One-off data protection training isn’t enough – are you getting the message across?
GDPR has been a driving force for organisations to get to grips with the protection of personal data. Staff training is one of the things the ICO expects to see as evidence that you are compliant, and the Regulator will look more kindly on an organisation that has taken the trouble to train its staff adequately.
Let's face it, it's unrealistic to expect people to manage personal data properly if they've never been given the knowledge and tools to do so. Imagine asking people to work at height without health and safety training.
And if something does go wrong and it comes to the attention of the ICO or another regulator, gaps in your training and awareness programme will quickly come under scrutiny. To quote a tweet by the ICO:
“Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”
You may have had a flurry of activity when GDPR came into force in May 2018, but have you kept your training programme going since? A one-off online course is unlikely to cut it in the eyes of the ICO.
Have you managed to breathe life into your carefully crafted data protection policies and processes, so that they actually guide staff on how to act when handling personal data? Are your employees aware of the policies, and do they use them? Do they understand why data protection matters to your organisation and what it gains from getting it right?
The ICO Accountability Framework contains helpful checklists covering what the Regulator expects of training, and they can help you work out which groups of employees should attend which course. Here's my summary of those expectations.
Data protection training programmes
You need a training programme for all staff who handle personal data in their day-to-day work. As a first step, identify who needs training and what content they need. It's very likely that some employees will require additional, more in-depth training specific to their role or function.
Data protection induction and refresher sessions
The training does not stop with one session. You need to maintain some momentum.
- Induction – as new members of staff arrive, they need to understand your organisation's data protection practices in the same way they are inducted into Health & Safety rules. It should be an essential part of the starter pack.
- Refresher – if you haven't run any GDPR training since 2018, now would be a good time to consider refresher courses. Compare this to the CPD requirements in HR or Financial Services: keeping knowledge current is simply part of being able to do the job effectively.
Specialist data protection training
It's likely that particular teams or departments will need to build their skills with more in-depth training on certain topics.
For instance, Data Subject Access Requests (DSARs) are usually handled by nominated individuals, who may need detailed guidance on recognising, logging and responding to them within the statutory timescale. Masterclasses or clinics may suit these groups.
Others may need to understand in more detail how to conduct Data Protection Impact Assessments (DPIAs) or Legitimate Interests Assessments (LIAs).
If a course has not been completed, or an individual did not attend, you need a process for following up. Whoever organises the training needs to make sure attendance is checked and recorded, perhaps with a certificate of attendance.
There needs to be a clear record of who has completed which course. The DPO, or whoever is responsible for data protection, should have oversight of this and be able to produce that evidence if the Regulator asks for it. End-of-course tests are also a useful way of demonstrating that a good level of understanding was actually achieved, rather than simply that someone clicked through the slides.
Ideally data protection training would be embedded with all the other training staff are required to undertake.
Research carried out by the DMA (Data & Marketing Association) suggested that awareness of GDPR and related matters declined in 2019 compared with 2018. Basically, people had moved on to something else. To make matters worse, Covid will not have helped, with businesses forced to focus on other pressing matters.
It’s useful to ask staff for feedback on past training as well as raising awareness of training opportunities and sign ups. An awareness programme for data protection can be used to support and reinforce training. Awareness campaigns can be delivered through a variety of different methods and on an on-going basis.
As an example, core data protection messages can be promoted through internal newsletters, pop-up intranet messages, posters, meetings, break-out sessions and so on. The more fun and engaging you are, the more effective you’ll be.
And as unlikely as it sounds, it’s possible to make data protection interesting and fun! If you have creative, innovative teams in your organisation – get them to help.
How do you deliver your data protection training?
Training can be delivered in a number of ways, such as:
- Instructor-led workshops/classes (delivered by an internal or external instructor)
- Instructor-led webinars/video links
- Q&A sessions
- Online or offline learning
For any large organisation, it would be worth considering a training platform. These platforms can deliver online courses and also record who has completed each one, which gives you the evidence of attendance and completion described above.
What does the regulator think?
You might think the ICO has been relatively quiet since GDPR came into force in May 2018. Announcements of big fines have been few… but be careful. Away from the headlines, many organisations have been receiving information notices from the ICO.
Such notices can be sent when the Regulator wants further information following a complaint submitted to it. Your response may be considered sufficient, with no further action required. However, most, if not all, of these notices carry a key message: make sure appropriate policies and procedures are in place AND that staff are appropriately trained. The ICO takes training seriously. You should too.
More information on the ICO’s training expectations can be found in their Accountability Framework.
Julia Porter, Partner, DPN
We have developed and regularly deliver general and specialist data protection training. All of which can be done remotely. We’re flexible and can tailor our workshops and clinics to suit your needs. Find out more about DPN Data Protection Training.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.