Are we making the same mistakes all over again? As organizations continue to work hard to be compliant with the new GDPR that comes into force in May 2018, I worry that we still don’t understand how we can most effectively engage and collaborate with our workforce to ensure they understand their responsibilities under the GDPR and what it means for them and their behaviours.
Delivering effective and engaging awareness training to your workforce is a critical element in your accountability regime under the GDPR. As Ashley Winton, Technology and Cyber Law attorney at McDermott Will & Emery LLP says: “Many years of experience working with data protection regulators has taught me the importance of effective awareness training and in managing the outliers in your organisation properly.” But there’s a challenge.
I was recently listening to my 10-year-old son reading an article to me about the creator and writer behind The Horrible Histories series on children’s TV – Terry Deary. The programmes have helped to transform the way youngsters engage with history. Deary was an outsider to the Education system. He says: “In the past educators asked experts…’Write a book for children about the Norman Invasion’. And because they were teachers or textbook writers, their author voice was always the same: ‘Shut up and listen!’. My voice is: ‘You’ll never guess what I just discovered about the Normans…wow!’.
Are we running the same risk with GDPR where we put the responsibility of writing the training we need to give to all our staff in the hands of legal, risk or security experts. Over the last few months I’ve seen and heard so much GDPR training that fails to understand their audience – instead of focusing on what their workforce really needs to know they instead think they need to communicate the full intricacies and complexities of the GDPR. It’s not effective and will fail to create and sustain the right behaviours. A different mentality and approach is required.
Angela Sasse, Professor of Human Centred Technology at University College London has said: “One of the key starting points for managing health and safety in organizations is that you need to make it easy for people to do the right thing. If we just applied those things in cyber security, things would look very different to what they look today.” The same approach applies to data protection.
So how do we make it easy for our people to do the right thing under the GDPR? We can’t expect our board directors to be experts in security to respond to the cyber-risks they face – in the same way our staff do not need to be GDPR experts. Critically we need to make any GDPR learning engaging and relevant. We need to answer: What does GDPR mean to me? How would I expect organisations to best protect my own personal and family data? What are the risks to me in my role? What simple, practical guidance do I need to help my organisation better protect their personal data and manage their cyber risks more effectively?
We need to move from a position where GDPR training is regarded as yet another piece of ‘tick-box’ compliance training to one where we our people understand and want to play their role.
Let’s ask ourselves some simple questions about the value of the training we provide. Is it short and does it provide simple advice? Does it engage through real-life scenarios? Are we reinforcing the training through refreshers and reminders? Does it make it easy for our people to do the right thing?
Only then will we have a fighting chance in provide training that’s effective and compliant.
This is the first in a series of blogs. Next month, I will outline what and how organizations can do to deliver effective GDPR training.