Data Protection Training

In order for a company to meet its data protection requirements, all employees must be trained in the area of data protection. This training is also referred to as “data protection training”.


Data protection training should cover the following topics:

  • Overview of data protection
  • What is personal data?
  • How do I handle data?
  • How do I avoid unpleasant data breaches?
  • How do I react if something goes wrong?
  • How can I integrate data protection into my everyday professional life?

What is a data protection briefing?

Companies must regularly train their employees so that they do not forget to handle personal data carefully. Lawmakers sometimes use terms, such as “briefing”, that sound odd to laypeople. We prefer the term training here, as it carries no negative connotations.

How often do employees need to be trained in data protection?

Employees should ideally be fully trained once and then receive a refresher of their basic data protection knowledge 1-2 times per year. The legislature uses the word “regularly.” Under the GDPR this means repetition at a frequency appropriate to the employee and their work. Sometimes it can be enough to train once every 2 years. If you combine this with the information security requirements of ISO27001, the training must take place at least once per year. It must also be possible to provide evidence of this training.

Which employees need to be trained in data protection?

Every employee must be trained in data protection. This means that every employee, trainee, assistant and temporary worker must be trained in the correct handling of personal data with the help of general and industry-specific training.

Is data protection training mandatory?

The GDPR does not explicitly prescribe whether, how or when data protection training is mandatory. Nevertheless, the entirety of the applicable regulations and third-party requirements must always be taken into account. Companies that have to take data protection seriously for sales reasons go one step further: they introduce an ISO27001-compliant information security management system (ISMS). The ISO27001 standard expects all employees working in critical areas to have received the required cyber security awareness training.

The Occupational Safety and Health Act makes it mandatory to provide employees with appropriate and sufficient instruction. This may result in an obligation to also address data protection during that instruction. Under the accident insurance regulations, every company is likewise legally obliged to instruct its employees.

Why is employee training important in terms of data protection?

The legislator, as well as customers and suppliers, have a legitimate interest in the company’s employees handling the personal data entrusted to them in accordance with data protection regulations. It is not a given that employees know what is permitted and how to avoid data protection violations. Therefore, a data protection officer usually trains their colleagues so that they better understand the way of working expected of them.

ACATO enables its customers to train employees in data protection effectively and at low cost through its own academy. For companies with an integrated management system, it is important to train their workforce in a flexible and controllable way. Our own Econry Academy provides data protection instruction and cyber security awareness training online in several languages.

If companies do not train their employees correctly, data breaches can occur. A supervisory authority or auditor will then examine the business in detail. Normally, a supervisory authority will ask the company to correct the identified deficiencies without immediately imposing penalties. If management intentionally prevented instruction or failed to provide it, the company and individual employees could face significant fines.