The lifeblood of any successful company is its employees. That said, investing in employee education is one of the best moves any company or organisation can make. When the GDPR (General Data Protection Regulation) was introduced, training employees in matters related to privacy became close to obligatory.
In Singapore, employees also have the option to take a PDPA course to learn more about the competencies and foundation required if they want to have a career in personal data protection. The PDPA course will also teach participants the best PDPA practices.
The huge financial risk presented by the massive fines under the GDPR has forced many companies and organisations to do whatever is necessary to ensure compliance with its provisions. While technical measures are crucial, the importance of having competent staff who can handle the stipulated requirements cannot be overstated.
To get the staff up to speed on data protection, below are some of the basics they need to be familiar with:
Teach them how to handle personal information requests
It is stipulated in the GDPR that individuals have the right to get a copy of all the personal information a company holds on them. The information should be safely stored, readily available, and tagged. However, it should not end there.
The staff should be made aware that they need to accommodate every reasonable request. Individuals must be provided with a copy of the information they want, free of charge and within a month, unless the requests are repetitive and onerous.
The individual's identity must also be verified and checked against the data the company already holds on them. This can be done through security questions and ID scans. When the data is held in electronic form, it is recommended that it be provided in a commonly used electronic format.
Teach them about phishing
Staff should be advised not to disclose any personal information about any users or clients to any person over the phone. As mentioned earlier, an ID verification mechanism should be used to verify the identity of the caller.
Checks should also be done when making outgoing calls, as you can't always be sure whether the individual has changed number or whether their phone has been stolen. As a general rule of thumb, it is best to avoid receiving or giving out personal information over the phone at all.
Teach them about the proper way to deal with clients
It is of primary importance to keep users and customers up to date on how their data is used. Clients have every right to update their data, so staff should allow client records to be updated at any time. This is especially true of their marketing preferences (i.e., opt-outs).
Ensure staff also know that they need to obtain consent before collecting and processing data. They also need to prepare consent forms and allow explicit opt-ins (for instance, during registration). Data that is no longer required should be deleted by the staff, and the procedure for doing so should be set out in the security policy.
Teach them about personal data safeguards
Simple organisational guidelines can already go a long way towards keeping user data safe, and they can consist of intuitive, very easy practices. It would also be a good idea to mandate routine password changes (for instance, every three months), but not so often that staff are tempted to write their passwords down.
You can also require staff and employees to log off their workstations whenever they are not physically present in the office. This helps prevent unauthorised access. Installing anti-spam and anti-virus programs can also help. However, it is equally important to educate everyone not to open any emails with suspicious attachments.