Do I need ongoing GDPR training?

In today’s world, we all end up processing personal data in some capacity, even if we are not in a client- or customer-facing role. GDPR training has become essential for the whole team. Without good training, staff will lack the awareness required to complete their day-to-day tasks in a GDPR-compliant manner. They are then more likely to make mistakes, which can lead to fines or enforcement action.

To deal with this issue, most companies have rightly put in place some GDPR training. This may be an e-learning course that employees must complete before they start their roles, or a classroom-based data privacy induction.

But is that enough to stay compliant and avoid financial penalties?

In most cases, no.

In this article we’ll look at why GDPR training needs to be completed on an ongoing basis. We’ll examine how changes to the meaning of GDPR, humans’ natural forgetfulness, and the regulators’ own accountability frameworks all set out the need for ongoing training.

The meaning of the law changes often

The actual meaning of the law changes quite frequently. Whilst the GDPR legal text has not changed since GDPR came into force, besides some minor changes to the law following Brexit, many legal cases and enforcement decisions have changed how GDPR is interpreted.

Let’s look at some examples.

EU Schrems II – The case that invalidated the EU-US Privacy Shield

EU Schrems II is arguably the biggest GDPR case since the regulations came into force. This ruling found that the EU-US Privacy Shield was invalid. It triggered a compliance headache for many companies across the EU, especially those that rely on US-hosted tools like Mailchimp, Google Analytics, Google Workspace and Office365. For these companies it changed overnight how GDPR applies to restricted data transfers from the EU to the US. The impact was similarly felt by UK-based companies, which now operate in a grey area unless they implement other data transfer mechanisms such as SCCs.

This is just one example of how knowledge of GDPR acquired in 2018 would now be considered out of date in 2021.

The UK’s new Data Protection and Digital Information Bill

Although at the time of writing this bill has not yet become law, it does provide a good example of how the law can vary between different countries/member states. The UK government is proposing to overhaul the UK’s data protection laws, including making several amendments to the Data Protection Act/UK GDPR and PECR. The bill will change how the GDPR rules are applied within the UK. While many of these changes will reduce burdens on UK businesses, some proposals will require compliance action from UK businesses. Any company that does not take the initiative to train its team on these changes puts itself at financial risk of penalties for non-compliance, and also risks missing out on the new commercial opportunities that this bill will unlock. For some companies, making changes in line with the proposal will save money in the long run, given the reduced administrative burden these proposals intend.

Some other recent examples…

The Finnish DPA established that patients should be given a copy of their medical files free of charge under Article 15(3) GDPR, even when the files include X-rays and magnetic resonance images which need to be burned onto a CD/DVD.

The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for letting a third party enter into a contract using the personal data of another individual, without their knowledge or consent.

The Belgian Supreme Court ruled that the lawfulness of a data processing activity should have been assessed under Article 6 GDPR even if no personal data was processed. The case related to a customer’s refusal to provide information relating to an electronic ID card to become part of a store loyalty program.

Each case can change how GDPR is applied. Supervisory authorities expect companies to respect their judgements, especially when they issue warnings or fresh guidance in the wake of these changes. To minimise your risks of fines and other compliance issues you should keep your whole team up to date on changes to GDPR by completing ongoing training.

Humans are forgetful

We tend to forget information over time. Especially a topic as dry as GDPR.

For me it’s high school chemistry. I studied it, I even passed it with a good grade. But I couldn’t tell you much about how atoms bond now. They get close, and there’s heat, right? I’m not sure anymore. The point is, we forget over time. Especially if our primary job is not GDPR compliance.

So if your team completed that one GDPR training course a year ago, or sat through that one GDPR talk three years ago at a conference, then it’s probably time for a refresh.

It’s probably not enough to just set a simple course to be completed at the start of an employee’s tenure. You should make plans to test retention throughout the year, and when any major changes come into force you should make sure that staff are updated.

The regulators are making it clear that doing GDPR training just once isn’t enough

Supervisory authorities are the authorities within the UK and EU member states that enforce GDPR. Within the UK, some enforcement cases have highlighted that, when deciding what fine to apply and which mitigating circumstances (factors which can reduce the fine) are appropriate, the question is not simply whether you have done GDPR training. It is more a question of the quality of the training completed and how and when it was delivered. Some of the things that regulators like the ICO consider include:

  • What GDPR training did you do?
  • When was it delivered?
  • How often have you completed GDPR training?
  • Who exactly was trained?
  • Was there a plan in place?
  • And did senior management give sign-off?

In the ICO’s accountability framework they clearly outline the requirement for refresher training at “appropriate intervals”.

Specifically they state that to meet their expectations refresher and interval GDPR training must fulfil these requirements:

  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Your staff receive induction training prior to accessing personal data and within one month of their start date.
  • Your staff complete refresher training at appropriate intervals.

Wrap up

To wrap up, GDPR training doesn’t work as a one-off exercise. As we’ve identified above, you will be leaving yourself open to enforcement action like fines if you fail to keep up with changes to the law. You also cannot rely on your team remembering everything you taught them in that super boring one-off e-learning exercise. Even organisations that complete GDPR training annually can end up with fines. Training can be a mitigating factor that reduces or eliminates a fine after an investigation, but only when you can prove that your training programme is truly effective and well organised.

In short, do you need ongoing GDPR training? Yes.