6 common mistakes people make with GDPR training
Posted on Nov 01, 2018
It’s official. Your people are the biggest cause of data breaches. Human error is behind the majority of incidents reported by organisations, rather than malicious cyber-attacks.
The last two years have seen a 75% increase in the number of breaches being self-reported to the UK regulator, the Information Commissioner’s Office (ICO). The cases compromised individuals’ personal data, including medical, financial and employment details.
A deeper dive into the figures for the past year by Kroll₁ reveals that, of those cases where the type of breach is specified:
2,124 were attributed to human error
292 were due to cyber attacks
It’s another reminder that protecting data in your business relies on your employees and their ability to apply best practice around data safety. Of course, GDPR has raised the bar on data protection, but it seems many businesses are still failing to include training in their GDPR compliance strategies, despite the risk.
A new survey₂ of 1,000 UK office staff found that 47% don’t know if their companies are doing anything to comply with GDPR – so there’s obviously no training happening there! Meanwhile, another study₃ of 600 US and EU firms found that over a quarter (27%) haven’t yet made a start on their GDPR implementation phase.
So, roughly six months on from the introduction of GDPR, we’re focusing on where organisations are getting stuck with data protection training and the most common mistakes holding them back.
The big six errors
1. Doing nothing
Ignoring the need for training puts your organisation at greater risk of a breach and the subsequent reputational meltdown. GDPR places a responsibility on organisations to embed data protection “by design and default”. As part of this, “regular and refresher training is a must”, according to Elizabeth Denham, the UK’s Information Commissioner.
2. Forgetting the audience
Rolling out the same GDPR compliance training to everyone means no-one gets the right training. High risk data users need a different approach to the general workforce, so high risk employees benefit from a bespoke programme. Meanwhile, introduce the basics of GDPR to lower risk data users in an engaging and accessible way, such as Sponge’s
3. Overwhelming everyone
Handing out wordy documents with every GDPR dot and comma to all your people and saying ‘remember that’ is a recipe for failure. Instead, focus only on what they need to know about GDPR for their jobs, and which behaviours related to data protection are most important for them.
4. Once a year
Annual GDPR training isn’t enough. GDPR compliance requires continuous learning and reinforcement opportunities to avoid potential costly lapses. Continuous learning helps people to apply their training daily, keeping the company safe and contributing towards a data safety culture.
5. Ticking a box
With GDPR training, don’t tick the box, think outside the box! If your GDPR training is dull and boring employees won’t engage and they won’t learn. To be effective, learning about GDPR has to be memorable, so ‘rebrand’ it as an experience that people want to do.
6. In isolation
GDPR learning loses effectiveness when it’s delivered in isolation or is bolted on as a ‘p.s’. For maximum impact, build awith preparation, activation and sustain phases. Use a mix of learning activities so there’s something for everyone. It’ll increase engagement and help people to understand the wider picture.
GDPR is here to stay. Indeed, other parts of the world are following the EU’s lead – such as theData protection is a global requirement and organisations can’t afford to make the training mistakes we’ve highlighted, especially with being handed out. What’s more, the public are just fed up – still don’t trust organisations with their data. It’s high time to fix GDPR training and empower your people to reduce the risk of a costly data breach.