Why do employees have to be trained in data protection?

The General Data Protection Regulation (GDPR) has been in force since 25 May 2018. One of the main changes concern the increased fines imposed by the GDPR, which can amount to up to 20 million euros or 4% of annual sales.
Penalty enforced violations of the GDPR are usually committed by employees. It is therefore of great importance to increase awareness in terms of sensitive data protection law processes and to provide them with the necessary knowledge to be able to comply with the new requirements of the GDPR. In our guest post, lawpilots clarifies the following questions: Are there legal training requirements according to the GDPR? What are the benefits of regular data protection trainings? Which content must be discussed and which areas of the company should be given special attention to?

Why should employees be trained regularly in data protection and what are the benefits?

Almost every company processes personal data several times a day, using IT systems in accordance to Article 4 of the GDPR. For this reason, complying with GDPR´s data protection regulations follow an important obligation for companies in their areas of work. As already described, the requirements will primarily have to be met by employees. Accordingly, their training is a logical prerequisite for compliance with the requirements of the GDPR. In addition, employee training in data protection law can be easily combined with other teaching content, such as specifications on data security and company secrets, without diluting the boundaries between the two areas. In this way, employees learn how to recognize personal data, separate it from security issues and company secrets, and develop a special sensitivity in handling personal data. Only this way, holistic compliance with the data protection regulations of the GDPR can be guaranteed.

According to the GDPR, there is no explicit obligation to train employees in data protection. Also, the GDPR does not contain an obligation to require employees at the beginning of their work to data secrecy as contained in §5 of the currently still applicable Federal Data Protection Act. However, different GDPR regulations impose indirect obligations on companies to train their employees accordingly. Although the failure to provide training cannot in itself be punished with fines, the breaches of data protection resulting from the absence of such training can.
Articles 33 and 34 of the GDPR contain reporting obligations for companies towards supervisory authorities and data subjects if the violation of data protection regulations entails a high risk of violating the rights and freedoms of natural persons. Violation of these reporting obligations is subject to a fine under the GDPR. Companies can effectively consider this reporting obligation, but only if their employees are trained to recognize the violation of data protection regulations and to assess the existence of high risk for the violation of the rights and freedoms of natural persons.
In particular, if the core activity of a company consists in the extensive processing of particularly sensitive personal data (according to Articles 9 and 10 of the GDPR this is e.g. health data, data on origin or trade union membership), a data protection officer must be appointed (Article 37. GDPR). Article 3

Article 7 of the GDPR also mentions other cases in which such an appointment is necessary, e.g. in the systematic monitoring of people or in certain administrative activities. Article 37 Para.4 of the GDPR contains a so-called opening clause by means of which national legislators can specify the ordering obligations for data protection officers.  For example, German legislation makes this specification in § 38 Paragraph 1 BDSG-neu. This regulation is largely based on former § 4f Abs.1 BDSG-alt, so that public and non-public bodies must appoint a data protection officer whenever they process data automatically.

Today, this applies to a large number of companies. In particular, a data protection officer must be appointed if there is a case which would require a data protection impact assessment according to the GDPR. This is particularly the case with highly sensitive data or other significant risks to the rights of the data subject. In contrast to the other cases of § 38 BDSG-neu, it is no longer relevant for the ordering obligation whether more than 10 employees process personal data.
In accordance to Art. 39 of the GDPR, the data protection commissioner must inform "employees carrying out processing operations" of their data protection obligations under the GDPR. Under certain circumstances, violations by the data protection officer can also be attributed to the company and thus be punished, especially if the company does not sufficiently fulfil its obligation under Art. 38 of the GDPR to support the data protection officer in the performance of his duties.

Which divisions should be trained in data protection law?

In addition to the data protection officer himself, the IT department is of particular importance, as it must implement the requirements of the GDPR, particularly with regard to the principles of data economy and data protection friendly technical settings (privacy by design, privacy by default). The same applies to product developers. In addition, all employees should have a basic knowledge of data protection law, since not only customer advisors and consultants, but in principle all employees can be involved in the processing of personal data. It is important to train the HR department and works committee separately to ensure compliance with internal data protection regulations.

What information should be taught in an employee training course?

First, a basic understanding of "personal data", "processing" and "rights and freedoms of natural persons" should be taught. When do such processes take place? Why are such processes particularly worthy of protection?

The most important basic principles of data protection law should then be presented. This includes e.g. the principles of data economy, transparency and information obligations.
Furthermore, the guidelines for lawful data processing must be outlined, i.e. the principle of prohibition with the reservation of permission through consent and balancing of interests.

Finally, the specificity of data processing according to the GDPR in comparison to the old legal situation should be addressed.
Overall, company and industry specific features should always be taken into account, such as special regulations for personal data, transferred via servers in the US.

How should employees be trained in data protection law?

In principle, employees should be trained both with regard to the existence of the processing of personal data and with regard to the technical possibilities for implementing the requirements of the GDPR. It makes sense, to repeat online courses as well as role-plays, lectures, etc. at regular intervals in order to not miss the latest developments and also to consolidate the knowledge of employees in the long term according to the principles of the learning spiral.

Online courses offer an easy and uncomplicated way to start training your own employees without software installation and a lot of preparation time and to take advantage of the benefits of data protection training.

Companies are urgently advised against the possibility of having training conducted by non-expert employees who have themselves taken part in external training courses. Compliance with the sometimes complex requirements of the GDPR is unlikely to succeed in this way. The certification for training courses in the field of data protection serves precisely the purpose of enabling training of employees in accordance with the requirements of the GDPR.

Conclusion

Since the GDPR is already effective, companies should take action now to train their employees in data protection law. Not only for the threats of high fines from the GDPR, but also for the ease with which data protection law training courses can be implemented, combined with opportunities to integrate the principles of data security, should encourage companies to take advantage of appropriate offers of expert advice.

"Many companies want to train their employees in data protection, but are often undecided on which method to choose. Classroom training is far too time-consuming and expensive for all employees, but in many conventional e-learning courses the design is outdated, the content is not relevant to the real challenges of the employees and the set-up is complex. lawpilots closes this gap and offers practical and truly innovative data protection courses that are easy to understand and fun".

Dr. Dieter Kerkfeld, CEO of lawpilots.

About lawpilots

lawpilots offers innovative and practical online trainings around the legal issues of digitization. The central promise: "Law. Simple. Understood."! lawpilots develops relevant examples and recommandations from practical experience of the renowned partners SCHÜRMANN ROSENTHAL DREYER lawyers and ISiCO data protection consultancy.

Courses: