPR and IT security, there is a lot that your team should be familiar with. Security awareness training and GDPR training are complementary, as both deal with issues concerning data and IT security – so you can integrate the two topics seamlessly.
For example, personal data is a popular topic for GDPR training courses because it is something that remains confusing for many employees. Proper handling of personal data is really important for all employees to understand, as mishandling of personal data is involved in many of the most common GDPR breaches. Personal data is also the target of many cybersecurity attacks and data breaches, making it an important topic in security awareness training as well.
A few other topics to cover in your GDPR and security awareness training could be:
- What is phishing and how to spot a phishing email
- Lawful basis for processing personal data
- How to use the internet and Wi-Fi safely
- The 7 principles of the GDPR
- How to make and use strong passwords
You are also welcome to review our course catalogue, where you can find examples of courses we provide in security awareness training and GDPR training. What’s important is that security knowledge rests not just in the IT department, but that the rest of the staff in your organisation are aware as well. However, it can be difficult for staff to keep up with data regulations on their own. To illustrate the importance of this, let us look at what could happen when safe data handling practices are not well understood.
Most security breaches are due to human error, but they don’t have to be
A security breach generally means that some or all personal data that is handled in the organisation is, accidentally or maliciously, released outside of the organisation. It could happen, for example, when an employee clicks a phishing email, accidentally downloads malware or ransomware, sends personal data to the wrong recipient via email, or uses an unsafe public Wi-Fi connection.
When people think about security breaches, they usually think about malicious, expert hackers attacking the organisation’s IT systems and stealing data.
However, security breaches often happen due to human error. This problem has two sides. On one hand, people might make mistakes or handle data carelessly because they lack knowledge about the importance of safe data handling practices. For example:
On the other hand, when people lack security awareness, they are more susceptible to cyber attacks. This is because most hacking attacks try to exploit humans instead of IT systems. Thus, they are more likely to fall prey to social engineering attacks, like those used in phishing emails, that may lead to a data breach. That’s why training employees to recognize the signs of phishing emails is so important.
Technical tools can't stand on their own
Technical cybersecurity remains a vital part of keeping your organisation safe. Various technical tools, like mobile device management or SIEM and log management, can be used to reduce the risk of security incidents. A few other technical solutions include:
However, while technical tools are often highly sophisticated, they are not 100% effective at keeping out all threats. They are only half the battle and cannot improve:
- Staff behaviour: e.g., a firewall won’t prevent staff from granting access to data to the wrong people.
- Unclear processes when it comes to handling personal data.
- Lack of knowledge about cybersecurity.
These are things that only the staff themselves can fix and prevent. And luckily, all staff are easily capable of this, given the right tools and security awareness training.
Your strongest defence against security incidents is a comprehensive awareness among all staff combined with clear processes for handling data. This is why it is crucial to increase awareness through IT security training.
GDPR and security awareness training: turn your team into your strongest defence
Awareness training is one of the tools your organisation can use to greatly improve your team’s knowledge about cybersecurity and safe data handling. It’s also needed to be GDPR compliant:
- Article 39 requires that your data protection officer raises awareness and provides training to staff who are involved in data processing.
- Article 47 requires that staff who have permanent or regular access to personal data receive data protection training.
As we discussed earlier in this blog post, personal data can be complicated. You cannot expect that all staff are experts in the GDPR. Therefore, a GDPR training program that regularly provides staff with clear, simple, and practical explanations and examples about how to safely handle personal data can be of great help in improving staff behaviours.
Furthermore, when people are aware of the dangers that cybercriminals pose, they are more likely to detect phishing attacks and less likely to make other errors, such as storing data incorrectly or for too long.
Next to awareness about cybersecurity and the importance of safe data handling, staff also need to be aware of the specific processes and responsibilities regarding information security in your organisation. Simply put, it is the task of the IT department and the management team to set up clear processes that staff can follow and to appoint people who staff can contact with questions about the GDPR and information security. This could be, for example, your Data Protection Officer. Both an IT Security Policy and an Acceptable Use Policy are documents where these kinds of processes can be described.
