I'm not saying that everyone should get a PhD in personal data security and possess all the necessary knowledge on the subject. All we need to do is develop a consistent level of awareness among the team (start with a basic one, which can then be expanded depending on the role/position within the company). And above all, let's do it in an engaging way that works best for you. Is it possible? I believe it is, so I'm sharing a few ideas below.
1. On-site training
It would be a good idea to start with the classic format, i.e., in-person training. It's nice because we either train
on your premises or at the conference center (with cookies, coffee, and lunch). There's interaction and exchange of insights. There's also time to organize training groups (if there are a lot of you, or if the company doesn't shut down for a day), travel, etc. It's probably suitable for training the entire current staff, but it might not be the first choice for onboarding a new employee. As with everything, there are pros and cons. I'd like to add that such training doesn't have to be led by a sad lawyer in a suit or pencil skirt, and it doesn't have to be legalese that will have participants frantically checking their emails even as the agenda is being presented. It's important that the scope is tailored specifically to your needs. It would be great to use this time and the opportunity for direct interaction to discuss specific cases from your own backyard.
2. Webinar/real-time online training
The COVID-19 pandemic has shown us that we can communicate effectively remotely. We have a wide range of tools that allow us—just like with in-person training—to gather even larger groups, deliver presentations, allow live question-and-answer sessions, and ensure accountability (we need to consider in advance how we want to confirm attendance, for example, by maintaining a logbook with an email address, noting the start and end date and time of each participant).
This type of training is essentially identical to in-person training, and the time and cost are significantly more advantageous. We conduct this type of training ourselves (in dedicated areas, such as GDPR in HR ) and know it works.
3. E-learning
Self-paced learning is a very convenient method and is suitable for training anyone – both all current employees and new hires. E-learning training takes place at a time and place chosen by the participant, a significant advantage we often hear about. It's up to the employee to choose a specific time that's convenient for them (it's important to meet the "regulated" deadline for completing such training, e.g., within two weeks). It's worth considering whether a tool for raising employee awareness in this format ensures the retention of information about who started and completed the training, when, and whether it was actually started or completed.
It's also a good idea to use the online platform to conduct a test to check the level of acquired knowledge. Such training doesn't have to be boring! A well-designed course (beyond the content) includes interactive elements, such as content read by the narrator, tiles revealed by the participant, or other content for the participant to actively click through. It's worth noting whether the employee completes the training at their own pace (or can rewind to previous stages) – such functionality is definitely a plus.
4. Downloadable material completed with a knowledge test
If, for some reason, you're opting for neither of the above options, you might consider something even simpler: pre-prepared material (e.g., in PDF format) for the employee to download and review. The advantage of this approach is that the material can be prepared on virtually any topic, one that interests you most and within the scope you're most interested in. It can also be varied, depending on, for example, the business areas or functions within your organization.
But be warned – to ensure valuable knowledge doesn't go to waste, I recommend supplementing this format with a knowledge test to assess your understanding of the material. How can I do this? I know special database of tools that offer such options. I'd be happy to share this knowledge, so feel free to contact us if you find this format interesting.
5. Sharing a recording (e.g. from a webinar)
Another way to train is to share a recording of another training session with everyone (webinar tools—at least most—have the option to record the meeting, so this will work too). Of course, remember to stick to the principle of minimalism. Such a recording should include nothing more than what's essential to the training, such as the presentation and audio, or an additional image of the presenter, and questions asked in the chat/comments (ideally, without displaying the full details of the participants asking these questions in the recording).
Is this a simple training option? In principle, yes. Just think about accountability first (how will you prove whether and which employees had the opportunity to receive this training?). Think of it as a supplementary option to other forms of training – it works best in conjunction with other, regularly scheduled training sessions.
6. Other materials to raise employee awareness
I know how it is – sometimes there's no time, no team, no conditions, and there's always something more important, more urgent to do. The worst thing in such a situation is to do nothing to meet the obligation to familiarize employees with applicable data protection regulations. You can also implement other measures in your organization that, while they won't replace "proper" training, will certainly confirm that you're working towards your goal.