GDPR has been law across Europe since 25 May, 2018. It represented a sea-change in how companies must treat data. For any complex regulation, training is one of the best ways to mitigate the risk of things going wrong, and support staff to do it right. Online training is particularly effective when it comes to GDPR training because data protection is about the practical, every-day requirements of keeping data safe and secure.
An ongoing programme of effective GDPR training has many benefits, including:
- Increased job satisfaction amongst employees who know they are following best practice across the board
- Improved processes and procedures inside the organisation
- Reduced maintenance costs
- Improved consumer confidence and trustworthiness
- Better data security and reduced risk of a data breach
- Potential to enhance the reputation of the company as being at the forefront of data protection
European GDPR training requirements
GDPR might be heavy in regulations, but it’s rather light in training requirements. Only three out of 99 articles in GDPR even mention training.
Article 39 of GDPR specifies the tasks of the data protection officer. Not every organisation must appoint a DPO, but for those that do, the DPO must have at least the responsibility:
to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
Article 47 of GDPR expands on the tasks of the data protection officer in reference to binding corporate rules which allow for data transfers between a group of companies and states:
the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
The only other mention of training in GDPR is Article 70 which discusses the tasks of the European Data Protection Board, a body of the EU similar to the European Commission and responsible for the application and upkeep of GDPR. One of the tasks of the board is to:
promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
However, this is in reference to training programmes between supervisory authorities – the national bodies in each country responsible for data protection law – in the UK this is the ICO. GDPR only specifies training of individual staff members of a company in relation to the tasks of a DPO.
This does not mean, however, that a company can avoid training their staff if they decide not to appoint a DPO. It only means GDPR is a high-level explanation of European data protection law, and outwith the specified tasks of a data protection officer, it does not lay down how the regulation must be applied on a business level, because the next step down from GDPR is how each country interprets the Regulation.
UK GDPR training requirements
The Information Commissioner’s Office is the supervisory authority in the United Kingdom. This means it is the national data protection body tasked under EU and UK law with applying data protection law and setting regulations and standards.
The ICO discusses training in a number of places, and essentially makes staff training mandatory.
The ICO requires that an organisation be GDPR compliant. In addition, all organisations must ensure and be able to demonstrate that they are taking the necessary measures to comply with the law. One of the ways to do so is implementing staff training. At the very least, this would mean some kind of awareness training of staff to ensure they are aware of the rules.
In the ICO’s guide to GDPR for organisations, it further specifies when training is required.
Dealing with data protection rights, that is the right of access, erasure, to restrict processing, data portability and also to object to processing is required by data protection law. The ICO states:
you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.