Here is a brief outline of training requirements outlined by the GDPR regulations and the ICO. With regards to the training, GDPR places the following obligations on the companies
- Article 39 (which requires to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits, and
- Article 47 (which requires “the appropriate data protection training [for] personnel having permanent or regular access to personal data”)
- The ICO audit scope includes staff data protection training and awareness amongst other things to audit.
- The ICO also requires that ‘Your business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.’
- In the ICO breach notification form, there is an explicit question “Had the staff member involved in this breach received data protection training in the last two years”
The IAPP (International Association of Privacy Professionals) in one of its publications recommends that to meet the above requirements, a comprehensive awareness program would look something like this:
- Executive level embrace of GDPR data protection principles in all company-wide communications, both internal and external;
- All-hands, required online training that emphasizes the centrality of data protection to the organization’s mission (It wouldn’t even have to be required, if you thought your culture was such that voluntary compliance would work);
- Focused, role-based training for those whose role in data processing has unique requirements (marketing, software development, call centers, etc. Training that is relevant to the job is demonstrably more effective);
- An organization-wide communication campaign that promoted all the positive aspects of protecting an individual’s data rights.
- The campaign might include posters, mailers, lunch-and-learns, etc. Anything to raise the profile of data protection in the organization; and,
- Repetition. All of the above only work if the message conveyed to employees is reinforced so regularly and consistently that data protection principles become part of the culture.
We hope you’ll find this useful in designing your training and awareness programs.