Following the enactment of the Data Protection Act (the ‘Act’), 2019 and its supporting regulations, many organisations are gearing toward compliance. Privacy compliance has several aspects to it including determination of privacy governance structures; data mapping; privacy gaps assessments; development and implementation of policy and procedural frameworks; data security; and training & awareness. When embarking on the project, it is tempting to overlook initial training and sensitisation, but if properly executed it can guarantee the success of your compliance program. Let us consider some of the reasons why a privacy leader or manager should give priority to training and awareness as they develop a privacy compliance program.
Why stakeholder sensitisation?
Sensitisation of key stakeholders at the outset of your compliance program is beneficial in many ways. First, it gives you an opportunity to equip them with a basic understanding of the law and the compliance expectations. In addition, the stakeholders get the opportunity to ask questions and seek clarifications on legal requirements and on what is expected of them by the organisation. Thus, in a sense, the forum serves to increase internal buy-in and support for the program’s implementation
Secondly, the sensitisation sessions give the privacy managers or leaders an opportunity to outline the roadmap to compliance. This is essentially an overview of the key program milestones, responsibilities, and timelines for completion. Sensitisation trainings also provide an opportunity for the management to set the tone for privacy compliance across the organisation. Leaders can share the vision for privacy compliance within the organisation including their thinking around governance and compliance expectations. This in turn ensures the organisation handles the project with the seriousness it deserves.
Lastly, because data protection is a relatively new concept, some stakeholders in your organisation may not think it applies to them or may believe that it is not a pressing concern. A study commissioned by Amnesty International shows that Kenyans are still not taking data protection seriously despite the Act being in effect for over two years. Fostering an understanding of the Act and the consequences of non-compliance within your organisation will shift the attitude in favour of data protection compliance.
Contents of the training program
Since data protection is an entirely new area of law, it would be prudent to give your stakeholders a basic understanding of the law. In this you should cover concepts such as the legal framework on data protection and the key terminologies used in the various data protection laws. Secondly, you should consider matters such as the scope of the application of the law and the sanctions for non-compliance. This answers questions such as what type of processing activities are covered under the law? Which ones are exempt? What are the consequences for non-compliance with the law?
Third, outline the key compliance obligations. Under this you may discuss: –
- the principles of data protection
- the lawful bases for processing personal data
- rules on processing data relating to children
- rules on processing marketing data
- handling sensitive personal data
- personal data breaches
- data protection impact assessments
- privacy by design and by default
- international data transfers
Finally, you should share your roadmap to compliance. The roadmap should address when the compliance shall kick off, key project milestones, the expected deliverables and the roles and responsibilities of the team members. The roadmap gives clarity on the compliance plans that the organisation has put in place and how to achieve them.
Who should be trained?
Ideally, the entire organisation should attend the training program to establish a baseline understanding of the law and the privacy compliance program among all the stakeholders. However, different stakeholder groups may receive additional training. For instance, the board of directors and senior management may have customised sessions to facilitate decision-making. Teams that interact closely with personal data may also have in-depth sessions to ensure deeper awareness of the compliance expectations.
Mode of training
The training exercise should be an interactive session that brings different teams together to understand the provisions of the Act. Therefore, the mode of delivery chosen should foster questions, clarifications and detailed explanations on the data protection process, all of which ultimately boost corporate buy-in. The sessions can be held as workshops, seminars/webinars, round-table discussions, classrooms or online courses etc.
Conclusion
The Data Protection Compliance roadmap is a long and tasking one, but starting the organisation off on the right footing through relevant training makes the journey seamless and stress-free.
Next week’s article tackles the second step in the privacy compliance process which involves establishing governance systems for the project.