Data protection training as a legal obligation

In this post we set out the legal basis for one of the most prominent risk-mitigation measures in risk analyses and Data Protection Impact Assessments under the regulatory requirements of the GDPR and the LOPDGDD: training.

We all routinely recommend training as a cross-cutting measure to mitigate risks, and we advise our clients to carry out training and awareness-raising on data protection and information security. But why? If the GDPR does not directly require it, what is its basis?

There are several reasons, which we present below:

Organizational and technical measures:

The need for data protection training follows from the organizational and technical measures that Data Controllers and Data Processors must apply.

The concept of applying organizational and technical measures appears in several articles of the GDPR (Art. 24, Art. 25 and Art. 32).

Recall that there is no longer a fixed list of security measures to implement; instead, the measures are chosen on the basis of a risk analysis.

Accordingly, Annex VI of the Data Protection Impact Assessment Guide of the Spanish Data Protection Agency repeatedly recommends training as a control to mitigate risks: not only training in data protection, but also in security and the proper use of ICT.

Proactive Responsibility Principle:

The principle of proactive responsibility (accountability) itself implies that the Data Controller is responsible for compliance with the provisions of the GDPR and must be able to demonstrate it. Compliance with the GDPR is not the exclusive concern of senior management, or of the systems or legal departments; it requires the involvement of all personnel with access to personal data. All of these personnel must therefore know what their obligations are, and this is where training becomes a backbone of compliance with data protection regulations by the whole staff.

Data Protection Policies:

Art. 24.2 of the GDPR establishes that “Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”

The adoption of internal policies and standards addressed to employees, both general ones and ones tailored to the functions they perform within the company, will play a decisive role in this objective. This must begin with proper training for all personnel with access to data.

Functions of the Data Protection Officer (DPO):

Art. 39.2 of the GDPR lists among the functions of the DPO:

“Monitor compliance with the provisions of this Regulation, other data protection provisions of the Union or Member States and the policies of the controller or processor regarding the protection of personal data, including the allocation of responsibilities, awareness and training of personnel involved in processing operations, and the corresponding audits.”

That is, if the functions of the DPO include raising awareness among staff and training them, this implies that the obligation exists for Data Controllers and that, if a DPO has been designated, the DPO will take it on.

Right to digital disconnection

In addition, Article 88.3 of the LOPDGDD (Right to digital disconnection in the workplace) establishes specific training, in this case on digital disconnection:

3. The employer, after hearing the workers' representatives, will develop an internal policy aimed at workers, including those in management positions, in which they will define the modalities of exercising the right to disconnection and training and awareness-raising actions for staff on reasonable use of technological tools that avoid the risk of computer fatigue. In particular, the right to digital disconnection will be preserved in cases of total or partial remote work, as well as at the employee's home linked to the use of technological tools for work purposes.

Here again we see that training is an essential part of the policies aimed at workers.

For all these reasons, and in conclusion, training is an essential, cross-cutting backbone measure for compliance with data protection regulations in any organization.

Senior Consultant in Data Protection and Criminal Compliance.
