As a DPO, it's your task to provide adequate awareness. The accountability principle requires you to be able to objectively demonstrate compliance. So, here are some tips to do just that:
Map the Personal Data Inventory activities to the GDPR requirements (see Article 30, "Records of processing activities").
The DPO and CISO can create a combined awareness matrix to optimise educational and time-efficiency synergies.
Examples:
- The sales department is involved in direct marketing and uses cookies. Therefore, it is important to make them aware of consent and E-privacy regulation.
- The R&D department writes new software. Therefore, it is important to make them aware of Privacy by Design & Default and Secure Development.
It is important to prioritise the awareness sessions, taking into account the inherent privacy and security risks of the different departments. Departments with more privacy and information security risks should receive more extensive awareness training. Also, make sure to engage top management and the board of directors when developing the awareness roadmap, as experience proves that top management awareness, support and involvement are an important factor for a successful implementation of any management system.
The GDPR states that organisations must be able to prove that they are compliant (the accountability principle). Hence it is important to keep attendance records of awareness training sessions.
Do you want to go the extra mile? Let your employees fill in a test to monitor their privacy and security knowledge after the awareness sessions.
Scientific research has proven that the role of top management support for the implementation of privacy and security management systems, including but not limited to awareness, may not be as critical as external privacy and information security expertise, in the form of specialized consultants and vendors.
Local Privacy Champions are key employees in existing business departments with an above-average knowledge of GDPR requirements. These individuals support the DPO by monitoring compliance and advocating compliance within their respective departments. Make sure to create a job description for, and an overview of, the privacy champions as evidence.
Repetition works. It is important to make awareness a recurrent activity to ensure that privacy and security remain embedded in the operational activities. Recurrent awareness sessions also prevent any awareness drain in your organisation when key employees leave or when newcomers enter the organisation.
Make use of marketing tactics to optimise the reach of your awareness actions. Use different communication channels (class sessions, email, posters …) to maximise audience reach.
Your awareness message will be much better received and remembered if you follow the "Keep It Simple, Stupid" principle.