GDPR, BCR, AND PRIVACY SHIELD TRAINING
REQUIREMENTS FAQ

by Daniel J. Solove

With the powerful new EU General Data Protection Regulation (GDPR) and huge potential fines looming on the horizon, organizations are scrambling to step up their privacy programs to become compliant.

The GDPR requires workforce privacy awareness training. So does the EU-US Privacy Shield Framework, the arrangement reached between the EU and US for companies that want to transfer data about EU citizens to the US. The Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.

I have spent a lot of time reviewing the training requirements and thinking about training in light of these new developments. Below is some information and advice about global privacy awareness training in light of the GDPR and Privacy Shield.

What does the GDPR require for privacy awareness training?

Under Article 39, the GDPR includes among the tasks of the Data Protection Officer (DPO) “awareness raising and training of staff involved in the processing operations.”

Under Article 43, in connection with Binding Corporate Rules (BCRs), the GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.”

Training is also required by the US-EU Privacy Shield Framework.

The GDPR doesn’t say a lot more about what training should entail, but I will explain below what topics and content should be contained in such a training program.

What is the difference between the GDPR’s privacy training requirement and that of BCRs and the Privacy Shield?

The GDPR covers more organizations than BCRs or Privacy Shield, as many organizations fall under the GDPR’s wide scope. Under Article 3, the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

BCRs and the Privacy Shield are mechanisms for transferring data about EU citizens to the US. An organization can do business in the EU without transferring personal data to the US. If they want to transfer personal data about EU citizens to the US, they must use one of the mechanisms for doing so: (1) BCRs, (2) Privacy Shield, or (3) model contracts.

So those organizations that gather data about EU citizens will be covered by GDPR’s training requirement. Those organizations that transfer data about EU citizens to the US will also be covered by the training requirements for BCRs or Privacy Shield.

The content of the privacy awareness training for the GDPR, Privacy Shield, and BCRs will overlap a lot. The main difference is that for Privacy Shield, the training should touch upon the Privacy Shield principles (discussed below). Because these principles are designed to protect data in light of GDPR, the privacy awareness for GDPR and Privacy Shield need not diverge too much. For BCRs, the awareness should be on the rules that an organization adopts, but these, too, will need to be consistent with GDPR.

What do BCRs require for privacy awareness training?

GDPR Article 43 states that for BCRs, organizations shall have “the appropriate data protection training to personnel having permanent or regular access to personal data.”

So training should be “appropriate.” That guidance sure helps!

Basically, the training should inform people about what they need to know and do to carry out the organization’s obligations under the BCRs.

If you’re interested in learning more about BCRs I wrote a short guide to BCRs with Maggie Gloeckle that you can access for free here.

What does the EU-US Privacy Shield say about privacy awareness training?

The Privacy Shield Framework, like its predecessor, the Safe Harbor Arrangement, consists of 7 principles, which remain largely the same. The principles have been made stricter, especially the parts about accountability, redress, and enforcement.

In its 7th Supplemental Principle (a series of principles that follows the primary 7 principles), called “Verification,” the Privacy Shield requires verification via self-assessment. One of the things that must be attested to is that the organization has “a published privacy policy regarding personal information” that “conforms to the Privacy Shield Principles” and that it “has in place procedures for training employees in its implementation, and disciplining them for failure to follow it.”

The Privacy Shield doesn’t provide more specifics about what a training program should address.

How much should training focus on the GDPR and Privacy Shield specifically?

The answer to this question depends upon the audience for the training.

For the general workforce, details about the GDPR and Privacy Shield can be quite limited. Indeed, I recommend that global privacy awareness training not focus on specific laws and regulations and speak more generally about privacy and more practically about what employees must know about privacy and do to protect personal data.

People don’t need to become experts in EU law or international law. They don’t need to know about the myriad of privacy laws around the world. Focusing on all these details will be too much information for people.

Instead, my advice is to focus on three core things:

(1) MOTIVATION: Why should people care?

(2) DEFINITION: What is personal data?

(3) RESPONSIBILITIES: What should people know about the way the organization handles privacy? What should people do in their jobs to protect data?

I’ll speak about these things more later on.

For people who are in management roles that involve implementing the privacy program or engaging in activities such as contracting with third party vendors where the transfer of personal data is involved, they need to know something a bit more specific about the law. For example, if a person is sharing personal data with an outside vendor, that person must know the policies and rules about how to properly do so.

People in these roles don’t need to become legal experts, but they need to know more details about the rules they must follow and implement.

What topics should be covered in privacy awareness training under the Privacy Shield?

The Privacy Shield doesn’t say much about the content of training, but several things can be inferred logically about what ought to be covered.

1. Privacy Shield Principles

Because privacy policies implementing the Privacy Shield must follow the Privacy Shield principles, training by inference should address these principles. The principles are:

Notice. Informing people about the data gathered about them and how it is used or shared.

Choice. Providing people with a right to opt out of certain data uses or opt in via explicit affirmative consent to uses involving sensitive data.

Accountability for Onward Transfer. Responsibilities when sharing data with third parties.

Security. Reasonable and appropriate data security measures.

Data Integrity and Purpose Limitation. Requiring that personal data must be relevant to the purposes for its collection and processing. Personal data must be reliable, accurate, complete, and current.

Access. People must have a right to access their data and to correct errors.

Recourse, Enforcement, and Liability. People whose personal data is involved have a right to complain and seek recourse.

