We’re now six months into the formal adoption of the General Data Protection Regulation (GDPR), and while the initial flurry of emails asking people to update their contact preferences may have died down, the number of pop-ups on websites asking users to accept whatever their cookie policy may be continues apace.
While the Information Commissioner (ICO) has, for now, stuck to its word and not made many ‘early examples’ of non-compliant organisations, many organisations have been keen to toe the line and ensure they don’t get caught out by the new rules, infringements of which could result in fines of up to €20 million.
However, certainly in the accountancy world, it seems that preparations for GDPR’s implementation didn’t necessarily extend to educating employees about the new regulation. AAT surveyed over 650 of its members and student members as part of the AAT Omnibus Survey 2018, finding that of those working in full-time employment, just 48% said they have, so far, received any form of GDPR training.
This figure falls further when looking at engagement with GDPR training amongst the self-employed (34%) and part-time employees, of whom just one in three (33%) had received training.
Training isn’t a prerequisite of GDPR; however, compliance with the new regulations is a must, and it is, essentially, every member of staff’s responsibility to get it right. This means that anyone in a position of ever handling personal data – which is most of us – needs to be aware of how they process this information, and what data needs to be deleted (and by when).
The UK’s information commissioner Elizabeth Denham called GDPR a ‘step change’ for businesses that were already complying with previous data protection rules, with few or no changes to the way their company operates with regards to data.
Whilst not every individual or company will consider comprehensive training a help to them or their firm, for many others investment in some training would be advisable, so that employees can take appropriate responsibility when processing personal information. It’s not enough to simply appoint a senior person who looks after compliance – the risks need to be assessed across the firm. To that end there is a variety of online training materials available from the likes of Engage in Learning, among many others.
Punitive action to follow?
As yet, the Information Commissioner has allowed a certain ‘bedding-in’ period, taking until late September to issue its first formal notice under the GDPR to Canadian analytics firm AggregateIQ, for processing data “for purposes which they would not have expected”.
This is surely the tip of an iceberg. The ICO will likely take many more actions against non-compliant firms, and the scale of the new sanctions means it is of critical importance to have the right processes in place.
AAT has itself published an article containing five myths about GDPR, which can be accessed via the AAT Comment blog site.
AAT surveyed 661 of its members, with 464 of these working in full-time employment.
Adam Harper is Director of Strategy and Professional Standards at AAT