Is it mandatory to train your employees in data protection?
Data protection regulations oblige organizations that process personal data to implement security measures and to observe the principle of accountability (proactive responsibility) in their processing of personal data, which includes organizational measures. One of the measures recommended by the supervisory authorities is training and awareness-raising for employees on data protection and information security.
This can be particularly important for mitigating an organization's liability when a sanction is imposed, especially following a security breach.
An example can be found in a resolution of the AEPD, which treats employee training and awareness-raising in data protection as a deficient security measure when it fails to meet a series of requirements. The key facts of that case were:
- The sanctioned entity suffered a security breach in its systems.
- It presented its training plan as evidence of its diligence in complying with data protection regulations.
- The AEPD considered the training and awareness-raising provided to be deficient, for the following reasons:
  - Most of the courses were generic and did not address the specific needs of the organization.
  - There was no record of which attendees and speakers took part in the training courses, nor of the dates on which they were given.
  - The training was not mandatory for all company personnel.
What conclusions can be drawn from the AEPD's findings?
For training to qualify as a credible security measure, it must meet certain minimum requirements:
- The courses must be adapted to the needs of each organization, taking into account the nature, type and risks of its processing activities.
- A record must be kept of the attendees, the speakers and the date of delivery.
- The courses should cover all workers.