The introduction of the GDPR in the EU has had many far-reaching consequences for small and large organisations alike. Many organisations are still uncertain about how to exactly implement the GDPR in their daily operations. Additionally, failing to comply with the GDPR can have grave consequences, ranging from heavy fines to serious security breaches. That’s why it’s important that everyone in the organisation knows how to deal with data on a day-to-day basis. In this blog, we’ll talk about how awareness training might prove useful for GDPR compliance.
The GDPR was introduced by the EU in May 2018 to better inform consumers about how their personal data is used and to enforce better data handling and protection in organisations.
As a result, the GPDR introduced many rules regarding the handling of personal data and the prevention of security breaches. These rules are enforced under threat of large monetary sanctions for non-compliant organisations.
Even though the GDPR has now been in effect for over 2 years, many people are still confused about how it affects them and their organisation. For instance, it can still be unclear what constitutes personal data, what actual good data handling practices are, or what the consequences of not complying with the GDPR can be.
This already requires a lot of effort to enforce the GDPR and to have IT experts to keep up with, so it is only normal that many members of the team are a bit lost on how to deal with the GDPR and personal data in their work.
Let us briefly illustrate how confusing personal data can be. Many people likely don’t quite know what personal data means – other than it is information about a person. It quickly gets complicated when you start asking questions like: Is your shoe size categorised as personal data? And what about your hair colour?
Personal data is a lot of things and it can be unclear what exactly is or is not considered personal data. Almost everyone in your company comes in touch with personal data every day however, so it is important that they understand what it is.
We’ll briefly define personal data here. You can read much more about it in some of our other blog posts.
The GDPR defines personal data as:
“information that relates to an identified or identifiable individual”
In other words: If any piece of information is about a particular person or leads to a particular person, then it is considered personal data.
As you can see in the image, personal data includes a lot of things! Even shoe size and hair colour can be included. I’m sure you can think of many more examples that aren’t shown here.
It’s important to note that personal data doesn’t only include text. An audio recording, a photo, or a video with identifiable information is personal data as well.
Unfortunately, the confusion does not end there. Personal data can further be divided into two categories, depending on how sensitive a piece of information is. It is important that your team can recognise sensitive personal data because stricter rules apply for handling it. This is due to that fact that a breach in such sensitive data could have more significant consequences for the people affected. It could for example lead to discrimination or threats of physical harm.
These do not necessarily require permission to be handled, but you still need to be considerate and use common sense.
These are sensitive personal data, and any handling requires special attention – and often permission.
A good way to remember how to properly handle personal data is to think of it as something you are borrowing from a friend, illustrated in the poster here. You can download this poster and others from here.
Now you know what personal data is. You also know that it is important to safely handle personal data. The key question of course is: does everyone else in the company also know that? And if they do, do they know how to go about it?
It is indeed very important that this knowledge rests not just in the IT department but that all staff in the organisation are aware of it and know how to act on it. However, as we mentioned earlier, it can be difficult for staff to keep up with data regulations on their own.
To illustrate the importance of this, let us look at what could happen when safe data handling practices are not well understood.
A security breach generally means that some or all personal data that is handled in the organisation is, accidentally or maliciously, released outside the organisation.
When people think about security breaches, think about malicious, expert hackers attacking the organisation’s IT systems and stealing data.
However, often security breaches happen due to human error. This problem has two sides. One side is people making mistakes or handling data trivially because they lack knowledge about the importance of safe data handling practices. For example:
On the other hand, people being unaware means that most hacking attacks try to exploit humans instead of IT systems. Thus, they are more likely to fall prey to social engineering attacks, such as phishing emails, that may lead to a data breach.
Of course, technical cybersecurity remains a vital part of keeping your organisation safe. Various technical tools can be used to reduce the risk of security incidents, like:
However, while technical tools certainly succeed at being very complex, they are not 100% effective at keeping out all threats. They are only half the battle and cannot improve:
These are things that only the staff themselves can fix and prevent. And luckily, all staff are easily capable of this, given the right tools and training.
Your strongest defence against security incidents is a comprehensive awareness among all staff combined with clear processes for handling data. Simply put: all staff need to clearly understand the what and how of GPDR and personal data.
Awareness training is one of the tools your organisation can use to greatly improve your team’s knowledge about cybersecurity and safe data handling.
As we described earlier in this blog post, personal data can be complicated. You cannot expect that all staff are experts in the GPDR. Therefore, an awareness training programme that regularly provides staff with clear, simple, and practical explanations and examples about how to safely handle personal data can be of great help in improving staff’ behaviours.
Furthermore, when people are aware of the dangers that cybercriminals pose, they are more likely to detect phishing attacks and less likely to make other errors, such as storing data incorrectly.
Next to awareness about cybersecurity and the importance of safe data handling, staff also need to be aware of the specific processes and responsibilities regarding information security in your organisation. Simply put, it is the task of the IT department and the management team to set up clear processes that staff can follow and to appoint people that can function as a central point of advice regarding everything relating to GDPR and information security.
Getting started with awareness training is easier than you might think. It all comes down to giving people knowledge about personal data and cybersecurity in a way that they can easily understand and remember it.
That’s why it’s a good idea to transfer this knowledge in multiple ways and through multiple channels, to really make awareness about cybersecurity present in everyone’s mind.
You could, for example, combine various forms of e-learning and classroom learning. E-learning to achieve a certain continuity and to encourage staff to learn at their own pace. Classroom learning to exchange ideas and put knowledge into practice. You can read more about how to optimally combine these two forms of learning here.
However, there are many more possibilities for organising a good awareness training programme. You can get pretty creative if you want to, for example with the use of gamification elements. Below we list some examples of different awareness training formats:
E-learning: Short online learning modules consisting of videos, text, quizzes, and more.
Classroom learning: Longer sessions given by an instructor. This can encourage discussion or to invite an expert.
Simulations: Phishing and other cybersecurity simulations give people the opportunity to practice their knowledge in realistic security incident situations.
Workshops: For example, a workshop where staff can place themselves in the shoes of a cybercriminal and learn to understand how a cybercriminal thinks.
Freely available online material: There are many learning sources and other materials available online for free. This ranges from YouTube videos to government campaigns to posters and diagrams you can hang up around the office.
Group activities & games: These can be in a variety formats, for example an escape room or a Cluedo-like scenario where the team must figure out how and by whom the company was infiltrated.
Just know that there are many more possibilities of organising awareness training. You can choose the formats that best fit your organisation and needs, as long as you ensure that it adds value to your team. A good awareness training is one that staff do not see as a burden, but one they may even look forward to.
Successfully applying awareness training techniques results in staff that are intuitively aware of what they need to do in their own daily workflow to comply with the GDPR, while also improving the general cybersecurity in the organisation. In the end, staff who are aware might just turn out to be your strongest line of cyber defence! You can read more about measuring the effect of your awareness-training here.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.