3 things you need to know about training staff for GDPR


This is a guest post by Patrick O'Kane, Author of "GDPR - Fix it Fast!  Apply GDPR to Your Company in 10 Simple Steps"

Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of them. Providing staff training is therefore an important part of avoiding GDPR fines.

Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.

These are my 3 tips on staff training:

ISO 37001: Checking the Box on “Doing Compliance”

In October 2016, the International Organization for Standardization ("ISO") published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system. The emergence of ISO 37001 was a welcome development, as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles. To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective governments' standard, and other countries are expected to follow their lead.

A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor. The certification brings substantial value to an organization, as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery. Not only does this provide a competitive advantage over an organization's non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or foreign domestic firms.

ISO 37001 is not without its critics. The criticism, however, is generally not directed at the standard itself. Instead, the critics take issue with the certification of the standard. A common theme of their arguments is that the certification process is merely a check-the-box exercise in which an auditor only confirms the existence of a "paper program". The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action. They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and thus lacks any predictive value as to how the organization will conduct itself in the future. In short, they conclude the certification is worthless because it does not ensure that the certified organization is "doing anti-bribery compliance" or will "do anti-bribery compliance" in the future.

There are three fundamental flaws with the critics’ argument...

How to fix your company policies for GDPR – Three things you need to know

For everyone struggling with implementation of the new European General Data Protection Regulation (GDPR), Patrick O’Kane has written a fabulous new book called GDPR – Fix it Fast: Apply GDPR to Your Company in Ten Simple Steps.  I wrote the Foreword for the book, and am so proud to be involved.  The following is a guest post by Patrick O’Kane.  The Kindle edition of the book can be found here on Amazon.  The hard-cover edition will be available Jan. 1.
