Employee training in GDPR: is it mandatory?
Many clients and potential clients ask me whether GDPR training for employees is mandatory. The confusion stems from the fact that quite a few offers for this type of service include a “mandatory” training for employees and try to sell it as a requirement of the GDPR.
Although it is not the subject of this post, it is worth recalling the notorious “LOPD at cost 0” schemes, in which some companies used the Social Security contribution discounts for employee training to fund consulting services; the AEPD has repeatedly had to remind the market that this is illegal (most recently in July 2019).
In any case, the question here is: do I need to train my staff to comply with the GDPR?
The answer is NO, although, like everything in life, with nuances. Let’s look at them:
The company acting as data controller or data processor must ensure the confidentiality of the personal data it handles (art. 5.1(f) GDPR and art. 5 LOPD) and, to do so, it must pass this obligation on to the employees who access that data.
Does that necessarily mean training them? No. What the company must do is inform them of this obligation and make sure they understand it. For that, nothing beats a signed confidentiality declaration.
An important nuance to this non-obligation arises in companies or organisations that have a Data Protection Officer (DPO), since the DPO’s tasks under art. 39.1(b) GDPR include the “training of staff involved in processing operations”. In those cases, yes, some formal training is required. But, as I have commented in another post, having a DPO is not always mandatory.
And if I decide to give my employees GDPR training, what should I take into account?
That said, training staff who have access to personal data in your company is never a bad decision since, in the eyes of the AEPD, it helps demonstrate the company’s proactive approach to GDPR compliance (the accountability principle of art. 5.2 GDPR) and proves that the company is taking steps to mitigate or minimise risks.
In any case, and in my view, good GDPR training must meet these requirements:
a) Not all companies are the same or process the same type of data: the demands on a hospital are not comparable to those on a mechanical workshop, even though employees of both may access personal data. Training must therefore be adapted to your company’s sector or type of activity.
b) In medium-sized or large companies, not all departments carry out the same processing or use of data; Human Resources is not comparable to Marketing, nor Customer Service to IT. Look for training that fits the job position and that has a real meaning in the employee’s day-to-day work.
In short, run away from generic training that wanders endlessly through data protection principles without addressing the real situations your employees face, and that only serves to tick a box.
c) If you decide to implement training, make it continuous rather than a one-off session to tick a box. Employees change and so does your company’s reality, so you must adapt the training to those circumstances.
In short, if you train your staff, good for you, but do it periodically and in a way that suits their job position and your company’s sector.
If you have questions about this or any other topic, don’t hesitate to contact us!