Awareness Training

Do your colleagues know what counts as personal data?

Introduction

Training your colleagues on information security and related topics, such as the GDPR and data protection, is necessary for several reasons.

First of all, a strong security awareness culture improves your organisation's overall security posture, because every process and technology is ultimately driven by people's actions. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, such as an error or someone falling victim to a phishing attack.

Additionally, the GDPR (Article 32) requires organisations to implement appropriate technical and organisational security measures, and awareness training is such an organisational measure. The EU NIS2 directive requires essential and important entities to provide basic cyber hygiene practices and cybersecurity training to their staff, and for those seeking ISO 27001 certification, awareness is both a mandatory clause (7.3) and an Annex A control (6.3, information security awareness, education and training, in the 2022 edition).

GDPR training is also a practical precondition for compliance: your colleagues cannot process personal data correctly if they cannot recognise personal data when they handle it.

In this article, we will explore the topic of awareness training, and we will start with security awareness training. 

Security Awareness Training

IT security is everyone's responsibility, not just IT's or your boss'. Everyone, from the intern to the CEO, should understand the basics of cybersecurity, including common threats, vulnerabilities and preventive measures. A single security incident can affect your organisation significantly, and it can start with one click on a link in a phishing email.

Cyberattacks are frequent and constantly evolving, so security awareness training needs to recur to keep pace.

Examples of training topics include:

  • Phishing emails
  • Password safety
  • Safe internet usage
  • Mobile device security
  • Incident reporting

By giving colleagues more practical IT security skills through awareness training, you also empower them to be more alert and to take action in their own work. A product owner might, for example, start adding security features or restricting access to certain information in the product on their own initiative.

The training also creates a shared language, which enables better conversations about IT security across the organisation. When everyone speaks the same 'security language', it becomes easier to discuss potential risks and solutions. In many organisations, business as usual wins out when new security features are proposed; a shared vocabulary makes it easier to make the case for them.

When everyone can work together and spot issues within their work processes and the technologies they use, then it becomes easier to strengthen security. 

GDPR Awareness Training

Your workforce is not static; new employees will join and need training in GDPR and information security. Additionally, people tend to forget things over time, but staff mustn’t lose sight of best practices for handling personal data. Since it’s a legal requirement to process data correctly at all times and be able to demonstrate this, ongoing training in data protection is necessary.

For example, you can educate them on the following topics:

  • What is personal data?
  • Legal bases for processing personal data
  • Data protection principles
  • How to conduct risk assessments
  • And much more...

Do your colleagues know what counts as personal data? What about the rules for processing it? These might seem like simple questions, but without them knowing the answers, GDPR compliance will be difficult to achieve.

By training your colleagues, you also build the organisation’s capacity to collaborate on GDPR matters. Suddenly, departments like marketing and sales can discuss data handling with a more informed perspective and start identifying issues and solutions independently.

When you ask them to adopt more appropriate data protection practices, they will better understand and be more equipped to engage in this dialogue with you. This reduces the day-to-day communication load for the GDPR coordinator, who otherwise might spend much time responding to basic queries on “what is personal data?” or similar.

Role-Specific Training

How your colleagues handle personal data can vary significantly in the scope, frequency, and sensitivity of the data.

For example, HR handles sensitive personal data, while Customer Support handles basic contact details and other common personal information. Therefore, it makes sense to provide targeted training to each job role, although this requires more training resources.

New Employees

There’s no guarantee that new employees are familiar with IT security or GDPR, and they might even be in their first job. Plus, they won’t know your organisation’s workflows, IT systems, or how the company expects them to use these tools.

New employees must, therefore, be introduced to these topics and understand how to comply with GDPR rules in their daily tasks. 

Onboarding is also a chance to positively influence your organisation's culture, as new employees bring fresh perspectives and eagerness to get things right.

Departing Employees

Departing employees should also receive a short briefing as part of their exit process. They should be informed about how their personal data will continue to be processed for purposes such as tax filings, how long it will be retained, and how they can exercise their rights regarding this data.

Equally important is raising awareness about respecting personal data on the way out. For example, a sales employee might be tempted to copy the company's customer database for use in their new role, which is a breach of both trust and data protection law. Awareness training reinforces best practices so that departing employees respect workplace data protection procedures during their transition.

Frequency

Regular training keeps employees updated on IT security and GDPR compliance. 

Knowledge fades quickly if it is not reinforced, so brief monthly awareness sessions are one way to counter this. That frequency strikes a balance between maintaining awareness and minimising disruption to daily work, keeping security and compliance in mind without becoming overwhelming.

Learning Formats

There are many ways to deliver training, from emails and online platforms to live sessions with your team.

If you deliver the training in person, it will typically take the form of a 30- or 60-minute session held once or twice a year, which requires some preparation. If you lack the time, skills or resources for in-person training, you can instead buy access to an e-learning platform with awareness training. This saves you and your organisation time in exchange for a subscription fee. The upside is that the content is professionally produced and maintained by the vendor, and employees can complete it whenever it fits their workday.

Training Materials

Creating effective training materials is challenging, and keeping them accurate and current over time adds another layer of difficulty. Nevertheless, your colleagues need proper, up-to-date training. The alternative is an e-learning platform, where the vendor is responsible for maintaining the content.

Evaluating the Effectiveness of Training

It is difficult to evaluate the effectiveness of employee awareness training, and there are no perfect metrics. However, some metrics might be good enough. 

Test scores after a completed module are helpful, but they measure recall, not behaviour, so they don't guarantee real-world security. They may still be the best proxy that is readily available.

You could also survey your colleagues regarding their reactions to the training content, delivery and relevance to them. We tend to remember the things we are enthusiastic about, so if the training creates excitement, it might be more impactful, but again - it is not necessarily a source of truth.

Another way to test the effectiveness of the training is through simulated attacks, such as phishing simulations, which test how well employees apply what they have learned in a realistic setting. Track the rate at which staff report the simulated email, not just the click rate, since reporting is the behaviour the training aims to build and it is what feeds your incident response. Bear in mind, however, that this only tests one aspect of cybersecurity. Phishing simulations usually cover email only, while real attacks also arrive by SMS, phone and chat, and there are many risks beyond phishing altogether.

Documentation

Your awareness training also forms part of the evidence for your organisation's compliance, both for the GDPR's accountability principle and for ISO 27001 audits, so you should keep some form of documentation to demonstrate that the training has taken place. This can be as simple as retaining the emails sent out with the monthly training, or downloading a report from the e-learning platform showing which employees have completed which modules.
