The principles of GDPR require that personal information:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,
- Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,
- Shall be adequate, relevant and not excessive in relation to those purpose(s)
- Shall be accurate and, where necessary, kept up to date,
- Shall not be kept for longer than is necessary,
- Shall be processed in accordance with the rights of data subjects under the Act,
- Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
- Shall not be transferred, without the knowledge and agreement of the data subject, to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information.
[Organisation Name] will, through appropriate management and strict application of criteria and controls:
- Fully observe the conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
- Ensure the quality of information used
In addition, [Organisation Name] will ensure that:
- It has a Data Protection [Role Title of Data Protection Person] with specific responsibility for ensuring compliance with Data Protection
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice
- Everyone processing personal information is appropriately trained to do so
- Everyone processing personal information is appropriately supervised
- Anybody wanting to make enquiries about handling personal information knows what to do
- It deals promptly and courteously with any enquiries about handling personal information
- It describes clearly how it handles personal information
- It will regularly review and audit the ways it holds, manages and uses personal information
- It regularly assesses and evaluates its methods and performance in relation to handling personal information
- All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
LEVELS OF TRAINING
You may want to consider different training for different people.
Training For The Board
This needs to cover the big picture about GDPR and the impact on policies, products and services, as well as the messages to customers. This also has to explain the Board responsibilities and the necessary implementation plan and progress.
Training For The Management
Inevitably it will be the management who need to update the policies, procedures and practices and who will know what data is held where, and for what purpose. Training for the management is largely about implementing GDPR and communicating with staff and customers.
Training For The Staff
Staff are at the front line, and good policies and procedures are of little value if staff do not understand and follow them. Training for staff needs to focus on the practical aspects: for example, what to do if a customer asks a question, or when staff plan to use, share or disclose data.
Practical: What Happens 9 To 5, Monday To Friday
Staff training is vital, but posters are an everyday reminder to clear the desk, lock the cabinets and check the caller. As important as a training session is, it needs reinforcement for knowledge to become habit.
SCOPE OF TRAINING
Training and/or guidance relevant to the role and responsibilities of all staff, volunteers and those handling personally identifiable information will be given:
- When joining the organisation
- When taking on a new or changed responsibility towards handling personally identifiable information
- At least annually, as a reminder and as part of quality control.
CONTENT OF TRAINING
It is good to mix theory and practice and to have small interactive discussion groups. Content should cover:
- Data Protection principles as outlined in the Data Protection Policy
- Data Protection practices as part of day-to-day operational procedures
- Cyber Essentials principles:
  - Secure your Internet connection
  - Secure your devices and software
  - Control access to your data and services
  - Protect from viruses and other malware
  - Keep your devices and software up to date
You may also consider testing people on their knowledge and awarding certificates and score sheets to evidence the learning, understanding and agreement.
EXAMPLE OF A ROLL-OUT PLAN
Session 1: Directors (2 hours?)
1. Board responsibilities for GDPR
2. Reporting obligations
3. The need to consider different legislation: GDPR vs UK, Jersey, Guernsey and other
Sessions 2, 3, 4: Management and Staff (max 90 mins each, incl. Q&A)
Part I will be theoretical, using a slide presentation to cover the main areas of GDPR.
Theoretical elements
a. Definition of personal and sensitive data
b. Core principles of data protection
c. Rights of data subjects
d. Definitions and responsibilities of Controllers, Processors and the DPO
e. Breaches and consequences
f. Subject Access Requests
g. The importance of DPIAs (Data Protection Impact Assessments)
Part II will be run as a discussion exercise using stories/examples.
TRAINING AUDIT FORM
| Name of Person | Date of Training | Grade | Comments |
|----------------|------------------|-------|----------|
|                |                  |       |          |