
GDPR training

How to train your staff

Since sharing our mini General Data Protection Regulation (GDPR) guide we’ve teamed up with Advanced Engagement to explore the potential need for GDPR training within businesses.

Advanced Engagement provides security awareness training programmes to companies within the private and public sectors. With GDPR coming into force on 25 May 2018, staff training could be an important factor in terms of putting the changes into practice. Graham Watson, Managing Director at Advanced Engagement, considers what businesses need to know:

“The GDPR documentation is extremely wordy so, without pulling out the specific legalese, there are a number of references to training and awareness which can be summarised as:

  • All organisations that are data controllers or processors need to be made aware of their obligations, including micro, small and medium-sized enterprises
  • The Data Protection Officer in each organisation is responsible for awareness raising and staff training
  • Corporate rules must include data protection training for personnel with permanent or regular access to personal data
  • The Board must ensure consistent application of the regulation, including common training programmes.

So, how can you meet these requirements in the most pragmatic and cost-effective manner?”

Graham explains why training is important, how to avoid the pitfalls and how to ensure the right knowledge is shared, and at the right level, in a staff training programme.

“Why training is important

Processes and procedures, especially new ones brought about by GDPR, are prone to human error. In fact, most data breaches happen because someone has mistakenly shared information incorrectly or left it in the wrong place. These trends are explored in more detail on the Information Commissioner’s Office website.

Avoiding training pitfalls

It’s important to train people at the correct level to reduce the risk of disengaging staff for the rest of any security awareness programme you may be running. There may be a small number of people within any business that need to understand GDPR in any depth, and topics such as consent, legitimate interest and data portability should be the primary focus. For everyone else, the basics of data security are likely most appropriate.

Providing effective staff training

We believe that engaging training that supports staff in specific situations is more important than teaching people to be GDPR experts. Delivering training that is factually correct is important, but if it doesn’t give staff a clear idea of what they should be doing and when, it’s wasted effort.

Training that’s been reduced to core messages, and that’s been designed to engage and train for behaviours rather than facts, is most effective for those who aren’t involved in the design of privacy impacted systems and processes.”

For further information or to discuss your potential training needs please contact Advanced Engagement.