Research indicates that an estimated 28,000 new DPOs (Data Protection Officers) will be needed to guide organisations engaged in the processing of Personally Identifiable Information (PII).
The research was conducted by the IAPP (the International Association of Privacy Professionals), which describes itself as ‘the world’s largest and most comprehensive global information privacy community’.
The DPO requirement is one of many provisions within the GDPR, which applies from May 2018, as is the delivery of privacy awareness training. Article 39, Section 1(b) lists awareness-raising and training of staff involved in processing operations among the tasks of the DPO, so in practice any person handling PII should receive training, and ensuring this happens is the responsibility of the Compliance Officer, or of the DPO where one is required. So how should you approach this regulatory demand?
Let’s start by understanding who handles PII. It’s a broad term, and the consensus is that it includes store clerks handling loyalty cards and any person required to view identification documents. It ranges from the obvious – the receptionist at a doctor’s or dentist’s office – through to the surprising, such as the hairdresser who asks for an email address for marketing.
Not-for-profit organisations have obligations too: a community amateur dramatics club might require its members to have DBS checks (Disclosure and Barring Service, which replaced the Criminal Records Bureau check), since they might on occasion be working with children. By necessity, the documents are highly intrusive and there’s no doubt that the sensitivity of the data collected is extremely high. How are the documents retained, where, and under what security?
Clearly, the regulation is far-reaching. To comply with the demand for privacy awareness training, there’s no ‘one-size-fits-all’ solution. Departmental managers need a higher level of training and awareness than the general workforce, and for directors in marketing or human resources this might require one day or several days. For the general workforce, at least one hour of initial training is quite routine, and this might be delivered in a classroom environment or via e-learning.
Training on privacy isn’t enough: there needs to be ongoing awareness of privacy matters. This may be delivered via posters, leaflets, emails and other routes, with the objective of making privacy a routine consideration.