GDPR has been a driving force for organisations to really get to grips with the protection of personal data. However one of the big areas of weakness which is still all too common is where organisastions require their staff to process data without providing appropriate training on data protection. It’s unrealistic to expect people to manage personal data properly if they’ve never been given the right training. And if something does go wrong and it comes to the attention of the ICO or another regulator, gaps in training and awareness levels will quickly come under scrutiny and become exposed.

To quote a recent tweet by the ICO, “Staff training is absolutely key. We will nearly always ask about this and will expect to see evidence that it has been delivered to an appropriate standard.”

An organisation should have clear data policies and processes to guide their staff how to act when processing personal data. But they’re meaningless if those who process the data haven’t been told about them and requested to follow their guidance. When were your data policies and documented procedures last reviewed? Are your employees aware of policies and do they use them to guide their ways of working? Do they truly understand why data protection is important to your organisation? The message that data protection is important has to come from the top. If the board don’t take it seriously, if senior or mid-level managers don’t value its importance and necessity, it will be near impossible to get the message through to other employees.

Some companies have shown they can implement cultural change across any number of thematics – aligning data protection commitments with your broader organisational values will drive this message home. Think of it as a two-pronged approach – Awareness and Training


An awareness programme for data protection can be used to support and reinforce training. Awareness campaigns can be delivered through a variety of different methods and on an on-going basis. You need to be clear what messages you want to deliver – for example, keeping passwords safe, confidentiality, how personal data breaches might occur, individuals’ rights etc. Messages should be simple and appropropriate to the threats your organisation faces. Core messages can be promoted through internal newsletters, pop-up intranet messages, posters, meetings, break-out sessions and so on. The more fun and engaging awareness is, the more effective it will be. And as unlikely as it sounds, it’s possible to make data protection interesting and fun! If you have creative, innovative teams in your organisation – get them to help.


As a first step, identify who needs training and what training content they need. Regulators would expect anyone who handles personal data in their day-to-day work to have received an appropriate level of data protection training. It’s likely too that other employees will require more in-depth role/function-specific training.Training can be delivered in a number of ways, such as;

  • Instructor-led workshops/classes (delivered by an internal or external instructor)
  • Instructor-led webinars/video links
  • Online or offline learning

What is crucial is being able to track who has been trained and what training they received. Not doing so means there’s no way to clearly demonstrate your diligence. Remember the ICO for one says it would want evidence. It can also be helpful to ensure you include some form of test to assess levels of understanding and getting feedback from those who’ve been trained is a valuable way of evaluating the effectiveness of your training programme.Training can’t be just a one-off and ticked-off activity. It needs to be an ongoing process, with content refreshed as necessary. Those responsible for data protection should work closely with HR and/or training teams to ensure data protection training is implemented and effective. Creating and embedding training that includes information security, data protection and privacy, e.g. collecting data, lawful use, data retention, following company policies etc. is not easy, but can perhaps be encouraged by using motivators and incentives.

The regulatory view

You might think the UK’s Regulator, the ICO, has been relatively quiet since GDPR was enforced last May. The announcements of the big dreaded fines have been few… but be careful. The ICO has been taking action under previous legislation (for infringements prior to 25 May 2018), under GDPR, and continues to take action under the Privacy and Electronic Communications Regulations (PECR) – which sit alongside the GDPR. You can see a full list of actions they have taken here.

Furthermore, and not publicly, many organisations have been receiving information notices from the ICO. Such notices are sent when the Regulator would like further information following a complaint submitted to them. A response to these notices may be considered sufficient with no further action required or further action may be taken. However, most if not all, of these notices will contain a key message to ensure appropriate policies and procedures are in place AND that staff are appropriately trained.The ICO takes training seriously. You should too.

I am reminded of the Heathrow Airport (HAL) case, in which a fine was imposed following the loss of a USB stick. Among other things, the ICO found, “At the time of the incident HAL had limited data protection training in place. There we no specified documented processes for determining which staff should receive training or for monitoring uptake”. Furthermore, “HAL estimated that only 2% of its 6,500 employees had received data protection training, being those deemed to be at greatest risk of exposure to personal data”.

Help is at hand

Opt-4, in conjunction with  others, has developed an online training course – “GDPR Fundamentals” – aimed at providing employees with a solid, generalist-level of data protection knowledge. It’s an easy to roll-out solution, which includes an end of course test, reporting for employers and it’s refreshed twice a year.

Philippa Donn, Senior Associate, April 2019