The new European Union data protection law (General Data Protection Regulation, GDPR) is already here and will directly affect those responsible for training and development. When it enters into force on May 25, 2018, all companies will have to implement new measures for data auditing, protection, security, and management; not only for their European customers, but also for their employees, job applicants, and Learning Management System (LMS) users.
In this article, we’ll tell you everything you need to know about the new data protection regulation and how the Training and Development department should adapt to it.
The New Data Protection Regulation (GDPR)
After several years of negotiations and its approval in 2016, the European Union’s new data protection regulation seeks to adapt to today’s Internet age and offer greater protection for European citizens. Amid increased concern regarding the use of personal information, with companies accumulating millions of pieces of data on their servers and facing new privacy and security challenges, the GDPR sets new standards and represents a radical transformation in company data management.
New changes in the law include companies now being required to ask for specific permission when dealing with sensitive customer information, implementing stricter security measures, actively warning of any attack on or failure in their computer systems, and allowing users to modify or delete their data.
Moreover, even if a company is not physically located in the European Union, as long as it manages the data of European citizens it will have to follow the GDPR to the letter.
Those companies that violate the GDPR may be hit with fines of up to 20 million euros or the equivalent of 4% of their global turnover.
In Spain, this new data protection law replaces the local version (Ley Orgánica de Protección de Datos de Carácter Personal), passed in 1999.
How does the GDPR affect the Training and Development department?
As professionals who collect and manage employee personal information, those responsible for training and development must also comply with the new data protection regulation. In matters such as the training offered, LMS management, and, above all, employee training (we will talk about this later in depth), it is important to take measures to respect the GDPR. These are the five most important points:
1. Auditing and notifying employees
The first thing you need to do is know what kind of employee data you have and what you are using it for. It may be highly useful to do an inventory of all the information you have and the specific reason you are managing and storing it.
It is also advisable to contact workers to explain the new legislation and their rights. Although employees already had to grant their permission in the past, the new data protection law explicitly states that the “specific, informed, and unambiguous” consent of workers is required.
2. For only one purpose and a certain period of time
The GDPR explains that employee data can only be stored for a specific purpose and for a certain period of time. If you have requested information for a training course, for example, you may not use it for other purposes. If an employee has consented to the use of his or her data for a training program during the month of May, you cannot use it for another training initiative in November.
If there are many temporary workers, self-employed workers, or freelancers in your company, the new European data protection regulation could require you to delete their data once they have left the organization, as you no longer have a specific purpose (unless they have granted their prior consent).
3. Transparency and flexibility in data protection
Employees now have the right to know what information the company has on them, what it is being used for, and where it is stored. Employees can also request access to this information at any time, so you must have a system capable of responding to their demands.
Furthermore, you must ensure that all information is correct and up to date. If you provide your employees with software that facilitates data entry or modification, it is important that you can control its management and ensure it works properly.
In Training and Development, you must also inform employees of why you are collecting their data, and it may not be used for any other purpose without notifying them. Employees can now also withdraw their consent at any time, so you must have a flexible system that is easy to edit.
4. Data protection security
Of course, your number one priority should be to make sure there are no security breaches and that your employees’ data is protected. Any data collected and managed in the Training and Development department must be stored encrypted. To fully follow the GDPR, you should also encrypt all transmissions and communications so that data in transit cannot be read if it is intercepted.
In the event of data theft or unauthorized access to employee data, you must inform them within 72 hours. Any employee who might be harmed by this data theft must be informed “without undue delay”, according to the GDPR itself.
Depending on the size of your business and the type of information you manage, you may also be required to have a Data Protection Officer.
5. The new data protection law and your LMS
All of the above is vitally important when it comes to managing your Learning Management System (LMS), which is where you most likely store and manage the bulk of the information concerning your corporate training initiatives. At the risk of being redundant, make sure that:
- all LMS users give their explicit consent for you to store and manage their data, for a specific purpose and for a certain period of time.
- any user can request a copy of all the information you hold on them, including an explanation of the purpose and whether it is being used by third parties.
- employees are able to refuse consent or delete their information at any time.
- your LMS provider (and any other training provider) follows the new data protection regulation; talk to them to confirm it.
How to train your employees in the new data protection regulation (GDPR)
Of all your missions as head of Training and Development, probably the most important is the dissemination of information on the new data protection regulation.
Although the GDPR is not so specific, it does state that “data protection training to personnel having permanent or regular access to personal data” (Article 47) is an important element. Meaning: your employees need to know what the GDPR is in order to respect the rights of European citizens and, in doing so, save the company from any potential fines.
For successful training on the new data protection regulation, we recommend that you follow these tips:
1 – Start with yourself. Before launching a training program for your employees, take the opportunity to lead the way and train yourself. This way you will not only learn GDPR basics, but you will also have the necessary background to choose the best training program for your employees.
2 – Review the courses you are already offering. Before diving into the new data protection regulation, we highly recommend adapting other training courses (data protection, customer relations, cybersecurity, etc.) that your employees are already doing. Make sure that they all cover the changes introduced by the GDPR.
3 – Adapt the training to different profiles. Not all employees need the same level of knowledge about the new data protection regulation. Depending on the type of data each role collects and manages, the level of understanding of the GDPR required may vary considerably. Although it is advisable for all employees of the company to be aware and cover their bases, this is especially true for profiles such as:
- customer service personnel
- marketing teams
- data or big data analysis departments
- human resources (managing employee data, as well as that of job candidates, is highly important)
- IT, technology, and telecommunications departments (particularly on those platforms that collect and store customer data)
- legal teams within the company
- senior managers of the company (so that they are aware of the challenges the GDPR poses and can pass them on to their teams)
4 – Make sure you can update the content. Considering how fast our world is changing on a technological and social level, this is probably not the last time the data protection regulation is going to change. Try to offer a training program that can be reviewed and updated quickly and easily, adding the possible specifics of your business.
5 – Content is king. In a law of this kind, with 88 pages and 99 articles, it is highly important that the content be clear and simple, that it touch on the key points of each section, and that it can be adapted to various employee profiles. The GDPR is full of technical and bureaucratic jargon, so make sure that the content of your training courses uses a language that your employees understand (without sacrificing full understanding of the law).
6 – A training program without bounds. If you work in a multinational organization, make sure that all those who work with the data of European citizens are trained. Remember: even if some departments of your company are not physically located in the European Union (even the whole company may be in another country), they may be affected by the GDPR if they obtain, store, or manage information from European citizens.
7 – Gamify the training program. For this type of compliance course (full of technical explanations), it is important to make the training program appealing and interesting. To do this, you can use gamification or video games. This way you’ll be able to increase employee engagement and interest, transforming a training session into a fun, appealing experience. For example, the ADA GDPR video game turns learning the articles of the new data protection regulation into a post-apocalyptic adventure with the goal of saving the planet.
8 – Repeat the training program. To be sure that the training sinks in, it’s important to repeat it from time to time. Use different formats, change the way courses are presented, introduce new features, and offer rewards for achieving better results. If you only do one training and then leave it, it’s likely that in a few months (or a year) most employees will have forgotten the key points of the new data protection regulation.
Don’t forget the most important thing in training programs regarding the new data protection regulation (GDPR)
Considering the daily obligations of employees and the technical nature of the GDPR, you run the risk of your training initiatives becoming a mere bureaucratic procedure. In addition to understanding and applying the rules set out in the new data protection regulation, it is important that all employees understand what lies behind the new legislation: the rights of European citizens. The GDPR seeks to protect how their data is stored and managed, something increasingly important in the digital age; this is something we can’t ever forget in the Training and Development department.