A data protection officer stands at a fork in the road, just months before the General Data Protection Regulation goes into effect.

For months, the DPO’s team has been working on getting their program in place. They can finally see their way past writing policies and conducting privacy impact assessments and leading their team as they document all their data classification procedures. Now it’s time to decide how they’ll handle the training requirements embedded within the GDPR.

You may be standing at that same fork in the road, burdened by the pressure of encroaching deadlines, limited budget, and an abundance of other tasks associated with GDPR readiness. There are two paths toward meeting your goals: a deeply cynical option and a hopelessly idealistic option. Which will you take?

The cynical path

The cynical path to GDPR training compliance is very direct. It could be as simple as this:require online training for all those who process data, and require these same people to attest to their commitment to following policies.Such a program would be easy to put in place. It could be as simple as purchasing an off-the-shelf online training course and could easily be completed in advance of the May deadline.

One could argue that such a program meets the (admittedly limited) mentions of training within the GDPR itself. Article 39 (which requires that “the data protection officer shall … monitor compliance with this Regulation … [through] awareness-raising and training of staff involved in processing operations”) and Article 47 (which requires “the appropriate data protection training [for] personnel having permanent or regular access to personal data”) are neither terribly specific nor sweeping in the demands that they place on controllers or processors. They leave a great deal to interpretation, and it’s easy to imagine a cynical DPO defending their efforts as meeting the requirement. (Would an investigating regulator buy the argument? That’s another story.)

But let’s not dwell too long on the cynical path. It is, after all, designed for minimum effort.

The idealistic path

The idealistic path to GDPR training compliance is long and complicated. In truth, it should have been selected well in advance of finding oneself at a fork in the road six months before a regulatory deadline! But let’s say that our DPO just landed in a company, and now faces the challenge of constructing a program that goes well beyond meeting the letter of the law (Articles 39 and 47) and instead aspires to meet the loftier goals of the overall regulation.

Admirers of the GDPR see in the regulation a prod to companies to prioritize the individual’s claim to their data above that of the company who uses that data, in whatever form they use it. Prizing the individual’s rights above all requires most companies to dramatically rethink all their processes for handling data, from beginning to end. And it’s that dramatic rethink — that cultural shift — that is at the heart of the idealist’s path to GDPR training compliance. Real GDPR compliance means Privacy by Design writ large across the culture of the organization.

The idealist would thus choose to construe the GDPR as an opportunity to change the culture around data protection in their organization. And they would start to put in place all the components of a comprehensive awareness program. It would look something like this:

  • Executive level embrace of GDPR data protection principles in all company-wide communications, both internal and external;
  • All-hands, required online training that emphasizes the centrality of data protection to the organization’s mission (It wouldn’t even have to be required, if you thought your culture was such that voluntary compliance would work);
  • Focused, role-based training for those whose role in data processing has unique requirements (marketing, software development, call centers, etc. Training that is relevant to the job is demonstrably more effective);
  • An organization-wide communication campaign that promoted all the positive aspects of protecting an individual’s data rights. The campaign might include posters, mailers, lunch-and-learns, etc. Anything to raise the profile of data protection in the organization; and,
  • Repetition. All of the above only work if the message conveyed to employees is reinforced so regularly and consistently that data protection principles become part of the culture.

And these are just the components of a program that are regularly associated with the training function within an organization.

In truth, the idealistic path to GDPR compliance is embedded within an organizational commitment to privacy that reaches into every part of the organization, from the top down. That’s why the idealist’s path is likely to be chosen by true believers with the stamina to see their goals through what will likely take many months and even years of effort.

What’s your path?

If you’re standing at this fork in the road yourself, you know this is not an either/or decision. The path you choose will be influenced by your risk exposure, the commitment of your executives, your budget and many other factors. But it will also be influenced by whether you view GDPR compliance cynically — as an imposition imposed on you, to be handled with minimal disruption to business as usual, or idealistically — as an opportunity for transformation.

Which path will you choose?