GDPR might not be everyone’s favourite topic but it is important. With financial penalties for non-compliance soaring over the last few years, there’s never been a more appropriate time to review your current training programme or to put one in place. When deciding on what steps to take you may be wondering who exactly needs to do GDPR training and what the actual GDPR legal text says about training. In this article we’ll answer all of these questions and we’ll look at what the lead regulatory body (ICO) in the UK says about how you can meet your data privacy training requirements as part of their accountability framework.
What does the law say about GDPR training?
The UK GDPR and EU GDPR legal texts make only limited mention of “training”. The clearest example is Article 39, which sets out the role and responsibilities of the Data Protection Officer:
Art. 39 GDPR:
When discussing the role of the Data Protection Officer it states that their responsibilities include “to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;”
While training is specifically mentioned only a handful of times, the GDPR still carries a number of obligations under its Accountability principle that would be supported by a training programme for employees who handle personal data.
The UK’s supervisory authority set out its view on the role of data privacy/GDPR training in the notes of a recent enforcement case (fine) against a Scottish charity:
“Whilst there is no fixed requirement within the DPA or the GDPR as to the type of data protection training an employee should undertake, or when it should be provided, as part of a controller’s organisational measures to safeguard personal data the Commissioner would expect an organisation to train employees handling personal data, and in particular data which is special category in nature or by inference before an individual is given access to such data.”
All of the above, in addition to the fact that GDPR fines for non-compliance can reach up to £17.5 million or 4% of worldwide annual turnover, means that the justification for a good training programme covering all employees who process personal data is strong.
Side note
The proposed changes to UK GDPR brought by the Data Protection and Digital Information Bill state that the “Senior Responsible Individual” (a new data protection role that will be required within some companies) will be responsible for organising or delegating the “training for employees of the controller who carry out processing of personal data”. We expect this bill to become law by the end of 2022; however, it is still subject to change. You can join our email newsletter if you would like to be updated about this.
Who needs to do GDPR training?
If your aim is to reduce the risk of receiving a financial penalty or legal order in relation to a breach of GDPR compliance, then anyone that processes personal data within your organisation should receive GDPR training.
The scope of employees that are processing personal data is likely to be wide, because the definition of “personal data” and “processing activities” under GDPR is broad.
Personal data can include any information relating to your employees, customers, suppliers and external parties: for example, the names of your customers, their email addresses or their home addresses. It can also include digital information collected through devices, for example the IP addresses of the computers or mobile phones that your employees use to access your IT network, or the time and date (metadata) of phone calls that customers or suppliers have made to your organisation. All of this data needs to be protected under GDPR.
The definition of “processing” personal data under GDPR is also very broad. Simply “accessing” – looking at – personal data can be considered data processing, as can common actions like recording personal data, for example adding customer details to a CRM tool or digital contact book.
With the scope of GDPR being so broad, it is likely that at least 90%, if not all, of your employees are processing personal data in some form in order to fulfil their role, and they would therefore benefit from GDPR training in order for you to:
- Reduce your risk of financial penalties.
- Reduce your risk of personal criminal prosecution.
- Reduce your risk of damage to your brand or reputation because of poor data privacy management.
- Be able to demonstrate your compliance with the accountability principle of GDPR.
- Be able to demonstrate mitigating circumstances if a GDPR breach does occur at your organisation.
Does training need to be repeated or refreshed?
Yes. Unless the staff member works in a legal or compliance/policy role, their knowledge of GDPR will likely fade over time as they continue with their core working tasks. Staff do not need to learn everything again from the ground up, but it is good practice to issue staff with regular refresher training at least once a year.
This also helps staff keep up with the latest changes in data privacy law. Since GDPR was first introduced there have been several changes which have altered the way that we apply GDPR. Each time a court, regulatory body or supervisory body makes a decision on GDPR or releases new guidance, how GDPR should be applied changes.
Keeping up with all of these changes as they happen can be difficult, especially for staff with no formal legal training. It is therefore wise to condense this information into regular refresher training so that your team can get the information they need quickly and then get back to their core working tasks.
What does the ICO suggest?
The ICO is the lead supervisory authority for the GDPR within the UK. They enforce GDPR through legal orders, investigations and financial penalties. They also support businesses and organisations in their compliance journey and handle complaints from the public about the misuse of their personal data.
The ICO discusses the role of training in their Accountability Framework.
They cover the following expectations in the framework:
- All staff training programme
- Induction and refresher training
- Specialised roles
- Monitoring
- Awareness-raising
All staff training programme
An all staff training programme requires that all staff receive at least basic data privacy law training.
Ways to meet the ICO’s expectations for an all staff training programme:
- “Your programme incorporates national and sector-specific requirements.
- Your programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.
- You consider the training needs of all staff and use this information to compile the training programme.
- You assign responsibilities for managing information governance and data protection training across your organisation and you have training plans or strategies in place to meet training needs within agreed time-scales.
- You have dedicated and trained resources available to deliver training to all staff.
- You regularly review your programme to ensure that it remains accurate and up to date.
- Senior management sign off your programme.”
Induction and refresher training
- Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
- Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
- Your staff receive induction training prior to accessing personal data and within one month of their start date.
- Your staff complete refresher training at appropriate intervals.
Specialised roles
- You complete a training needs analysis for information governance and data protection staff to inform the training plan and to ensure it is specific to the individual’s responsibilities.
- You detail training and skills requirements in job descriptions.
- You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they are subject to proportionate refresher training.
- You keep on record copies of the training material provided as well as details of who receives the training.
Monitoring
- “You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.
- You keep copies of the training material provided on record as well as details of who receives the training.
- You monitor training completion in line with organisational requirements at all levels of the organisation, and you follow up with staff who do not complete the training.
- Staff are able to provide feedback on the training they receive.”
Awareness-raising
- “You have evidence that your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts and blogs.
- You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.”
Do I need to keep records of staff training?
The GDPR does not specifically state that you must keep records of your training efforts. However, keeping documentation of this would help you demonstrate your compliance with the accountability principle of GDPR.
The ICO’s accountability framework advises keeping records of training. These records include which staff completed training, when they completed it, and which training materials they completed. It also advises that you regularly review your training materials and schedule staff to complete refresher training at appropriate intervals.
From analysing the notes of recent ICO enforcement action (fines), we can see that a robust training programme can be considered a mitigating circumstance when deciding on the value of a financial penalty or set of legal orders. Demonstrating that your training programme is adequate is arguably difficult without keeping some records.