2. Definition of “Personal Data” and “Sensitive Data”

Training about the principles wouldn’t make much sense without a discussion of what constitutes “personal data” under the Privacy Shield principles. Because the Choice Principle has different consent rules for when “sensitive data” is involved, people should be taught about what constitutes sensitive data.

3. Why Privacy Matters

An important component to privacy training is why it matters. This isn’t required, but I recommend having this as a component in a privacy awareness program. I’ll explain more later on.

What topics should be covered in privacy awareness training under GDPR?

GDPR doesn’t specify the topics that should be included. The training should ultimately cover the organization’s privacy policy. Because of the GDPR’s requirements as well as requirements in various laws and regulations in the US and around the world, the privacy policies of many global companies have a surprising amount of similarities — at least at the level that the general workforce needs to know.

How do you cover GDPR, US privacy law, Privacy Shield or BCRs, and other training requirements without taking 100 hours?

The key is to avoid getting bogged down in the details of each specific law or rule and to focus on privacy conceptually. By this, I don’t mean that training should be overly theoretical and abstract. To the contrary, it should be practical. But the core of the training should focus on the three dimensions I set forth earlier:

(1) MOTIVATION: Why should people care?

(2) DEFINITION: What is personal data?

(3) RESPONSIBILITIES: What should people know about the way the organization handles privacy? What should people do in their jobs to protect data?

1. Motivation

If people don’t care, they won’t pay attention and won’t change their behavior. People need to understand why privacy matters and the concrete implications that violations of privacy can have on individuals, on the organization, and on the workforce members involved in a violation. People pay a lot more attention when they are told why they should be paying attention.

2. Definition

People need to know what data is covered. People need to learn roughly how to identify personal data and sensitive data. A challenge here is that the GDPR has a definition of personal data that is different from how US law defines it. US law defines it in many different ways.

People don’t need to know each particular definition — otherwise, their heads would spin. The key goal here is to get people to understand that a lot of data that they might not think is personal data in fact can be personal data. Data that alone is not identified to a particular person can be combined with other data and become identified to that person. So it isn’t possible to provide a comprehensive list of all personal data.

My strategy here is to deepen people’s understanding and teach them enough so that they ask when they are uncertain and avoid making false assumptions.

3. Responsibilities

People need to be taught what they should know about how an organization handles its responsibilities for protecting data as well as their role in the process. This can be accomplished by teaching people what protecting privacy entails more conceptually. By this, I mean that training should focus on the Fair Information Practice Principles (FIPPs). The FIPPs are the backbone to most privacy laws, and despite all the differences in privacy laws around the world, the FIPPs have widespread consensus.

What FIPPs should be discussed?

FIPPs Regarding Data Collection – principles about lawful and limited data collection.
FIPPS Regarding Data Processing and Use – principles such as data quality, limited access, confidentiality, data minimization, purpose specification, and security.
FIPPs Regarding Individual Knowledge and Participation – individual rights such as access and correction, as well as the obligation to provide notice to individuals. Consent should also be covered, and the training should note the range of different approaches and which are used under which circumstances.
FIPPs Regarding Transfer and Sharing – sharing data across borders or with third parties.
FIPPs Regarding Accountability – internal policies and procedures for ensuring data protection; the role of the DPO (or CPO).

In the coverage of the FIPPs, the Privacy Shield principles will get covered, such as notice, choice, and access (individual knowledge and participation); security, data integrity, purpose limitation (data processing and use); and onward transfer (transfer and sharing).

An organization’s policies are typically built around the FIPPs. These policies (and BCRs if the organization has adopted them), should be consistent with the GDPR and the privacy laws in all countries where the organization does business. The FIPPs are where the circles of the Venn diagram all intersect. If trainees understand them, then they have a solid grasp of what it means to protect privacy.

How long must privacy training be?

At least 10 hours per year! Just kidding. . . .

Most laws do not specify any particular length for the training. Obviously, training for just a few minutes wouldn’t be sufficient, but training does not have to go on for hours.

A common mistake I see in training programs is that they are often too long and bombard people with a lot of information they don’t need. The human attention span is very short. What matters more than time is the content of the training and how effectively and memorably the information is taught.

How often must privacy awareness training be given?

There is no definitive answer, as most laws don’t say. The most common practice is to do the training annually.

People forget quickly. I personally love a sustained and periodic awareness campaign, one that has short training bursts each quarter or every two months. But more periodic training might be a challenge for many organizations.

What are the consequences for inadequate privacy awareness training?

The consequences are bad. Very bad. Inadequate training can lead to more privacy incidents, which can damage an organization’s reputation. There are big fines. GDPR’s potential fines are gargantuan. And there will be a cavalcade of regulators from various US federal agencies and state attorneys general and the EU and other countries. In short, it’s a world of pain!

Inadequate training is low hanging fruit to a regulator. It’s an easy thing that regulators can use to find fault. Inadequate training is one of the most common things that I’ve seen regulators go after.

So I strongly recommend: Don’t make it easy for the regulators to find fault. Don’t make their fines bigger. Don’t let your organization be an easy target. The choice is simple: Train . . . or pain!

About Professor Solove and TeachPrivacy

This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers. Click here for more information about Professor Solove.

TeachPrivacy provides privacy awareness training, security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.

Please Contact Us If You Are Interested In Privacy Awareness Training

We can provide you with a login so you can evaluate the programs. Click here for our catalog.

Save