Should all staff be trained in GDPR?

Share Post:

Should all staff be trained in GDPR- PropelFWD
Table of Contents
    Add a header to begin generating the table of contents

    The Principle seven of the General data protection regulation (GDPR) is;

    7. Accountability

    “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

    Article 5.2 GDPR

    There are two key points in the accountability principle and these are that you must be responsible and comply with the GDPR and you are required to demonstrate how you comply.

    To demonstrate your compliance you will need to:

    1. keep evidence of how you comply with the GDPR
    2. ensure your Privacy Policy is GDPR compliant
    3. train staff in data protection awareness
    4. have a data protection policy in place if applicable
    5. use data protection by design approach- implementing the best data protection methods throughout your processing operations
    6. implement the appropriate security measures
    7. record and report any personal data breaches if they occur
    8. appoint a data protection officer if required

    What is GDPR 39?

    Article 39 GDPR outlines the tasks of the Data Protection Officer, part of which is data protection awareness-raising and training of staff involved in processing operations, and the related audits. This places the responsibility for training staff on data protection awareness at the doorstep of the DPO.

    A good data protection compliance programme is no good without data protection training. Putting in place policies and procedures is no good if your staff are not aware of them and do not know what they mean or what to do in the event of a data breach or subject access request.

    I have read and said countless times during training courses, your staff are the front line of defence against a data protection breach.

    Being accountable to the law says you have to ‘Demonstrate’ compliance. Training your staff is demonstrating compliance and is the first step toward a good data governance structure in your organisation.

    Who needs GDPR training?

    This is a simple question to answer – EVERYBODY IN YOUR ORGANISATION. That sounds very easy to do, well it is. Start with any members of staff who handles personal data on a regular basis as part of their role. Any members of staff who are customer-facing should also receive such training.

    Staff training should be part of the organisation’s training strategy and a commitment to training employees in line with the information commissioner’s office guidance.

    Introduce a training program that covers the basics of the data protection principles, data subject rights, protecting personal data and the responsibilities of data protection. There are different methods of training available to you.

    Online GDPR training courses.

    These online training courses are the most popular. Propelfwd can customise these to the business, brand them and put business sector relevant examples into the course that will give ownership of the course to your staff.

    The initial course will take approximately one hour to complete but can be taken in small time slots.

    Once completed successfully, the candidate receives a CPD certificate of achievement.

    What you get to show accountability is a full training lof of your staff, when they took the course, what score they achieved on the knowledge check and when they are due a refresher training. You can also show a consistent training program across all your staff, what content is offered and how it is provided if you are audited by a Regulator.

    Propelfwd monitors all training on your behalf and assists your staff if they have any questions during the course. No other consultancy service in the Channel Islands provides this level of service.

    In-Person Training

    This type of training is good in certain circumstances. It gives you the opportunity to get your team together and train everyone at once, getting it over with. What it does not do is provide you with the reassurance of each member’s understanding of the content of the delivered material, unless you had provided a written knowledge check.

    You also lose the time your staff should be doing their normal duties. An in-person data protection course will take an hour to an hour and a half to deliver. Depending on the person delivering the material will totally depend on the amount of knowledge retention gained by your team. It is a hard subject to get across in a classroom environment, in an hour.

    How often is GDPR training required?

    his is an annual requirement that shows commitment by the data controller to comply with the data protection law. The initial course will be more in-depth, followed by an annual refresher GDPR training course.

    GDPR awareness training and GDPR refresher training build the organisation’s training programme and accountability framework.


    Data protection training is a vital part of any data protection compliance project. To be compliant with the data protection Act, GDPT or any other legislation you have to comply with, you must train your staff. Without staff training, compliance will not work.

    The team at Proplefwd are experts at putting together online training courses, branded to your company, that gives real ownership to your employees. The courses are monitored by the team at Propelfwd, who keeps a full record on your behalf.

    The team are available to assist your staff with questions when they are doing the course, with the aim of getting everyone through it.

    This effective training is an excellent method to show accountability, compliance and commitment o the data protection law.

    Contact us today to make sure your staff are compliant with data protection regulations.

    Scroll to Top