The 2020 Dutch Data Protection Authority’s year report shows human error to be the cause of more than 75% of data breaches. Most commonly, these mistakes are in turn the result of a lack of privacy awareness on the part of the employees involved, which only goes to show how crucial the role of an organisation’s staff is in compliance with privacy legislation.
In any organisation, GDPR compliance depends on privacy awareness among the employees involved in the processing of personal data: it succeeds where that awareness exists and fails where it is absent. And there are numerous everyday professional tasks which by their very nature fall under the heading of ‘personal data processing’, including such trivial operations as checking a file of contact details, shredding documents that contain personal data or sending publicity mails. All of these operations have the potential to cause data breaches, possibly resulting in fines imposed by the DPA or serious damage to reputation.
Even when the organisation’s IT security system is perfectly watertight, there may still be privacy risks if employees are insufficiently aware of possible or inherent ‘red flags’ and, as a result, fail to handle personal data with the necessary caution and care. Recently, the 2020 Dutch Data Protection Authority’s year report showed human error to be the cause of more than 75% of data breaches. The mistakes commonly made include sending personal data to the wrong recipient or losing various documents or media containing personal data, like letters, documents or memory sticks.
So, the question we will be trying to answer in this week’s blog is: ‘How best to create privacy awareness among employees directly involved in the processing of personal data?’
Accomplishing GDPR compliance is not an exercise in checking a number of required boxes and then sitting back to enjoy the feeling of a job well done. Compliance starts with the creation of privacy consciousness, more commonly referred to as ‘awareness’, on the part of all employees involved in personal data processing. The term awareness here means that the employee understands the importance of adhering to applicable privacy rules and knows what privacy risks may occur. This has the effect of making the employee more careful in handling personal data, while also knowing what steps to take in suspicious situations.
Although in many organisations a significant proportion of staff are involved in some form of data processing, explicit privacy tasks are not part of the core duties of all employees. This makes it all the more important to present privacy knowledge in a clear, accessible manner.
Efficient and effective transfer of knowledge
The level of privacy awareness among employees, in other words, is highly dependent on the way in which knowledge is being transferred to them. A single classroom training session or putting up a poster in the workspace to remind people of potential privacy risks will probably not be very effective. In the classroom scenario, most of the lessons learned will soon be forgotten, whereas with the poster, once the novelty effect wears off, most employees won’t even notice its messages anymore. The best way to truly absorb new sets of knowledge is based on the power of repetition.
In his studies on the mechanisms of learning, German psychologist Hermann Ebbinghaus found that usually, test subjects were able to almost completely reproduce newly introduced knowledge immediately after having studied it. As time goes by however, this ability of reproduction is subject to an ongoing process of degradation.
Based on this ‘Ebbinghaus forgetting curve’ and other scientifically founded theories, methods of learning have been developed to enable the effective memorisation of new knowledge.
First of all, it is important to present the subject matter in small, manageable portions. Next, the educational content has to be repeated after a certain amount of time has passed, to make sure that it has been committed to memory. If parts of it haven’t, they must be repeated as many times as turns out to be necessary. Also, consistently providing direct, ‘live’ feedback on correct and incorrect answers alike proves to be much more efficient than only providing feedback at the end of a prolonged period of study.
The proper combination of all these elements allows for a process of smart learning with time savings of up to 20 to 40%.
So, coming back to our original question: ‘How best to create privacy awareness among employees directly involved in the processing of personal data?’, it now seems safe to say that the way in which knowledge is being transferred ranks among the key drivers of creating awareness.
For our awareness training aimed at employees involved in the processing of personal data, we have worked together with the Institute of Microtraining and aNewSpring in developing a mobile app specifically based on the scientific theories mentioned above. The content this employee awareness app provides is presented in manageable subsets, users are given direct, instant feedback, and content that users evidently find complicated is repeated at varying intervals.
The way in which our awareness training transfers knowledge gives you the certainty that your employees understand the information presented to them and that the lessons they have learned have been committed to long-term memory. Once employees have fully mastered their new knowledge, then – and only then – your organisation can be said to have truly created privacy awareness among its employees.