How to focus data protection training on specific teams

January 2022

Is your GDPR training giving your teams the specific skills they need for their roles?

In any organisation, your people can be your greatest asset. But also from a compliance point of view, they might be your greatest risk.

We need to support the people who manage personal data in our businesses, to help them understand relevant aspects of the law and how the business expects them to behave.

Organisations are obliged to implement appropriate organisational measures under GDPR – staff awareness and training is a key part of this. I’d argue we should also show them how to manage personal data securely, responsibly and ethically.

The good news is the DPN’s Privacy Pulse Report shows the message around training and awareness has landed – with 80% of respondents saying their business had delivered data protection training within the last 12 months and a further 13% within 2 years.

But is the quality, depth and relevance of this training good enough? Does the training really help people in their day-to-day roles?

Different jobs require different levels of knowledge. Not everyone needs to know when to conduct a DPIA, and not everyone needs to know how to go about one. Clearly some team members need to know more about international transfers, DSARs, processor due diligence and so on.

The Report shows 81% provide generic online GDPR / data protection courses, whilst 61% deliver face-to-face or online training tailored to specific departments or job roles.

Just 20% provide in-depth workshops or masterclasses for key people and 13% provide some other form of training.

It’s clear quite innovative approaches are being taken to get key messages across, such as ‘privacy moments’ (e.g. bite-sized topical themes), regular internal bulletins, drop-in data surgeries or intranet content. The pandemic also has to be considered, as most training and awareness activity of late has been provided remotely.

What does good training look like?

The ICO Accountability Framework gives some useful checklists covering training expectations (including specialised roles), such as:

  • Detail training and skills requirements in job descriptions.
  • Keep evidence to confirm key roles complete up-to-date and appropriate specialised training and professional development, and are subject to proportionate refresher training.
  • Keep records of the training material provided, as well as details of who receives the training.

Data protection training will have limited value if it’s ‘one-size-fits-all’ and doesn’t drill down and support the teams who need to know more detail for their specific roles.

The application of the core data protection principles will vary enormously – from Marketing to Operations, from HR to a Contact Centre.

For example, marketers usually need to understand more about consent and legitimate interests, the right to opt out, what the law says about profiling, and so on. HR teams, by contrast, need to understand how data laws apply to recruitment and to the many different data tasks which take place for employment purposes, such as appraisals and development, health and sickness data, diversity, employee communications, payroll… and so on.

Ideally training should be provided separately to different key teams and tailored to provide useful examples, user-journeys or case studies, based on the different privacy aspects people need to consider for their own role.

Focusing on key teams

Naturally this could all become very time consuming and costly, so a pragmatic balance needs to be found between benefits and time.

It’s worth thinking about where the biggest risks lie in your business, so you can focus your time and effort on the key teams which have greater exposure to, and influence over, data risk. This will clearly differ for each business.

Some may choose to focus on their Sales & Marketing teams. Others may look to their HR teams to cover employee and contractors’ data, and recruitment practices. Others still may focus on customer-facing teams or developer teams.

Data Subject Access Requests (DSARs) and other data rights are usually handled by nominated people, who may need specialist in-depth training about how to handle them.

You’ll need to decide, if you haven’t already done so, which teams to focus your efforts on.

Remember inductions and refreshers

Many organisations will include generic data protection training as part of a new starter’s induction. If this can be tailored to their role, all the better!

It’s also important to remind people of the principles, or expand on their knowledge. If you haven’t provided any data protection training for a year or two… now would be a good time to consider some refresher courses. Compare this to industry CPD requirements, such as those in HR or Financial Services, which require regular training and refreshers. It’s all part of being able to do your job effectively.

To sum up, making sure people have appropriate skills and knowledge is one of the best ways to reduce the chance of privacy risks being overlooked and coming back to bite you! They say a chain is only as good as its weakest link.

Take the initiative – it’s worth spending the time to pass on your knowledge to others. And just like any successful communication, it’s far more effective when you put your audience front and centre and tailor the message just for them.