EU General Data Protection Regulation, Binding Corporate Rules And Privacy Shield Training Requirements

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Privacy & Security Pros

The European Union General Data Protection Regulation, the EU-U.S. Privacy Shield and Binding Corporate Rules for data transfers all contain data privacy training requirements that may be more important than many organizations might think. Inadequate training is a low hanging fruit for regulators, so don't make it easy for them to find fault, the author writes.

Daniel Solove

By Daniel J. Solove

Daniel J. Solove is a law professor at the George Washington University Law School. He is president and chief executive officer of TeachPrivacy, a company that provides training on privacy awareness and security awareness, as well as many other privacy and security topics. Solove has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject.

With the powerful new European Union General Data Protection Regulation (GDPR) and huge potential fines looming on the horizon, organizations are scrambling to step up their privacy programs to become compliant.

The GDPR requires workforce privacy awareness training. So does the EU-U.S. Privacy Shield Framework, the arrangement reached between the EU and U.S. for companies to transfer data about EU citizens to the U.S. The Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner (14 PVLR 1825, 10/12/15).

Training Requirements

Under Article 37, the GDPR tasks the Data Protection Officer (DPO) with “awareness raising and training of staff involved in the processing operations.”

Under Article 43, in connection with Binding Corporate Rules (BCRs), the GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.” Further guidance isn't supplied.

Training is also required by the Privacy Shield framework. The Privacy Shield, like its predecessor, the Safe Harbor arrangement, consists of seven principles, which remain largely the same, the key differences being heightened accountability, redress, and enforcement.

In its 7th Supplemental Principle (a series of principles that follows the primary seven principles), called “Verification,” the Privacy Shield requires verification via self-assessment. One of the things that must be attested to is that the organization has “a published privacy policy regarding personal information” that “confirms to the Privacy Shield Principles” and that it has “procedures for training employees in its implementation, and disciplining them for failure to follow it.” The Privacy Shield doesn't provide more specifics about what a training program should address.

GDPR vs. BCRs vs. Privacy Shield

With training required by GDPR, BCRs, and Privacy Shield, it can be confusing to know which to follow. The GDPR covers more organizations than BCRs or Privacy Shield, as many organizations fall under the GDPR's wide scope. BCRs and the Privacy Shield are mechanisms for transferring data about EU citizens to the US.

So those organizations that gather data about EU citizens will be covered by GDPR's training requirement. Those organizations that transfer data about EU citizens to the U.S. will also be covered by the training requirements for BCRs or Privacy Shield.

The content of the privacy awareness training for the GDPR, Privacy Shield and BCRs will overlap a lot. The main difference is that for Privacy Shield, the training should touch upon the Privacy Shield principles. Because these principles are designed to protect data in light of GDPR, the privacy awareness for GDPR and Privacy Shield need not diverge too much. For BCRs, the awareness should be on the rules that an organization adopts, but these, too, will need to be consistent with GDPR.

Content of the Training

People who are in management roles that involve implementing the privacy program or engaging in activities such as transferring personal data to third party vendors, will need to know about the law. People in these roles don't need to become legal experts, but they need to know more details about the rules they must follow and implement.

For the general workforce, people don't need to know a lot of details about the GDPR and Privacy Shield. Indeed, I recommend that privacy awareness training not focus on specific laws and regulations and speak more generally and practically about what employees must do to protect personal data.

The core of the training should focus on three dimensions:

  • (1) Motivation—Why should people care?
  • (2) Definition—What is personal data?
  • (3) Responsibilities—What should people know about how the organization handles privacy? What should people do in their jobs to protect data?

1. Motivation

If people don't care, they won't pay attention and won't change their behavior. People need to understand why privacy matters and the concrete implications that violations of privacy can have.

2. Definition

People need to know what data is covered. People need to learn roughly how to identify personal data and sensitive data. A challenge is that the GDPR's definition of personal data differs from the many ways U.S. law defines it. People don't need to know each particular definition—otherwise, their heads would spin. The key goal is to get people to understand that a lot of data that they might not think is personal data in fact can be personal data. My strategy is to deepen people's understanding and teach them enough so they will ask when uncertain and avoid making false assumptions.

3. Responsibilities

People need to be taught how an organization handles data protection responsibilities as well as their role in the process.

Though the GDPR doesn't specify specific topics, training should ultimately cover the organization's privacy policy. Because of the GDPR's requirements as well as requirements in various laws and regulations in the U.S. and around the world, the privacy policies of many global companies have a surprising amount of similarities—at least at the level that the general workforce needs to know.

The Privacy Shield doesn't say much about the content of training. Nevertheless, because privacy policies are implementing and following the Privacy Shield principles, training should address these principles.

Key GDPR rights and requirements and Privacy Shield principles can be taught by focusing on the Fair Information Practice Principles (FIPPs). The FIPPs are the backbone to most privacy laws, and despite all the differences in privacy laws around the world, the FIPPs have widespread consensus. FIPPs relating to the following broad categories of activities should be discussed:

  • (1) Data Collection—Principles about lawful and limited data collection.
  • (2) Data Processing and Use—Principles such as data quality, limited access, confidentiality, data minimization, purpose specification, and security.
  • (3) Individual Knowledge and Participation—Individual rights such as access and correction, as well as the obligation to provide notice to individuals. Different approaches to consent should also be covered in the training.
  • (4) Transfer and Sharing—Sharing data across borders or with third parties.
  • (5) Accountability—Internal policies and procedures for ensuring data protection; the role of the DPO (or chief privacy office).

In the coverage of the FIPPs, the Privacy Shield principles will get covered. An organization's policies are typically built around the FIPPs. These policies (and BCRs if the organization has adopted them), should be consistent with the GDPR and the privacy laws in all countries where the organization does business. The FIPPs are where the circles of the Venn diagram all intersect. If trainees understand them, then they have a solid grasp of what it means to protect privacy.

Why Training Ought to Be Taken Seriously

Training is more important than many organizations might think. Inadequate training can lead to more privacy incidents, which can damage an organization's reputation. There are big fines. GDPR's potential fines are gargantuan. And there will be a cavalcade of regulators from various U.S. federal agencies and state attorneys general and the EU and other countries. In short, it's a world of pain!

Inadequate training is low hanging fruit to a regulator. It's an easy thing that regulators can use to find fault and is one of the most common things regulators go after.

So I strongly recommend: Don't make it easy for the regulators to find fault. Don't make their fines bigger. Don't let your organization be an easy target. The choice is simple: Train … or pain!

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security