Published on Feb 25, 2021
Since the GDPR was introduced in May 2018, the majority of people who deal with personal data have had some form of general GDPR training. Most in-house training covers the changes brought in by the new regulations, the GDPR principles, how to ensure compliance, and the consequences of a breach occurring. However, as the GDPR has embedded itself into data compliance culture over the past two and a half years, many organisations have neglected ongoing training. For all sectors, including manufacturing, professional services, finance, construction, and agriculture (to name but a few), ongoing data protection training is not only essential to avoid regulatory sanctions but also to secure the competitive advantage that comes with gaining and retaining client trust concerning the handling of personal data.
While limited in scope, research published by the Direct Marketing Association (DMA) in November 2019 highlights that GDPR training is not being delivered frequently enough or with the necessary relevance for specific roles. The survey revealed that 21% of respondents felt they had not received enough GDPR training, and a further 14% were unsure whether they had. Another 25% actively asked for more training opportunities, and 18% felt the training could be more targeted towards their roles. A further 15% said training courses should be more practical, and 12% wanted to see case studies.
The consequences of data breaches have been illustrated by some high-profile cases. In October 2020, the German regulator fined the retailer H&M over €35.2 million for wrongful monitoring of its employees. In the same month, British Airways was hit with a £20 million fine for failing to protect the personal and financial details of more than 400,000 of its customers. This was considerably lower than the initial £183.39 million fine that the ICO had announced it intended to impose. Likewise, Marriott International Inc avoided a colossal £99.2 million fine and was instead ordered to pay £18.4 million. However, although the fines were less than anticipated, all the aforementioned companies would have incurred significant legal costs, not to mention the damaging media exposure generated by the breach and the subsequent investigation.
The ICO made clear when delivering its penalty to Marriott International Inc that proper training and resourcing to protect against sophisticated data attacks is imperative.
The potential non-financial damage a high-profile data breach can cause, such as a fall in share price, lost consumer confidence, and loss of tendering opportunities should be enough to illustrate how vital data protection training is. But there is another, positive argument that is often neglected – strong GDPR compliance relates directly to a company’s revenue and profit.
For many companies, especially those in the service industry, data is a valuable asset. For example, supermarket loyalty cards are used to build up a demographic profile of their customers, ascertain their loyalty to a particular brand, and analyse what they buy and how much they spend. All this is done by collecting personal information from data subjects.
People are now well aware of how Big Tech tracks them across the Internet, collecting streams of data to target advertisements. Despite the Cambridge Analytica scandal, the large GDPR fine handed out to Google (£44 million), and the news that Facebook has reportedly set aside €302 million to cover “regulatory compliance matters”, research shows that people in 2019 were more willing to exchange personal data for personalised products and services than they were in 2015, when most people had little idea that data protection and privacy were a concern.
Because data is so valuable and people are more than willing to provide it, businesses must protect their reputation for robust GDPR compliance and ensure their staff receive relevant ongoing GDPR training, including data security. Losing public trust regarding the principles of data protection is remarkably easy to do and something no company can afford if it wants to compete in the modern economy.
Although the GDPR makes several references to training and education, it does not list training as a core requirement. Article 38(2) outlines how the Controller must provide the data protection officer (DPO) with resources "to maintain his or her expert knowledge." Furthermore, Article 39(b) lists "awareness-raising and training of staff involved in processing operations" as a DPO task.
The ICO also highlights the importance of "embedding systematic and demonstrable compliance across your organisation" to satisfy Article 5(2) (the accountability principle).
These references show that organisations holding and processing personal data are expected to ensure their staff have the knowledge and resources to meet GDPR compliance. It should also be noted that if the ICO is notified of a breach, one of the first matters it will investigate is the frequency, competency, and relevance of the training provided.
It is vital that GDPR training is not considered a ‘tick-box’ compliance matter. To protect your organisation, training must:
Businesses should be actively providing training in the form of:
GDPR training is essential for the following teams:
Organisations that commit to a training program that encompasses multiple learning mechanisms and is bespoke to not only departments but individual employees’ roles gain a crucial competitive advantage in terms of consumer trust and engagement.
In a digital economy, GDPR and privacy training should be viewed as an investment rather than a cost. Data protection regulatory compliance ensures current and future consumers trust an organisation with their personal information, resulting in them being more willing to share it. In turn, businesses will have access to the product preferences and customer knowledge needed to target product/service innovation and marketing campaigns.
From 1 January 2020, when the EU–UK Brexit transition period ended, Britain has had its own GDPR, referred to as the UK GDPR. The European Union’s GDPR is referred to as the EU GDPR by UK regulators. Due to the similarities between the two regulations, this article simply refers to the ‘GDPR’.