Getting Non-tech Employees Onboard with the GDPR
Effective May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) significantly expands electronic privacy protections for EU residents. But that doesn’t mean you have to be in an EU member state for the law to apply to you. Any company or person who collects or processes personal data (or makes decisions about collecting or processing the data) of EU residents is covered by the GDPR.
The GDPR replaces a prior EU Directive, but the GDPR provides much stronger protections. And it has teeth: failure to comply with the GDPR can result in heavy fines — up to the higher of €20 million (around $25 million, depending on conversion rates) or 4% of an organization’s annual gross revenue.
Companies covered by the GDPR have long prepared for the law to come into effect. IT professionals have had almost two years to plan for the GDPR, which the EU adopted on April 27, 2016. For example, companies meeting certain criteria should have established and filled the position of data control officer (someone who reports to the CEO, monitors data security, and protects personal data), and all GDPR-covered companies should have baked data privacy into the process of data-gathering and -storing.
IT obviously needs to be on board with the GDPR, but what about non-technical employees? Actually, workers who are less familiar with IT may be the most challenging to educate, and the ones most in need of education to ensure they do not mishandle personal data or fail to appropriately respond to a data breach.
Although the GDPR requires data protection officers to train their technical staff, the law says little about training non-tech employees. However, companies with employees who lack even a basic understanding of these things could run afoul of the GDPR’s data privacy and data breach reporting requirements, resulting in hefty fines. Savvy industry leaders understand the importance of educating everyone in the workforce who handles personal data.
That’s why EVERFI has catered to a non-technical audience in our new course. Every employee of a company that collects or processes data of EU residents needs to know the basics of the GDPR if they handle private data in any manner. This is because you don’t have to be a specialist to handle personal data, which includes almost any data that identifies a person as an individual. Personal data under the GDPR can include credit card numbers, race, religion, ethnicity, and even the person’s name. So you can see how all kinds of employees might wind up handling personal data.
For example, if your company keeps an electronic database of customer or prospect information for your sales and customer service employees to use for business-related or marketing reasons, the GDPR applies to you, and those employees need GDPR training to avoid violating the GDPR’s requirements to keep personal data private (or get consent to use it).
About Our Course
The course’s learning objectives are therefore simple. After taking the course, your employees will understand:
- The general concept behind the GDPR
- Why the GDPR matters
- To whom the GDPR applies
EVERFI’s 10-minute course achieves these learning objectives by using “engaging and informative content, including motion graphics, to explain how the GDPR reshapes the way organizations must approach data privacy and how this applies to employees. It also covers the duties of data protection officers, data breach notification requirements, and data owner rights.” The course also includes a glossary of important legal terms and suggestions for further reading to learn more about the GDPR.
Your employees need to understand that the GDPR has strict rules for gaining consent to use personal data; what counts as legitimate business reason to use personal data and how long to keep the data (i.e., no longer than needed); the requirements for reporting data breaches; and the expanded right to privacy the GDPR provides, including the “right to be forgotten” (relating to erasing data) and the “right to data portability” (relating to data-owner rights to access and take their data with them).
The GDPR booster course is available now to ensure your employees understand the new rules and reporting requirements as they take effect. If you want to learn more about how you can train your employees on the GDPR requirements, you can request a demo here.