No doubt your organisation has been delivering a significant amount of GDPR training over the past couple of years, but has it worked? Your GDPR training should deliver frontline impact, helping your staff to protect your organisation against data breaches and to protect the rights of individuals. However, a recent personal experience suggests that this might not always be the case.
It’s my data
Have you ever tried to make a subject access request? Last month I found myself having so many service issues with my broadband provider that I felt I needed to see the records containing my personal data. It was quite an eye-opening experience.
After a particularly frustrating call (one of many) with my service provider, I told the customer service adviser that I wanted to make a subject access request. She told me that she didn’t know what that was. I explained that the GDPR gives individuals a right of access to their personal data. She told me she didn’t know anything about GDPR or data privacy and that she had never had any training, but that she would speak to her manager.
I subsequently received an email telling me that, having spoken to her manager, she could inform me that I had to send my request in writing, by post, to the Data Protection Manager who would then help me with my request.
What went wrong?
This organisation is a major player in a sector that handles huge volumes of customers’ personal data and I think it’s highly unlikely that they are simply unaware of GDPR. I’m pretty sure that they will have amended their processes and trained their staff, especially their frontline call centre staff who deal with customers, and their personal data, on a daily basis. So, what went wrong?
Put simply, it looks like their training didn’t work and that they had failed to transfer new process changes effectively into day-to-day operations. The customer service assistant I spoke to did do the right thing by saying that she didn’t know and then seeking advice from her manager. Unfortunately, the manager had clearly not been equipped with the necessary knowledge or resources to help their team.
How can we fix it?
If you manage data privacy risk for your organisation, you have probably undertaken some form of training, but do you know if it worked? I would strongly recommend mystery shopping your business for key customer-facing privacy issues, such as subject access requests and the right to be forgotten. You will quickly get a sense of how effective your training was.
If you do uncover any concerns, it’s possibly because your training simply wasn’t memorable enough. Research suggests that as soon as learning events end, forgetting begins. In learning and development circles, this is known as Ebbinghaus’s forgetting curve.
The curve shows how information is lost over time when there is no attempt to retain it. The longer we go without repeating key messages, the more forgetting will happen. If your data privacy training is an annual, or even less frequent, event, then don’t be surprised if people remember very little by the time the next training session comes around. The risk in the intervening period is clear. If you want people to remember your training, you need to regularly repeat key messages over time. Little and often is the best approach:
“The spacing effect is one of the oldest and best documented phenomena in the history of learning and memory research.”
Harry Bahrick and Lynda Hall, Journal of Memory and Language (2005)
Good training is, of course, vital to helping employees understand data privacy risk, but are you helping people transfer their learning to the workplace in practical ways? As Atul Gawande writes in The Checklist Manifesto:
“The volume and complexity of what we know has exceeded our individual ability to deliver its benefits correctly, safely, or reliably. Knowledge has both saved us and burdened us.”
Supporting on-job performance
Supporting on-job performance with simple tools to help employees manage risk “in the moment” can deliver tangible benefits. Consider building simple job aids, checklists and other tools that are easy to access, understand and use.
Checklists have been shown to improve the performance of surgeons and airline pilots in performing complex processes. It’s therefore likely that they can help to support performance in other sectors by protecting against failure and establishing a higher standard of baseline performance.
Finally, as my subject access request example shows, line managers are an important source of support, advice and information for their teams. Are you equipping line managers with the tools and knowledge that they need to help their teams stay compliant?
How to remember GDPR
So, here are four things you can do to help your employees remember what they need to know about GDPR:
- Mystery shop. This will help you to understand if you have a problem and, if so, what that problem is.
- Deliver memorable training. Use the principles of spaced repetition to fight forgetting.
- Provide employees with performance support tools. These tools can be used to help transfer learning effectively throughout the workplace.
- Equip line managers. Ensure line managers have the tools and knowledge to support their teams effectively.