GDPR compliance does not rest just with IT – it is everyone’s responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law. For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through townhalls or other company-wide communications. Supplement online training with in-person role-based training tailored to meet each functional area’s unique requirements.

Training, however, is not enough. With Privacy by Design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals, and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.

With May 25th just around the corner and 59% of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4% of annual global revenues or €20 Million (whichever is greater) for non-compliance, lack of awareness could prove to be costly. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.