As the EU’s latest privacy regulation rolls into effect, many businesses haven’t even broached the topic of GDPR training. While it’s not always top-of-mind as you scramble to achieve compliance, ensuring that your organization understands the regulation and what it takes to achieve and maintain compliance is critical to meeting this new regulatory requirement on an ongoing basis.
As you likely already know, the EU’s General Data Protection Regulation (GDPR) is a sweeping change to consumer data protection and privacy. The essence of GDPR isn’t complicated: to help enhance EU citizens’ ability to control what data companies may hold about them. Many organizations have taken steps to become GDPR compliant and have put into place all of the core processes and procedures necessary to attain, maintain, and prove GDPR compliance. However, there are almost as many companies that have not even started down the road to meeting this new regulatory requirement, and don’t know where to start.
The reality is that within any complex computing environment, security and regulatory compliance simply aren’t possible without putting forth the effort and ensuring the right technical safeguards and supporting processes are always in place. These include continuously applying risk assessments, managing configurations so that software is kept up to date, keeping sensitive data encrypted in transit and at rest, and most other security controls that constitute contemporary security best practices. But to be effective, these safeguards and processes must be supported by knowledgeable, trained staff.
Start with GDPR Training
An organization can have as many processes and toolsets in place as it thinks it will ever need—but it takes only a single staff member to make a mistake that could jeopardize security and compliance efforts. The best defense here is training. Well-trained and informed employees are much less likely to make errors and more likely to help an organization’s GDPR compliance efforts. And the key is reinforcement: train your employees, train them again, and then train them again!
Below are some training starting points:
Who to Train
Train anyone on staff who:
- Operates, maintains, and architects your cloud
- Works with or manages a cloud service provider
- Has access to stored data
- Handles the collection of personal data
- Controls communications to and from the data subject
- Specializes in data privacy or data protection
Where to Find GDPR Training
- Lynda.com, a technology e-learning leader, offers a broad overview of GDPR compliance: https://www.lynda.com/IT-Infrastructure-tutorials/GDPR-Compliance-Essential-Training/661799-2.html
- LinkedIn, which now owns Lynda.com, produced a series of GDPR-related courses, including this one hosted by Kalinda Raina, its head of global privacy: https://www.linkedin.com/learning/learning-gdpr
- Udemy.com has several 1-2 hour courses that focus on specific topics like cloud service providers and building a security incident response plan.
- Deloitte Data Protection Officer training course: https://www2.deloitte.com/ro/en/pages/tax/events/Data-Protection-Officer-Training-Bundle.html
- IEEE (coming soon): http://sites.ieee.org/gdpr/training/
Or… How to Develop In-House GDPR Training
There are several key tenets to building a successful internal training program on your own.
- Make sure that everyone on the team who operates, maintains, and architects the cloud is fully aware of how important data privacy and security are and why they should matter to him or her personally.
- Make sure that the team knows exactly what it is responsible for, why, and what other roles are responsible for when it comes to GDPR compliance.
- Shoot for culture change. The only way to get this into the DNA of your private cloud management efforts is to repeat the training and reinforce the message that data protection is a core value of the organization. Train new staff upon their arrival, and retrain all staff on a regular basis.
- Run tabletop drills. If a data subject requests deletion of data that is stored in the cloud, how would that data be deleted? Which other systems and teams would need to know? Develop scenarios in which potential GDPR violations surface and see how the team reacts. These mock drills are the best way to uncover gaps in your processes and procedures, as well as in the knowledge base of your team.
- Keep executive leadership educated. Make sure executives are aware of how well you’re maintaining compliance in your private cloud, how secure it is, and how well it helps the organization cost-effectively remain secure and compliant with regulations. Reporting on how the organization is tracking against GDPR compliance on an ongoing basis will keep this important regulatory requirement top of mind for all.
As your organization moves to achieve and maintain GDPR compliance, remember that processes and procedures alone won’t get you there. Your teams and staff — those who work both directly and indirectly with data — need to not only understand the GDPR regulation in principle and practice, but understand their personal role in ensuring that the organization maintains compliance going forward.