Are your employees GDPR compliant in practice?
GDPR is not just for the DPO. It’s everyday decisions that determine whether you are compliant.
Are you on top of GDPR? Many would say yes – because the courses have been completed and the policies are in a folder somewhere.
But in practice, we see again and again that the breaches happen in small ways:
- A misdirected email with no clear response
- Uploading customer data to an AI service like ChatGPT
- A form that still asks for information without a valid basis
Written by Anders Schultz-Møller
GDPR COMPLIANCE
Compliance is not just about law. It’s about habits, processes and behaviors throughout the organization – from HR and IT to sales and reception.
We’ve put together 12 concrete questions to help you find out:
- Where do you stand strong?
- Where is there a risk of a breach?
12 QUESTIONS FOR GDPR COMPLIANCE IN PRACTICE
1. Email sent in error – what then?
Do employees know what to do if they accidentally send an email with personal data to the wrong person?
Example: An HR employee sends an employment contract to the wrong recipient.
→ Is there a known reaction and escalation path?

2. Lost laptop or mobile – what is the procedure?
Is there a clear process for lost devices – and do employees know it?
Example: IT is notified, the incident is recorded, the data is assessed – but only if the employee knows what to do.

3. Forms and data minimization – are you collecting only what you need?
Is it documented why you are collecting the data you are asking for?
Example: An old enrollment form contains a field for “parent’s social security number” – but no one has considered why.
→ How do you ensure data minimization over time?

4. Reusing data – without new consent?
Do you check whether it is legal to use data for a new purpose – and do you inform the user?
Example: Can a customer’s email address be used for both the purchase and a newsletter?

5. Consent – is it documented?
Have you documented which legal basis you rely on – and how it was obtained?
Example: A check mark in a form is not enough if there is no clear text and no documentation.

6. Explanation – can you justify data usage?
Can employees explain why certain data is collected – and refer to the relevant policies?
Example: A receptionist asks for ID – but why? Where is that written down?

7. Who owns and updates the data?
Do employees know who is responsible for keeping data correct and up to date?
Example: Who updates contact information or consent status?

8. Do you delete data when you need to?
Are there routines for deletion – and documentation of them?
Example: Are candidates deleted from the recruitment system after 6 months?

9. Secure sharing – and approved tools?
Is everyone using approved systems – and sharing data securely?
Example: Personal Dropbox vs. corporate SharePoint – do employees know the difference?

10. Do you know your role in handling requests?
Can employees handle or forward data subject requests correctly?
Example: A customer asks for access to their data – can support respond?

11. Do you know what the 72-hour deadline means?
Are employees equipped to act quickly in the event of a breach?
Example: A USB stick goes missing – what do you do? When does the countdown start?

12. AI and data sharing – can you share with ChatGPT?
Do you have an AI policy – and do employees understand it?
Example: An employee uploads a customer report to ChatGPT to write a summary.
→ Do you know what can be shared with AI services?
When GDPR-compliance training needs to turn into behavior
In many organizations, GDPR training is something you “have done”, but not necessarily something that has changed behavior.
More companies are opting for realistic and targeted awareness training in which the rules are translated into everyday situations.
At Bauhaus (see case), GDPR and IT security were made concrete with short e-learning modules based on everyday dilemmas.
At EDC (see case), awareness became an integral part of the compliance program – with targeted content and documentation.
Grape not only delivers GDPR training, but an entire portfolio of compliance courses. All courses can be customized to your organization – and combined with your own policies and procedures.