GDPR and L&D - preparing to take a lead

Posted on Nov 10, 2016

L&D is needed to support the biggest change to data protection laws in 20 years.

The General Data Protection Regulations (GDPR) is an EU law scheduled to go into force in May 2018. It builds upon the Data Protection act of 1998 and includes some of the tightest controls on the use of personal data in the world.

The nature of today’s information-led businesses and the risk of severe consequences for non-compliance, means the GDPR has impact at the board level and then applies all the way to the shop floor at nearly every business in Europe. Keeping your learners up to date on what’s going to change and how the business is going to achieve these changes is an important a role for L&D teams.

A survey of IT professionals by Dell showed the majority of organisations don’t have a plan in place and many didn’t know the basic details of the regulations. But even the most prepared companies will need help from L&D teams to implement and communicate their plans for the new regulations.

Raising awareness of GDPR

So few people are aware of the new regulations that it’s likely to be a surprise to the majority of your workforce. The first step for L&D is understanding the implications. Any organisation that deals with the personal data of customers or employees will need to review all their current processes and implement new policies to take account of the changes.

It’s never too early to start raising awareness about an up-coming training programme. We’ve seen great results in compliance training through the use of campaigns to raise the profile of the issues that the business is facing. Materials can be designed and distributed that prepare learners for the training you will be implementing.

Can’t we just leave this until after Brexit?

The UK is not going to leave the EU before the GDPR comes into force in May 2018. And many experts predict that even after Brexit the UK government will choose to keep the GDPR rules in place to make it easier for companies who trade with the EU to comply.

Learners will need to understand that the GDPR is definitely going to affect them and there’s no way to avoid implementing the necessary changes. The Information Commissioner’s Office (ICO) have produced an overview of the main areas where the GDPR will affect organisations in the UK, Europe and worldwide.

Managing change for GDPR compliance

This is a timely opportunity for L&D to define its role in the process of GDPR compliance. The information commission are very clear that compliance will involve a review of all “internal data protection policies such as staff training”. Audits of the current data protection training will help establish where new training can be most effective.

When changes are driven from a shift in external regulations it can be harder for a business to drive the message home. Developing and leading a campaign and training programme to deliver that change should be part of the first steps in making a successful shift in culture.

Flexible training programmes

The GDPR rules suggest staff training as part of your data protection policy, as well as new roles like a Data Protection Officer where appropriate.

Training needs to be consistent and easy to deploy across the whole business. Using one digital training course with a variety of material and assessments tailored for specific types of workers balances consistency with the ability to adapt. Once training has been created, having a communications plan drives the message out and will raise awareness and encourage completion.

Sponge has worked on a wide range of compliance-related projects. Using an experienced external provider will ease the transition to the new regulations and ensure a successful roll out of your new data protection strategy.

7 of the most important things to do now on GDPR

A workforce training guide

You may also be interested in