The organisation needs to establish:
The staff need to be aware of:
Security awareness training helps you meet GDPR training requirements and other cybersecurity certifications
In the previous section, we went over the GDPR articles that refer to staff training requirements. Making sure that your company is GDPR compliant is top of mind for most organisations, and there are several frameworks that organisations use to help them maintain and document GDPR compliance. For example, some are industry-specific, and others are country-specific. Not all cybersecurity frameworks ensure GDPR compliance, but some of the frameworks’ requirements overlap with the GDPR and many frameworks require awareness training.
Below, you can see a few of the additional cybersecurity frameworks that organisations are using in their GDPR work and how security awareness training fits into each of them.
| Framework | Description | Awareness Training Requirement |
| --- | --- | --- |
| ISO 27701 | An extension of ISO 27001, which is an international standard for information security practices. ISO 27701 has additional requirements regarding personal data that ensure GDPR compliance | Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training |
| ISAE 3000 (GDPR) | An ISAE 3000 audit report documents whether an organisation complies with the GDPR. Depending on the amount of personal data your organisation processes, you would work with either ISAE 3000 High (for high levels of personal data) or ISAE 3000 Low (for low levels of personal data) | Requires the relevant training of personnel |
| CIS (Center for Internet Security Critical Security Controls) | Best practice guidelines for computer security with a list of actions organisations should take to prevent attacks | Control 14 requires a security awareness program to be created and maintained. Learn how to meet all the awareness training requirements in our blog post about CIS 18 |
| ISO 27001 and 27002 | International standard with best practice guidelines for information security management systems | Clause 7.2.2 requires that all company workers and necessary contractors receive awareness education and training |
| NIST | U.S. based framework with information security guidelines that organisations that do business with the U.S. federal government must comply with | To comply, an organisation’s managers, systems administrators, and systems users must be aware of security risks. Awareness training should cover how to recognize and report threats |
| CMMC | Soon to replace NIST in the U.S. Used for entities doing business with the U.S. government | There are several levels for compliance. Levels 2 and above, which indicate a minimum intermediate cyber hygiene, require awareness training |
| ISRS 4400 | Similar to ISAE 3000, but ISRS 4400 is based only on the criteria that the auditor is asked to verify | Requires the relevant training of personnel |
GDPR and security awareness training can be implemented in a variety of ways
Getting started with security awareness training is easier than you might think. It all comes down to giving people knowledge about personal data and cybersecurity in a way that they can easily understand and remember.
That’s why it’s a good idea to transfer this knowledge in multiple ways and through multiple channels, to really make awareness about cybersecurity present in everyone’s mind.
You could, for example, combine GDPR training online with classroom learning. E-learning can help you achieve a certain continuity and encourage staff to learn at their own pace. Classroom learning can facilitate the exchange of ideas and put knowledge into practice.
There are many possibilities for organising a good awareness training programme. Here, we have put together some tips for creating a training programme that your employees will enjoy. You can get pretty creative if you want to, for example with the use of gamification elements.
Different methods of GDPR and security awareness training
A few examples of GDPR training and security awareness training formats are:
Online GDPR training: Short e-learning modules consisting of videos, text, quizzes, and more.
Classroom learning: Longer sessions given by an instructor. This can encourage discussion or give you the opportunity to invite an expert.
Simulations: Phishing and other cybersecurity simulations give people the opportunity to practice their knowledge in realistic security incident situations.
Workshops: For example, a workshop where staff can place themselves in the shoes of a cybercriminal and learn to understand how a cybercriminal thinks.
Freely available online material: There are many learning sources and other materials available online for free. This ranges from YouTube videos to government campaigns to posters and diagrams you can hang up around the office.
For example, the European Union Agency for Cybersecurity (ENISA) has free materials to promote IT security. Additionally, the United States National Cyber Security Alliance (NCSA) has a free video series that you can share with your employees.
Group activities & games: These can be in a variety of formats, for example an escape room or a Cluedo-like scenario where the team must figure out how and by whom the company was infiltrated.
GDPR training for employees increases security awareness and helps you stay GDPR compliant
Aside from what we’ve already mentioned, there are many possibilities for organising security awareness training. You can choose the formats that best fit your organisational needs, and measure the effect of the training on your employees. A good awareness training program is one that staff do not see as a burden, but one they may even look forward to.
Successfully applying awareness training techniques results in staff that are intuitively aware of what they need to do in their own daily workflow to comply with the GDPR, while also improving the general cybersecurity in the organisation. In the end, staff who are aware might just turn out to be your strongest line of cyber defence!