The European Union General Data Protection Regulation, the EU-U.S. Privacy Shield and Binding Corporate Rules for data transfers all contain data privacy training requirements that may be more important than many organizations might think. Inadequate training is a low hanging fruit for regulators, so don't make it easy for them to find fault, the author writes.
By Daniel J. Solove
Daniel J. Solove is a law professor at the George Washington University Law School. He is president and chief executive officer of TeachPrivacy, a company that provides training on privacy awareness and security awareness, as well as many other privacy and security topics. Solove has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject.
With the powerful new European Union General Data Protection Regulation (GDPR) and huge potential fines looming on the horizon, organizations are scrambling to step up their privacy programs to become compliant.
The GDPR requires workforce privacy awareness training. So does the EU-U.S. Privacy Shield Framework, the arrangement reached between the EU and U.S. for companies to transfer data about EU citizens to the U.S. The Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner (14 PVLR 1825, 10/12/15).
Under Article 37, the GDPR tasks the Data Protection Officer (DPO) with “awareness raising and training of staff involved in the processing operations.”
Under Article 43, in connection with Binding Corporate Rules (BCRs), the GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.” Further guidance isn't supplied.
Training is also required by the Privacy Shield framework. The Privacy Shield, like its predecessor, the Safe Harbor arrangement, consists of seven principles, which remain largely the same, the key differences being heightened accountability, redress, and enforcement.
With training required by GDPR, BCRs, and Privacy Shield, it can be confusing to know which to follow. The GDPR covers more organizations than BCRs or Privacy Shield, as many organizations fall under the GDPR's wide scope. BCRs and the Privacy Shield are mechanisms for transferring data about EU citizens to the U.S.
So those organizations that gather data about EU citizens will be covered by GDPR's training requirement. Those organizations that transfer data about EU citizens to the U.S. will also be covered by the training requirements for BCRs or Privacy Shield.
The content of the privacy awareness training for the GDPR, Privacy Shield and BCRs will overlap a lot. The main difference is that for Privacy Shield, the training should touch upon the Privacy Shield principles. Because these principles are designed to protect data in light of GDPR, the privacy awareness for GDPR and Privacy Shield need not diverge too much. For BCRs, the awareness should be on the rules that an organization adopts, but these, too, will need to be consistent with GDPR.
People in management roles that involve implementing the privacy program or engaging in activities such as transferring personal data to third-party vendors will need to know about the law. People in these roles don't need to become legal experts, but they need to know more details about the rules they must follow and implement.
For the general workforce, people don't need to know a lot of details about the GDPR and Privacy Shield. Indeed, I recommend that privacy awareness training not focus on specific laws and regulations, and instead speak more generally and practically about what employees must do to protect personal data.
The core of the training should focus on three dimensions:
If people don't care, they won't pay attention and won't change their behavior. People need to understand why privacy matters and the concrete implications that violations of privacy can have.
People need to know what data is covered. People need to learn roughly how to identify personal data and sensitive data. A challenge is that the GDPR's definition of personal data differs from the many ways U.S. law defines it. People don't need to know each particular definition—otherwise, their heads would spin. The key goal is to get people to understand that a lot of data that they might not think is personal data in fact can be personal data. My strategy is to deepen people's understanding and teach them enough so they will ask when uncertain and avoid making false assumptions.
People need to be taught how an organization handles data protection responsibilities as well as their role in the process.
The Privacy Shield doesn't say much about the content of training. Nevertheless, because privacy policies are implementing and following the Privacy Shield principles, training should address these principles.
Key GDPR rights and requirements and Privacy Shield principles can be taught by focusing on the Fair Information Practice Principles (FIPPs). The FIPPs are the backbone to most privacy laws, and despite all the differences in privacy laws around the world, the FIPPs have widespread consensus. FIPPs relating to the following broad categories of activities should be discussed:
In covering the FIPPs, the Privacy Shield principles will get covered as well. An organization's policies are typically built around the FIPPs. These policies (and BCRs, if the organization has adopted them) should be consistent with the GDPR and the privacy laws in all countries where the organization does business. The FIPPs are where the circles of the Venn diagram all intersect. If trainees understand them, then they have a solid grasp of what it means to protect privacy.
Training is more important than many organizations might think. Inadequate training can lead to more privacy incidents, which can damage an organization's reputation. There are big fines, and the GDPR's potential fines are gargantuan. And there will be a cavalcade of regulators from various U.S. federal agencies and state attorneys general, the EU, and other countries. In short, it's a world of pain!
Inadequate training is low-hanging fruit to a regulator. It's an easy thing that regulators can use to find fault, and it is one of the most common things regulators go after.
So I strongly recommend: Don't make it easy for the regulators to find fault. Don't make their fines bigger. Don't let your organization be an easy target. The choice is simple: Train … or pain!
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.