STEP 1 – AWARENESS

Employees should be ‘in the know’

It is important that every member of an organisation understands how their role is affected by a regulation and how they can contribute towards complying with it. With the GDPR, we expect that:

– the product development team knows what “privacy by design” means and how it should be built into product workflows;
– the marketing team knows when it has a lawful basis to send emails to customers (and when it doesn’t);
– the IT department knows what good security looks like;
– the HR team is ready to respond to requests from individual members of staff about their personal information.

Please note also that:

– If the regulator’s expectations are not met by an organisation then that organisation will not be compliant with data protection law, including the GDPR.
– If your product development team doesn’t understand its responsibilities, non-compliant products will be released which could lead to customer complaints.
– If your marketing team sends out marketing communications to individuals when they have no right to do so, a complaint could be made to the regulator.
– If your IT department does not understand what good security looks like, there could be a personal data breach which has to be notified to the regulator (under the GDPR, without undue delay and where feasible within 72 hours of becoming aware of it).
– And if your HR team does not respond to an information request from an individual within the statutory time limit, that individual could complain to the regulator or bring a claim against your organisation.

In all these scenarios there is a risk of bad publicity and substantial fines (under the GDPR, up to €20 million or 4% of worldwide annual turnover, whichever is higher). In each case the root cause would be a failure to train staff.

However, let’s not be too alarmist about all of this. There are very positive reasons to train all your staff in GDPR compliance.