
GDPR Training Requirements

Every person in your organisation needs to have appropriate training so they understand how their role is impacted by UK GDPR and data protection rules, along with what is required of them to comply with these rules.

In this article we discuss how to develop a suitable training programme for your business and the additional benefits data protection training can provide.

If you’re unsure what you need to do to comply with UK GDPR and data protection laws, take a look at our Data health check package. This includes access to three online staff training videos. Our team can also provide specialist and bespoke training for organisations with more complex requirements.

Why is training important?

Training is key to equipping your staff with the knowledge and skills they need to do their job to the best of their ability. There are many reasons to train your staff, but one of the most important is that it is mandatory. The General Data Protection Regulation (GDPR) requires organisations to demonstrate that they are taking the necessary measures to comply with it. The way to do this is to ensure staff are trained so they know what they must comply with and why.

Training can reduce mistakes and also aid in mitigation should a breach occur. There is nothing worse than having a regulator knocking on your door and not being able to show that you have the organisational measures in place that could have avoided a breach, or at least reduced its impact. Staff should be comfortable dealing with personal data in areas such as handling requests, data sharing, information security, personal data breaches and records management. The ICO puts these forward as key areas to be included in a comprehensive GDPR staff training programme.

What should my training cover?

There is no right or wrong way to decide what should appear in your training deck, but some approaches are more workable than others. This will depend on your organisation’s business model and the type of personal data it processes. For example, larger organisations may choose to buy an “off the shelf” online training course that all their staff can undertake, which supports compliance and in turn accountability and good governance. However, whilst you may be able to tick the box that each of your employees has undertaken GDPR training, it may not always be effective. Effective training depends on several factors, such as the sector in which you operate, the size and nature of the organisation, and what categories of personal data (and special categories of personal data) your organisation processes. You may even need to consider different levels of training depending on the type and amount of personal data each function processes. For example, a corporate sales function will only deal with a limited amount of personal data (such as business contact details), whereas your Human Resources (HR) function will deal with more, and more sensitive, personal data, so the training for the HR team will need to be tailored to their job role and how they handle and process personal data.

Training for all staff

To help your organisation understand what personal data is, the importance of keeping it safe and the consequences of it being compromised, you may feel a simple training deck is sufficient to do the trick. This would provide basic information on what is required of the employee and the part they play in keeping personal data safe. This would not only help staff understand what personal data means at work, but also inform them of the importance of their own personal data and how they can check that others processing it are keeping it safe, for example by making sure only the minimum personal data is processed. Once you have a basic training deck, you can then consider developing it further to tailor it to your different departments.

HR training

This department processes a lot of personal data, including special categories of data and other sensitive data. Training in how personal data is handled, with whom it is shared and where it is kept are all important features that someone in the HR department would need to know. One example would be ensuring personnel files are kept under lock and key, with no easy access to the private documents. This would help to minimise breaches, as information is only shared on a role-based and need-to-know basis.

Marketing department

This department would not only need to be trained on GDPR, but also on the Privacy and Electronic Communications Regulations (PECR). These regulations govern the sending of electronic marketing to customers. Marketing staff would need to be made aware of topics such as consent, direct marketing, the lawful basis of legitimate interests, the soft opt-in and so on. There are many cautionary examples where the Information Commissioner’s Office (ICO) has fined companies for not complying with the regulations. One recent example is Homesense Limited, the home improvement company, which was fined £200,000 for making more than half a million unsolicited marketing calls. Investing in training could mean no or minimal breaches, or breaches of low impact. The ICO has published a draft Direct Marketing Code of Practice for consultation; this is for anyone who intends to conduct marketing directed at particular individuals, or anyone who operates within the broader direct marketing ecosystem. Such training should take into account this Code and the information contained within it.

How can I fit GDPR training into my business?

Training is best conducted at the induction or onboarding stage, to ensure compliance from the outset. Thereafter, it can be conducted annually. E-learning is well placed here, as the dates can be built into the e-learning platform’s processes, so that reminders are sent out at the allocated times and reporting information can be pulled. Built-in systems may work better for larger organisations, as notifications of non-completion of training can be sent to the compliance department to enforce.

Training can and should also be implemented ad hoc, for example where a breach occurs, using that particular breach as a training exercise without targeting any individual or department that may have been at fault. When breaches are fresh and everyone is more alert, refresher training is especially valuable. As above, some functions that handle personal data, such as HR, may wish to conduct training at more regular intervals than the allocated annual slot so that training remains fresh, which generally supports good governance.

How often do I need to repeat the training?

As a general rule, GDPR training is conducted annually, but as noted above, this will also depend on the business or the sector in which it operates. You can break this down even further by considering the separate functions in an organisation, as some may require GDPR training on a more regular basis. You may wish to build this into your processes having considered your organisation’s risk appetite. Annual training programmes should be kept up to date, which sends a clear message to employees that your organisation is committed to investing in them, which in turn improves performance and morale in the workplace.

How often should I update my training materials?

It’s fair to say that not every organisation is able to keep up to date with the latest data protection laws and ensure compliance. You will need either to accept the risk and satisfy yourself that the training you are providing is correct and up to date, or to consider instructing our team to check whether your training deck is current and fit for purpose. Many organisations opt for e-learning platforms in the hope that the training provided will be updated automatically, but unless you ask the vendor how often the training is updated, you cannot be sure that your staff are being trained on what is relevant and current. Training decks need constant revision and updating, as the world of privacy is fast-paced and constantly evolving. You will also need to consider your business needs and any transformation your organisation is going through. Our data protection specialists are able to keep you abreast of any privacy updates that can be incorporated into your training programme.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.


Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.
