Setting up training courses
Privacy training is the way to go! It is the essence of your ‘obligation to inform’. Art. 39(1) of the GDPR specifies the requirement for all employees involved in the processing of personal data (including outside agencies) to be informed of their duty to protect these personal data.
Obligation to inform
The ‘obligation to inform’ is not limited to GDPR awareness. Article 39(1) explicitly expands the scope of information to include additional Union or Member State data protection provisions.
What does this mean for an organisation?
First of all, you need to be clear about which obligations under which laws and regulations apply to you and which activities you are, as a result, required to carry out. Next, you have to decide who will be carrying out which activities. Lastly, you need to inform the individuals concerned.
What we are talking about is more than signing a document referring to a staff handbook or some code of conduct. Essentially, the obligation to inform means that you must provide periodic privacy training sessions, with specific learning objectives, attendance registration and content reflecting the latest developments in the field of privacy protection. Obviously, you will also have to record whether or not the goals set have actually been achieved.
One practical question that is often asked is: ‘What if my organisation is not required to assign a Data Protection Officer? Does the ‘obligation to inform’ still apply?’
Article 39 of the GDPR describes the tasks of a Data Protection Officer. The list is not exhaustive; it merely indicates which duties a DPO should perform at a minimum. These, in other words, are the tasks to which the legislator attaches principal importance, the tasks which, according to the law, have to be performed under all conditions. The same rationale, for obvious reasons, also applies to the ‘obligation to inform’.
For your organisation to become ‘privacy accountable’, you have to inform your employees and processing agencies about how to implement personal data protection in accordance with all applicable laws and regulations.
Even if you are not required to assign a Data Protection Officer, a structural approach to complying with the ‘obligation to inform’ is nonetheless essential, in whatever form it takes.