9/6/21

Data Protection Training: the most effective training vol. II

In a previous article we talked about the value of training as an expression of the principle of empowerment and as an organisational safety measure. We now assess the benefits and characteristics that make training effective.

Training as a safety measure

Organisations must include the Human Factor among the most impactful risks to business resilience. Have your staff been trained to recognise, mitigate and manage a personal data breach?

IT security, as a technical measure under Article 32 GDPR, is not just a product that can be purchased at any price; it is a process whose focus, the element that keeps attention and the culture of personal data privacy and information confidentiality high, is the (natural) person.

By adopting and implementing an effective staff training plan, a data protection culture can be instilled in the organisation. All personal data and corporate information represent a digital asset that must be understood in order to be put to good use.

A training plan must be effective. Training activities, possibly repeated over time, must be modulated and differentiated, taking into account the different training needs of authorised persons, on the basis of the different level of responsibility for processing personal data.

The organisation must regularly verify the effectiveness of the training plan from (i) a quantitative point of view, for example by verifying the number of persons who have participated in each training activity, and (ii) a qualitative point of view, verifying the level of knowledge and awareness reached by its personnel. On this point, an organisation can assess the effectiveness of its training plan by, for example, testing its staff through so-called phishing or vishing tests. The tests must be conducted without affecting the dignity of the workers involved. The results of the activity must express, by means of aggregated data, the level of attention and prevention of the authorised persons.
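As an added example (not code from the article or its author), the following Python script shows how the results of a phishing simulation can be turned into the two kinds of check described above: a quantitative one (how many authorised persons completed the course) and a qualitative one (click and report rates, and whether trained staff behave differently from untrained staff). All results are reported only as aggregates per department, and departments smaller than an assumed threshold (`MIN_GROUP_SIZE`, a hypothetical value) are merged into an "other" group so that no figure can be traced back to a single worker. The records in `SAMPLE_RESULTS` are constructed, not real data.

```python
"""Aggregate phishing-simulation results into department-level metrics.

Hypothetical example: the data model, the threshold and the sample records are
all assumptions made for illustration, not part of the original article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Departments with fewer rows than this are not reported on their own, so that
# an aggregate never identifies an individual (assumed threshold).
MIN_GROUP_SIZE = 5


@dataclass(frozen=True)
class SimulationResult:
    department: str
    trained: bool    # completed the Data Protection eLearning course
    delivered: bool  # the simulated phishing e-mail actually reached the person
    clicked: bool    # the person followed the link in the e-mail
    reported: bool   # the person reported the e-mail to the security team


# Constructed sample records (not real data).
SAMPLE_RESULTS = [
    SimulationResult("finance", True, True, False, True),
    SimulationResult("finance", True, True, False, True),
    SimulationResult("finance", True, True, True, False),
    SimulationResult("finance", False, True, True, False),
    SimulationResult("finance", False, True, True, False),
    SimulationResult("finance", False, True, False, False),
    SimulationResult("hr", True, True, False, True),
    SimulationResult("hr", True, True, False, False),
    SimulationResult("hr", True, True, False, True),
    SimulationResult("hr", False, True, True, False),
    SimulationResult("hr", False, False, False, False),  # e-mail not delivered
    SimulationResult("legal", True, True, False, True),   # small group: merged
    SimulationResult("legal", False, True, True, False),
]


def _rates(rows):
    """Click and report rates over the people who actually received the e-mail."""
    delivered = [r for r in rows if r.delivered]
    n = len(delivered)
    return {
        "participants": n,
        "click_rate": round(sum(r.clicked for r in delivered) / n, 2) if n else 0.0,
        "report_rate": round(sum(r.reported for r in delivered) / n, 2) if n else 0.0,
    }


def aggregate_by_department(results, min_group_size=MIN_GROUP_SIZE):
    """Qualitative check: per-department rates, with small groups merged."""
    groups = defaultdict(list)
    for r in results:
        groups[r.department].append(r)
    report, small = {}, []
    for dept, rows in sorted(groups.items()):
        if len(rows) < min_group_size:
            small.extend(rows)  # suppress the group, keep its rows for "other"
        else:
            report[dept] = _rates(rows)
    if small:
        report["other"] = _rates(small)
    return report


def training_effect(results):
    """Compare the behaviour of trained and untrained staff across the whole organisation."""
    trained = [r for r in results if r.trained]
    untrained = [r for r in results if not r.trained]
    return {"trained": _rates(trained), "untrained": _rates(untrained)}


def participation_rate(results):
    """Quantitative check: share of authorised persons who completed the course."""
    return round(sum(r.trained for r in results) / len(results), 2) if results else 0.0


if __name__ == "__main__":
    print("course participation:", participation_rate(SAMPLE_RESULTS))
    for dept, metrics in aggregate_by_department(SAMPLE_RESULTS).items():
        print(dept, metrics)
    print("training effect:", training_effect(SAMPLE_RESULTS))
```

The comparison in `training_effect` is the figure worth tracking over time: if the click rate of trained staff does not fall below that of untrained staff, the course content or its delivery needs to be revised rather than simply repeated.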

Training? How?

An effective training plan can be delivered through face-to-face meetings and training courses, delivery of digital materials, or through training courses in eLearning format.

In order to be effective, a distance learning tool should have the following technical features:

  1. Propose videos of short duration, in order to keep a high attention level;
  2. Provide intermediate and final tests to check learning;
  3. Demonstrate participation.

An eLearning course on Data Protection, in addition to analysing the definitions and the legal background, should focus on and deepen those "minimum" organisational measures that an organisation should implement: criteria for the composition of a secure password, behaviour to prevent phishing attacks, correct use of IT tools, behaviour in case of a security incident, Clean Desk Policy, management of privacy information and consents. Digital learning (eLearning) is certainly the easiest way to train one's staff, given the intuitiveness and usability of this tool.

A training plan must aim to raise the level of attention, responsibility and, consequently, security, in the people who make up an organisation.
The training activity will lead to:

  1. Proper handling of requests by data subjects to exercise a right;
  2. Proper handling of personal data breaches and incident response;
  3. Reducing the risk of sanctions: in the recent sanctioning measures, it is noted that the inspections of the Guarantor (the Italian data protection authority) have very often found compliance defects concerning the lack of organisational security measures, which, more often than not, took the form of absent or inadequate training of the organisation's staff.