Training your people in data protection: where to begin?

In most organisations, your people are your greatest asset. However, from a compliance perspective, without proper training, knowledge and understanding, employees might make mistakes with potentially serious consequences. They could miss key legal requirements – whether this be compliance with Health & Safety, Employment, Data Protection or any other relevant laws.

Organisations need to give people relevant training and guidance, but when it comes to data protection, establishing the most effective approach can be tricky.

Legal requirements

There’s a requirement under GDPR for organisations to ‘implement appropriate technical and organisational measures’. The ‘organisational measures’ part is where employee awareness and training come in, but the law doesn’t say how organisations should do this. Alongside this, organisations are required to meet GDPR accountability requirements.

Regulatory expectations

The Accountability Framework published by the UK’s Information Commissioner’s Office provides helpful pointers on what a ‘good’ data protection training and awareness programme would look like. To summarise, the following are key components:

Appropriate training in data protection and information security for all employees
Refresher training on a regular basis
Data protection and information security in induction programme for new starters
More specialist training for specific employees where relevant
Ongoing exercises to keep raising awareness

One size doesn’t fit all

Each organisation needs to work out its own approach. Some organisations (and indeed some teams within organisations) will handle much more sensitive data than others. Some employees may have very limited contact with personal data in their roles. While some may need to know how to conduct a Data Protection Impact Assessment, others may need to understand the nuances of fulfilling Data Subject Access Requests. Some teams may need to understand more about supplier due diligence, controller to processor contracts and the rules for international data transfers, and so on.

How the core data protection principles and lawful bases are applied in practice will vary enormously for different business functions – from Marketing to Operations, from HR to a Contact Centre.

For example, marketers usually need to understand more about consent and legitimate interests, the right to opt-out, what the law says about profiling, and so on. They also need to be very familiar with marketing rules under different legislation, such as PECR.

HR teams, on the other hand, need to understand how data protection laws apply to recruitment and to the many different tasks which take place for employment purposes, such as appraisals and development, health, sickness and absence data, diversity, employee communications, payroll and so on.

What does good training look like?

‘All’ staff training

Often, to cover baseline training for all employees, organisations will look to use an outsourced provider’s data protection training module(s). Alternatively, they may customise an external solution or develop their own training content internally.

In my experience, the quality of outsourced training modules can vary enormously, so it pays to do your homework and find an effective solution which suits your organisation well.

Just be mindful: outsourced generic online training which is not customised is unlikely to be enough on its own. For example, it won’t tell your people how to report a suspected data breach internally, or who to forward privacy rights requests to. It won’t cover your own internal standards or policies. Additional internal materials will be needed – be these policies, procedures, guides, factsheets, short videos and so on.

It’s worth repeating: the law doesn’t tell us how to embed the necessary knowledge and understanding. If you have certain roles where people’s handling of personal data is very limited, you may decide that making them sit through an online training module really isn’t necessary. You could choose different methods to instil simple, relevant and important ‘dos and don’ts’.

More specialist training

Training is likely to be most effective if it’s bespoke or tailored to the needs of specific functions or teams and provides useful examples, such as user journeys or case studies, aligned to the different data protection requirements people need to consider in their own role.

However, this could become time consuming and costly, so a balance needs to be struck between the benefits and the time involved. It can help to think about where the biggest risks lie in your business, so you can focus your efforts on the key teams which have greater exposure to, and influence over, data risk.

Does training need to focus on the Sales & Marketing team, the HR team, customer-facing teams, the development team, or anyone else?

Data Subject Access Requests (DSARs) and other data rights are usually handled by nominated people, who are highly likely to need more specialist knowledge in how to handle them. But if your organisation has never had any privacy rights requests, this is unlikely to be a priority area.

Organisational culture

Ideally you’d want training to align with your organisation’s culture. Training doesn’t have to be provided in a specific format and there’s nothing to say you can’t be creative. Some organisations use gamification, bite-sized videos, ‘win a prize’ quizzes and so on. Try to include humour if you can; a joke just might make a key message hit home.

To sum up, making sure people have the right skills and knowledge for your business is one of the best ways to reduce the chance of data protection risks being overlooked. Prevention is usually better than cure!