How To Train Your Staff On The GDPR

Published on Apr 29, 2021

Raising Staff Awareness of GDPR | Training Programmes

Information Commissioner Elizabeth Denham, who heads up the ICO, has regularly emphasised the importance of General Data Protection Regulation (both UK GDPR and EU GDPR) training, stating that she expected everyone in an organisation to understand the significance of, and reasons for, compliance.

Data compliance training goes far beyond simply putting on a few presentations and getting staff to tick a box upon completion. The benefits of investing in a multi-faceted approach include:

  • Increasing customer and supplier trust in your data protection systems.

  • Developing safer products and services.

  • Attracting top talent in your market sector as a progressive and ethical organisation.

In contrast, the penalties for data breaches are high and not only in terms of fines. In the age of social media, where one tweet can ‘cancel’ a business, protecting your organisation’s reputation is essential.

Untrained employees are an avoidable risk

The biggest threat to your business is its people, especially given that we all carry the equivalent of a 1990s supercomputer in our pockets. A report by global research and consultancy firm Forrester predicts that 33% of data breaches will be caused by insider incidents in 2021, up from 25% last year. Another study found 60% of data breaches in the UK are the result of human error.

One of the most common types of data breach is personal information being emailed to the wrong recipient. ICO figures based on the number of reports of personal data breaches received from (data) controllers during Q2 2020-21 show that there were 402 incidents of this type of human error during the period. The education sector reported the most incidents of information being sent to the wrong recipient (84 incidents), followed by the health sector (73 incidents). Loss/theft of a device containing personal data resulted in 46 reported incidents, and the loss/theft of paperwork or data left in an unsecured location accounted for 141 reports. Furthermore, the ICO recorded 258 phishing incidents during the same period. These are just the reported cases. The actual numbers and the business costs associated with them will be much higher.

A robust GDPR training and awareness programme for employees, which includes regular refresher training, will not only make your organisation more competitive, but will also protect staff, suppliers, and customers from the damage that can occur from a data breach. Although developing and implementing effective privacy and GDPR training for employees requires a financial investment, this will be outweighed by the risk mitigation that will be noted by investors, customers, and potential prospects, who will want to see evidence of robust data protection policies and procedures.

Who needs GDPR and privacy training and awareness?

Outside of compliance teams who require extensive, ongoing GDPR and privacy training, it is important to establish how other staff members come into contact with privacy and data protection issues and develop bespoke training and awareness for each team and/or individual.

Every company handles personal data, which is why being GDPR compliant is so important. Business owners should train all staff in data protection and privacy, as both are organisation-wide issues. To do this successfully, in-person and online training must be embedded in the culture of the company and carried out regularly. Furthermore, training content and methods need to be updated to keep up with changing regulations, technologies, and threats.

How can I create successful privacy and GDPR training courses?

Below are our top six tips for developing and delivering a best-in-class programme in GDPR training for employees:

  • Do your research – find out how privacy and data protection impact teams and individuals and separate them into groups to ensure the GDPR course is relevant to their roles. Look at the number of staff you have – small organisations can deliver training online or in a classroom; however, large corporates, charities, and public bodies will need to consider scalable e-Learning course solutions.

  • Set measurable goals – examine what type of data protection incidents are occurring and assess whether there is a drop in the number of breaches following training. If not, adjust the content, training requirements, and in-person or online course delivery until you see results.

  • Get management buy-in – culture change starts at the top. Senior management must be seen to be receiving GDPR training and implementing best practices in their day-to-day operations.

  • Make training engaging – we have all attended boring training sessions that result in attendees switching off and retaining little of what is being communicated. Make the training practical and relevant to people’s jobs, include role-plays (but do not force your staff to join in), quizzes, games, etc. You can also get the message of how important data protection is across in unique ways, for example by putting posters up around the site/office, messages on mugs, T-shirts, and sending regular emails emphasising the main data compliance requirements.

  • Address behaviour rather than knowledge – setting a test at the end of a training block will allow you to see if knowledge has been maintained but will not necessarily result in behaviour and cultural change. Only by making training personal, relevant, and ongoing will cultural change be achieved.

  • Be patient – changing an organisation’s culture takes time and effort. Consider a phased rollout, cover any urgent requirements first, then reflect and refine the programme over time.

In summary

Like health and safety and financial regulation compliance, GDPR compliance needs to be understood and actioned by everyone in an organisation. This is achieved by developing training programmes that consider how data protection and privacy impact an individual’s role and creating learning that is relevant to them personally.

To find out more about data protection and privacy law training, please email us at or call 0370 04 27701.
