Training staff in Data Protection is often considered unnecessary, on the belief that an organisation's degree of accountability can be expressed only through purely documentary compliance.
On the contrary, training the staff who process personal data and company information daily by means of IT tools must be considered the fundamental step in a broader process aimed at data management that is lawful, organised through fluid procedures, and secure.
The Italian legislator had to abandon the paternalistic conception of privacy and move towards an approach that holds those who process personal data, be they data controllers or data processors, accountable.
Minimum security measures no longer exist. In view of the principle of accountability, organisations that process personal data must independently determine the appropriate technical and organisational security measures to ensure a level of security appropriate to their level of risk.
Only organisations that know their data and their organisational structure are in a position to assess which measures need to be implemented, taking into account a number of factors: the state of the art, the costs of implementation, the nature, subject matter, context and purposes of the processing, and the level of risk in relation to the probability and severity of the resulting impact on the rights and freedoms of individuals.
Training as an organisational measure
What organisations generally underestimate is the set of organisational security measures, because most of the time they focus on technical and technological ones.
However, the highest risk factor is the human factor.
Creating a training plan for employees is certainly key to achieving more efficient organisational security measures.
Provisions such as Article 29 GDPR and Article 2-quaterdecies of the Privacy Code refer to the authorisations to process personal data and the instructions on how to process it that the organisation must give to its staff. However, the documents appointing a data controller or a person authorised to process personal data are "empty boxes" if the recipient/employee has not received adequate Data Protection training in relation to the company function they hold and the activities they actually perform on a daily basis.
The only exception to the lack of a reference provision on training is Article 39 of EU Reg. 2016/679. With respect to the tasks to be carried out by a Data Protection Officer, this provision refers specifically to training as a component of an organisation's policies when it states that the DPO must (i) inform and advise the employees who carry out processing and (ii) monitor compliance with and enforcement of data protection provisions as well as the controller's or processor's policies, which include awareness raising and training of the staff involved in processing.
The risk for any type of organisation is to treat "privacy" and the protection of personal data as mere paperwork.
So, how is training also a security measure? And above all, what are the tools that make training effective?
We will discuss this in a second article 😉
At NSI - Think Outside the box, we are digital enablers and believe that technology enables innovation. Quite simply.
NSI Academy is our dedicated training space, where you can acquire the fundamental principles and operational skills essential for the proper management of personal data.
Write to us!