Is it good enough to run compliance training courses for employees? Or do you also have to check your workforce understand the training? A European court has just ruled that unverified training is insufficient to avoid compliance fines if a security breach happens.
Here is the story.
In July 2020, a personal customer of the Banca Transilvania, a large Romanian bank, was asked to document his reasons for making an €85,000 withdrawal. Upset at being asked to justify this, he sent a satirical message to the bank suggesting he would use the money to travel to the Netherlands, where he’d spend the money on various controversial activities (and use some of the money as toilet paper). The private message included his email address, telephone number, and workplace.
Later that day, a bank employee shared the message on WhatsApp with other bank employees, and it subsequently got copied widely, including on Facebook and across the Internet (with all the personal and financial details included). The bank customer was upset about this security leak and told journalists that “The negligence of the bank caused me serious personal problems (at home with my family) and at work”.
The Romanian data protection authority (the ANSPDCP) investigated the issue and ruled the bank was at fault. Banca Transilvania did not ensure its employees processed personal data only for authorized purposes and did not have sufficiently strong technical and organizational measures. The bank was fined €100,000.
However, the bank appealed–saying it had internal regulations on the use of personal data and had delivered training courses on proper handling of personal data. In its view, such a large fine was not fair.
In April 2022, the Cluj Court of Appeal ruled on the appeal and upheld the ANSPDCP decision and the fine. The Court concluded that although there were training courses on handling personal data, there was no evidence the employees involved had understood the training:
“In this case, in order to prove its diligent conduct regarding the training of personnel in the field of personal data protection, the plaintiff submitted a series of internal regulations as well as proof of organising courses on this subject, but it is important to emphasize that neither the effective attendance of staff to these courses nor the effective enforcement of any means of verifying the acquisition of such knowledge and information could be demonstrated.”
The court considered that because sensitive l data was shared via WhatsApp, this suggested an acute lack of effective training. They also conceded that perhaps employees didn’t even understand that the information shared was, in fact, personal data.
Although the ruling is specific to this case, it is likely generalizable to other cases and countries. It’s clearly not good enough just to have internal procedures and training courses on privacy. Companies that are subject to the GDPR (and likely other personal data laws) need to ensure that employees actively participate in such training. And crucially, there must be a way to verify that employees genuinely understand the information provided during training and that they are able to apply it in practice. Giving quizzes and tests after training is the obvious way to measure training effectiveness. Quizzes and tests can genuinely check understanding and identify which employees understand the rules and which need further training or other remediation
Finding ways to check training is effective is a hobby horse that I have been riding for around a decade. In my article on the SCCE Compliance and Ethics blog, I suggested there are three ways to document training:
- By gathering attendance records
- By asking people to sign a document confirming that they have understood the training
- By giving a test to check understanding
Clearly, people can attend courses but not pay attention. Simply attending a course does not verify knowledge and understanding. Signing a document showing that you will comply with rules is more helpful. But it can easily happen that an employee signs a document saying they will do something without genuinely understanding. However, if someone passes a test following training, then this provides clear evidence of learning and understanding. This both helps a company ensure its employees actively understand available training while also validating the process for a regulator.
Numerous Questionmark customers use our OnDemand service to check knowledge and understanding after compliance training, including following security and privacy training. Such tests often not only check the rules but give scenarios to check whether people know how to apply them in realistic scenarios. Questionmark also has some compliance tests on the GDPR and cybersecurity.
Thanks to my colleague Paula Baciu, Questionmark’s Assessment Content Manager, who works out of Romania, for helping check the facts of this case and editing this article.
The key takeaway – if you are training your employees on privacy and security, make sure that you don’t just run the training –also verify employees understand the rules and how to apply them.
For more information or to get a demo of our platform, talk to us today.