GDPR has been law across Europe since 25 May, 2018. It represented a sea-change in how companies must treat data. For any complex regulation, training is one of the best ways to mitigate the risk of things going wrong, and support staff to do it right. Online training is particularly effective when it comes to GDPR training because data protection is about the practical, every-day requirements of keeping data safe and secure.

Does GDPR require employee training?

All staff who are involved in the processing and storing of data must be familiar with their organisation’s data protection policy and follow it. Training is one of the key measures a company can take to help their staff understand and follow their organisation’s data protection procedures and comply with the regulation. But a one-off generic course is not enough. Training should be relevant and speak to each user’s unique role and responsibilities.

Is GDPR training mandatory?

While GDPR training may or may not be mandatory, depending on your jurisdiction and the type of organisation, the bottom line is that GDPR compliance is mandatory. Training that is relevant to each user’s specific role and responsibilities and that includes realistic scenarios and the option to customise can go a long way in ensuring that staff understand and have the tools they need to comply with the regulation.

Benefits of GDPR Training

An ongoing programme of effective GDPR training has many benefits, including:

• Increased job satisfaction amongst employees who know they are following best practice across the board
• Improved processes and procedures inside the organisation
• Reduced maintenance costs
• Improved consumer confidence and trustworthiness
• Better data security and reduced risk of a data breach
• Potential to enhance the reputation of the company as being at the forefront of data protection

GDPR Staff Training Requirements

EU GDPR does not include much mention of training, but does say that in companies with a DPO, one of the DPO’s responsibilities is to ensure that staff is aware of and trained in GDPR. Regarding GDPR in the UK, twhich is under the ICO’s authority, organisations must demonstrate that they are taking necessary steps to comply with the regulation.

European GDPR training requirements

GDPR might be heavy in regulations, but it’s rather light in training requirements. Only three out of 99 articles in GDPR even mention training.

Article 39 of GDPR specifies the tasks of the data protection officer. Not every organisation must appoint a DPO, but for those that do, the DPO must have at least the responsibility:

to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

Article 47 of GDPR expands on the tasks of the data protection officer in reference to binding corporate rules which allow for data transfers between a group of companies and states:

the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

The only other mention of training in GDPR is Article 70 which discusses the tasks of the European Data Protection Board, a body of the EU similar to the European Commission and responsible for the application and upkeep of GDPR. One of the tasks of the board is to:

promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

However, this is in reference to training programmes between supervisory authorities – the national bodies in each country responsible for data protection law – in the UK this is the ICO. GDPR only specifies training of individual staff members of a company in relation to the tasks of a DPO.

This does not mean, however, that a company can avoid training their staff if they decide not to appoint a DPO. It only means GDPR is a high-level explanation of European data protection law, and outwith the specified tasks of a data protection officer, it does not lay down how the regulation must be applied on a business level, because the next step down from GDPR is how each country interprets the Regulation.

UK GDPR training requirements

The Information Commissioner’s Office is the supervisory authority in the United Kingdom. This means it is the national data protection body tasked under EU and UK law with applying data protection law and setting regulations and standards.

The ICO discusses training in a number of places, and essentially makes staff training mandatory.

The ICO requires that an organisation be GDPR compliant. In addition, all organisations must ensure and be able to demonstrate that they are taking the necessary measures to comply with the law. One of the ways to do so is implementing staff training. At the very least, this would mean some kind of awareness training of staff to ensure they are aware of the rules.

In the ICO’s guide to GDPR for organisations, it further specifies when training is required.

Dealing with data protection rights, that is the right of access, erasure, to restrict processing, data portability and also to object to processing is required by data protection law. The ICO states:
you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.