The early part of the week was spent running 90-minute classroom sessions about the GDPR and how it affects the client’s operations – a social housing provider in Sussex, and mid-week it was a detailed look at managing processors, datasharing arrangements and disclosures in Surrey.
I rather like doing data protection training – sure it requires an awful lot of preparation but it’s good fun and I like injecting a bit of interaction into the proceedings to make data protection law a bit less daunting and dry. And so this week I have played “Breach or No Breach” complete with interactive flash cards which is turning out to be a good little game, “Pin the processor on Eaore’s behind” – processors on one cheek, data sharing on the other, and “Pass the Bomb” – a pretty good ice breaker to get the group in the zone and the session motoring repurposing parts of a game my children used to play when they were younger.
Of course providing training about the GDPR is necessary and useful, but I think the key to making a difference is to provide training in how to work within the policy framework set out by the client organisation and how to operate the procedures that they have implemented. Our ultimate goal in providing training is not just to impart knowledge – the long-term aim is to change behaviour and culture.
I often recount the tail of turning up at a client site early one morning and taking note of 20 white sacks of confidential waste – 60% or so of which were open –sitting by the front door in reception awaiting collection by the waste contractor and then noting that they were still in the same place when I left late in the afternoon. “Most of these bags are open Jamie”, I said to my host, “who’s responsibility is it to make sure the confidential waste bags are sealed?” “Well it’s mine Phil”, said Jamie, “only I have been with you most of the morning so I’ve not been able to deal with them.” I put my hand into one of the sacks (as you do) and pulled out several sheets of neatly typed A4 sheets documenting an HR meeting dealing with a staff complaint about a colleague. “But Jamie”, I said, “surely it is everyone’s responsibility? It could be their personal data which is left lying around like this.” What seemed obvious to me clearly hadn’t registered with the employees of this particular company.
So while we talk in training sessions about the principle of restricting access to information etal. – why is it that there is often a gap between nodding in the training session and applying the principle in the work-place?
14 December 2018