Let’s start with the hard facts.
Breaching the UK General Data Protection Regulation (UK GDPR) rules is serious and the number one cause of data security incidents is staff error.
Handling personal data incorrectly and in breach of mandatory legal requirements could have several negative implications for your business:
- Regulatory action and legal consequences, including heavy fines as high as £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
- Negative publicity for your business – i.e. bad press if there is a personal data breach.
- Loss of business and goodwill damage – customer mistrust could be incredibly harmful.
It is vital that everyone in your organisation is properly trained on the UK GDPR rules and how to comply with them. Staff are often the biggest risk when it comes to personal data breaches, and training can really help avoid this.
In the ICO’s guidance on common data protection mistakes, the regulator cites sending emails to the wrong person and opening unfamiliar web links or attachments as common mistakes – both issues could easily be fixed with data protection training.
In this article we’ll explore 3 of the most frequently asked questions around UK GDPR data protection law training and how to run it effectively. To understand the wider benefits of staff training, see our article.
Here are some of the most frequently asked questions around staff training, and our answers to them:
Why do I need to train my staff on the UK GDPR?
Training is extremely important under the UK GDPR rules. Under the UK GDPR, there’s an obligation for businesses to make sure they have appropriate ‘technical and organisational’ measures in place to protect personal data.
Training can reduce mistakes and help with damage control if a data breach occurs – often, breaches happen through simple human error (which training can help avoid).
In the worst case, if the ICO investigates a data breach at your business, showing that you have organisational measures in place that could have avoided the breach or reduced its impact could help when the ICO decides what action to take against you.
All of your staff need to understand UK GDPR and be comfortable in dealing with personal data such as handling requests, data sharing, information security, personal data breaches and records management. The ICO has published guidance on a comprehensive GDPR staff training programme, making the need for training all the more important.
What should my staff UK GDPR training cover and who should I train?
There isn’t a one-size-fits-all approach for every organisation. The type of training you need depends on your organisation’s business model and the type of personal data it processes.
Smaller organisations using minimal personal data may feel comfortable with basic training, whereas larger organisations processing high volumes of personal data (including special category or highly sensitive data) might need more bespoke training and different types of training for different teams (for example, a marketing team might need specific training on the rules around email marketing, and an HR team might need training on handling staff data).
At the very least, staff should understand:
- The basics of the UK GDPR and what it means, e.g. what personal data is and the 7 key UK GDPR principles.
- How personal data is collected and how it flows through your organisation, including who it’s shared with and why.
- The lawful basis for processing personal data in your organisation.
- What they can and cannot do with personal data.
- What to do if there is a data subject request such as a subject access request.
- What to do if there is a data breach.
- How long personal data can be retained and the process for deleting it.
Certain members of staff will require a higher level of training, depending on how much personal data they process in their everyday roles and the risks around that data. However, training should be rolled out to everyone at your business, from your marketing to IT to HR teams.
Training can be delivered in person or online, but it can also help to contextualise your training sessions so that each member of staff remembers the training ‘in real life’. Recommended methods include case study simulations, e-learning courses for interactive classes, posters with visual guides, and easily accessible email updates on policies. Q&A during training sessions can be particularly helpful, so that staff can ask questions when they need to and fully get to grips with this topic.
It’s crucial that you maintain full records of all training sessions given to staff, i.e. the time, date and any absences. You might need to provide this documentation if your business is ever investigated, for example in the event of a personal data breach.
When should I run the training and do I need to repeat it and update the training materials?
Staff training should be conducted right at the start, at the induction or onboarding stage, to ensure compliance at the outset. After that, we suggest conducting it at least annually. It really must be part of your organisation’s systems and not just seen as a ‘tick box’ exercise. Testing the knowledge of staff can help to ensure that they’ve digested the materials, for example by using a quiz.
You can also run extra training sessions on a regular basis for certain departments that need specific training. Training can also be rolled out ad hoc when needed, such as where a breach has occurred and staff need a refresher on how to handle and prevent personal data breaches. When breaches are fresh and everyone is more alert, refresher training is hugely valuable.
The length of training can vary, depending on whether it is introductory ‘basics’ training (e.g. for new joiners) or in-depth, bespoke training for senior staff such as data leads and IT and data security teams. In particular, staff with particular responsibility for personal data (such as DPOs or Heads of HR) should be given bespoke training to ensure that they are fully equipped for their roles and any data protection issues that arise.
UK GDPR compliance needs to be an ongoing process and organisations should update their training materials when needed, to make sure they stay compliant. For example, where a business changes internal processes and this has an impact on how personal data is used, staff training should be updated to reflect it. In addition, training materials should be updated to reflect fast-changing data protection laws, when necessary.
How can Harper James help me with training my staff?
A lot can go wrong if an organisation breaches the UK GDPR rules, including serious fines and huge damage to reputation. Staff training is critical, not optional, and can really help a business prevent damage.
This can be a daunting topic, so if you’re unsure what you need to do to comply with the UK GDPR and data protection laws, take a look at our Data Protection Health Check package. This includes access to three online staff training videos.
Our team can also provide specialist and bespoke training for organisations with more complex requirements. It’s fair to say that not every organisation is able to keep up to date with the latest data protection laws and ensure compliance. Our team can help check whether your training deck is current and fit for purpose. Our data protection specialists can also keep you up to date on any privacy updates that need to be incorporated into your training programme.
Our friendly team can help if you’re struggling to produce or maintain a suitable training deck. We have also developed a Data Protection Health Check package to help businesses understand their compliance and training requirements.
Please contact us if you’d like our support with training your staff on the UK GDPR or compliance generally – we’re here to help.