Updated April 2022

The EU’s General Data Protection Regulation (GDPR) has now been in force for a while. The regulation increases the responsibility and liability of organisations, with hefty fines having already been handed to Google by French authorities and other giants such as Whatsapp and Facebook facing investigations.

GDPR training for employees

All staff who are involved in the processing and storing of data must be familiar with their organisation’s data protection policy and follow it. Training is one of the key measures a company can take to help their staff understand and follow their organisation’s data protection procedures and comply with the GDPR regulation. But a one-off generic course is not enough. Training should be relevant and speak to each user’s unique role and responsibilities.

How often should staff take GDPR training?

The Information Commissioner’s Office (ICO), the UK’s data protection authority, spells out that staff must be trained, and regularly. The ICO states:

The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice. You should provide appropriate initial and refresher training.

What is GDPR refresher training?

Refresher training means additional training after staff have been trained initially. Refresher training does as it says, it refreshes the knowledge gained in the initial training and assesses whether staff have retained the knowledge. Refresher training is not just about rolling out the exact same training course to staff all over again. It should be specifically designed to come afterwards, and can take a variety of forms, including knowledge checks, risk assessments, micro courses or reviews of recent cases or examples of breaches.

A good GDPR training suite will contain a variety of courses, micro modules, guides, articles and other resources to roll out to staff on a training schedule designed to meet the needs of the organisation.

Read more: VinciWorks’ GDPR refresher training and advanced modules

Which topics should GDPR training cover?

GDPR training is most effective when it is focused, role-based training which relates to the specific requirements of a person’s job. This means those in the marketing department understand the requirements and rules on marketing and consent, while those in IT know about encryption rules and keeping data safe.

Role-based, relevant training is more effective than standardised courses, both in terms of time not being wasted, and ensuring that actual requirements are understood and used in an individual’s working life.

Over 50% of organisations train employees on data protection every year

Since employee error is the number one cause of data breaches, we conducted a survey to find out how often organisations are training employees on data protection.

The survey asked organisations across a multitude of industries and sizes how often they train all staff, managers, HR professionals and marketing departments on data protection. We expected HR and marketing to train every year due to their exposure to sensitive personal data. However, we were surprised to discover that over 50% of companies train all staff every year, regardless of their role.

This underscores how seriously organisations take this issue. A single error by any employee could lead to irreparable damage.

For organisations with over 500 employees, the results were even more pronounced. Nearly 60% of larger companies reported that all staff are trained every year.