Data protection training for employees
Companies usually deal with the personal data of third parties on a daily basis. If mistakes are made in handling this data, there is a risk of high fines under the GDPR and, in the case of data breaches, damage to the company's reputation due to the reporting obligation.
To avoid this, one should start directly at the source of possible errors in the handling of personal data: With the employees. If employees are not sensitized to data protection, they will make serious mistakes completely unintentionally.
You can find out how and why such sensitization should be carried out here.
Training present or online?
Especially for the training of entire departments, classroom training is often preferred. The company books a provider who trains the employees together on site and answers questions.
In times of increasing digitalization and home offices, however, online training or webinars are also an option (eLearning). The advantage is that employees can be trained regardless of where they are working at the moment and actively learn the subject themselves instead of just having to go through another classroom training session. In addition, this solution is more flexible and requires less organization. Online training is also suitable for both large and small groups of employees.
Care should be taken to ensure that the training is followed by a short test to check whether the learning objective has been achieved.
Are you looking for suitable online training courses, you will find here found.
What content should be included?
As a first step, employees should first be familiarized with the basics of data protection: What is the purpose of data protection? What is personal data? Which obligations of the data controller are opposed to which rights of the data subject? What must be observed when giving consent to processing? When may personal data be disclosed? What technical requirements must be met? What happens if something goes wrong?
You can find these topics for example here to the point in an online employee training course.
In addition, employees should also be trained in data privacy specifically adapted to the area in which they work. For example, different things need to be observed in a home office than in the company's own office, and an employee in a kindergarten must pay attention to different things than an employee in the HR department.
You will find online employee training courses specifically tailored to typical work areas and environments, for example here.
Is training mandatory?
In fact, there is no explicit obligation in either the GDPR or the BDSG for data controllers to train their employees. However, failure to provide training has unpleasant consequences under the GDPR:
- It is much easier to comply with the accountability obligation under Art. 5 II GDPR if all employees are trained.
- The level of protection of Art. 32 GDPR can only be maintained if employees are trained and obliged to comply with what they have learned. This is particularly important for processors, which is also stated in Art. 28 III lit. a GDPR.
- If a data breach does occur, proof that employees have received sufficient training can mitigate the sanctions imposed by the supervisory authority.
How often should training take place?
There is no legal regulation on this issue either. However, it is only logical that training in data protection law must be repeated regularly in order to check, refresh and update the state of knowledge.
Each training session should be documented and certified with a final test to demonstrate sufficient training at a later date.
Be sure to consult with your data protection officer to find the best solution for your company and answer any questions that may arise.