A full version of this article first appeared in Privacy Laws & Business.
What’s the single most important ingredient for a successful compliance programme? The one crucial element without which you are guaranteed to fail? The thing that nobody will want to do but is critical for everybody to undertake? The answer? Training.
You can have the best written policies in the world but if people do not understand why it is important to follow them, they will not work. Training is the answer. Not just any old training though. You need to have an engaging, relevant and regularly updated training programme, interesting to participate in, relevant to people’s roles and motivating to ensure people do the right thing. This is not something that is easy to come by.
What does the GDPR say?
The importance of training as a key component in ensuring compliance is recognised in the GDPR. Under Article 39 DPOs are tasked with training staff involved with processing operations. Under Article 47, one of the key requirements for Binding Corporate Rules is the provision of “appropriate training” to staff (including contractors and temporary staff) who have access to personal data, and monitoring of such training by the data protection officer or other person responsible for data protection compliance. Article 24 requires organisations to implement “appropriate technical and organisational measures” to ensure compliance with GDPR, including implementing policies where appropriate.
So, training is not just a practical requirement to enable implementation of your data protection compliance programme. It is also a legal requirement under GDPR.
What does good training look like?
As with most aspects of data protection compliance, there is no one-size-fits-all answer to training requirements. To get the most out of training, you need to consider both the content and the best means of delivery. In the sections below we consider the pros and cons of different types of training, what we have seen work well and provide some suggestions for a good training programme.
E-learning is a great way to reach a wide group of people and to provide an overview of general requirements. E-learning platforms can also be used to track the completion of training, to test knowledge and to send out automatic reminders to members of staff who have not yet completed the training. Refresher training can also be scheduled and tracked.
The downside of off-the-shelf e-learning packages is that, by their very nature, they are generic. This means that they are not tailored to your organisation and so can seem irrelevant or, in the worst cases, dull.
The best e-learning packages will be tailored to your organisation. If you are writing your own training (or getting somebody to prepare it for you) you can ensure that you use the right tone of voice that fits with your organisation’s brand and you can tailor the content to the audience so that it is easy for them to understand and relevant to their roles.
In terms of content, it is most engaging to roll out bite-sized chunks of training over a number of weeks. If each module takes around 10 to 15 minutes to complete, you should be able to hold people’s attention and still get across important messages. If training is shorter it is also easier for people to fit into a spare slot between meetings or other work demands. Rolling the training out over a period of weeks also keeps awareness raised over a longer period and you can set mandatory modules for different teams, so that staff receive training that is relevant to their roles.
The content of each module will vary depending on the nature of your data processing activities and the way in which your teams are structured. A general introduction module which provides an overview of the key data protection principles should be mandatory for everybody and additional modules could include the following:
- Information security
- Data breach management
- Handling HR data and dealing with employee GDPR requests
- Handling customer GDPR requests
- Marketing rules and guidance
- Privacy by design and by default
- Carrying out data protection impact assessments
- Procurement issues and international transfers of data
While e-learning packages can provide a good grounding in basic concepts, it is always a good idea to back this up with face-to-face workshops. Workshops for specific teams can go into greater depth than e-learning tools and provide a forum for people to ask questions and to discuss how to tackle things in practice. This format is particularly useful for non-desk-based staff, although this can be challenging for the training team if your organisation has a wide geographic spread.
The key to a successful workshop is to include practical case studies for teams to work through. It is a good idea to speak to stakeholders ahead of workshops to get an idea of areas where teams need more guidance, and to identify issues that keep recurring so that these can be included in the workshops.
The downside of workshops is that they are labour-intensive to prepare and deliver. However, if you plan a series of workshops throughout the year and enlist data champions to assist with arranging and delivering the workshops, the burden can be lightened. Face-to-face workshops also allow people to work together with the data protection team, making it less daunting to raise questions or to report issues that arise in the future.
Webinars and videos
Where staff are based in multiple locations, webinars can be a good way to reach a number of teams at the same time. It is harder to include practical workshops in webinars and to make them engaging for participants. However, most webinar tools allow participants to raise questions electronically during the webinar, meaning that you can tackle queries as they arise. It is also a good idea to have more than one speaker, as a change of tone and a different point of view can help to keep people interested.
A number of e-learning providers are using games as a way to train people. This can be a great interactive way to keep people’s attention, although often the nature of the questions posed in games can mean that the training is not very wide-ranging. Having a mixture of e-learning followed by a quiz in the form of a game can be a good way of reinforcing learning.
Tying training to policies and procedures
Your staff’s time is valuable. To get the most out of training, it is crucial that they come away with greater knowledge of data protection obligations and that they know where to go to find out more. Therefore, no matter the type of training that is provided, it is always a good idea to signpost your policies and guidance so that staff can revisit them after the training in their day-to-day roles.
It is also important to ensure that the training reflects how you want your policies and procedures to work in practice. It is no good training people to understand that personal data breaches have to be notified to regulators within 72 hours if you do not, at the same time, explain how your internal breach notification procedure works, the internal deadlines for notification (which will need to be considerably less than 72 hours) and who makes decisions about whether to notify regulators.
For those with particular responsibility for data protection compliance, more in-depth training will be required. For people in these roles it is useful to consider an external certification. There is a wide variety of certifications available but those with the most value tend to include a mixture of face-to-face training, personal study based on textbooks or manuals and an exam at the end.
Finally, no matter the level of training provided, it is a good idea to provide incentives to complete the training. This could simply be the kudos of achieving a certificate, chocolates for all who attend a workshop or prizes available for the first ten people who successfully complete an e-learning module. Similarly, there should be negative consequences for those who fail to complete mandatory training, whether that be informal admonishment from supervisors or formal disciplinary action.
The perfect recipe
A good training programme will include a mixture of all the elements above. Different people learn in different ways, so providing a range of different training methods is vital. Training budgets are not endless, but investing in decent training will reduce your organisation’s risk profile, provide useful, transferable skills for your staff and should reduce the burden on your central data protection team (whether that be one poor soul or a whole army of data champions).