Do your staff need data protection training?

Around 80% of data security incidents are caused by staff error, so appropriate employee training is crucial to your data security policy.

Serious data breaches expose businesses to huge fines, as well as reputational costs.

But how can you implement an effective programme in your growing business?

What is the GDPR?

The General Data Protection Regulation (GDPR) is Europe’s cornerstone data protection law. Understanding the GDPR and how it is enforced is key for businesses around the world.
The Regulation introduced concepts such as ‘ data protection by design’, data portability, personal data breach notification and accountability (to mention just a few).

What about Brexit?

The UK has left the EU, meaning that from 1 January 2021 the GDPR no longer applies directly in the UK. However, the GDPR has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. This new regime is known as ‘the UK GDPR’.

So in practice, UK organisations operating in the UK only must still comply with GDPR requirements, as the UK GDPR regime applies to them.

In addition, the GDPR:

  • Covers all the European Union member states;
  • Applies to all companies operating in the EU and those with EU citizens as customers; and
  • Has an extraterritorial effect, so organisations in non-EU countries may also need to comply.

So UK companies continuing to do business with the EU after Brexit still need to comply with the GDPR to avoid infringements.

Does the GDPR require employee training?

Basic training around the principles of the GDPR needs to be specific to the organisation concerned.

Businesses can help their employees comply with the GDPR and protect themselves against breaches by developing a comprehensive communication and training strategy. The GDPR requires companies to train staff on how to handle personal data.

The purpose of training is to maintain compliance with the GDPR. Your employees need to understand how, and where, the data flows throughout your business. They should know where the risks lie and what their individual responsibilities are. Through effective training you can encourage a culture of data protection.

Is the GDPR training a legal requirement?

The Information Commissioner’s Office (ICO), the UK’s data protection authority, explains that staff must be trained, and regularly.

The ICO states: “The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so”.

Ensuring that your employees follow best practice in terms of protecting personal data is a mandatory legal requirement. It is not optional. Currently there are no ICO-approved GDPR certification schemes in operation, so organisations must use their own judgement in choosing or designing suitable data protection training.

Why is training important?

The GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. So it’s vitally important you train your staff to minimise the risk of breaches of data protection law.

What should training include?

The GDPR and data protection should be part of the induction process for all new employees, and updated on a regular basis. We’d recommend at least annually. Staff awareness training shouldn’t just be a ‘tickbox exercise’. It should be an ongoing process that forms part of your company’s culture.

The GDPR sets out seven key principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability.

You should train your staff on all aspects of the GDPR. So that includes:

  • Understanding consent and alternative lawful bases;
  • What you can and can’t do with data;
  • How long you can keep data;
  • What information to provide in a data access request; and
  • What to do in the event of a data breach.

Most staff will need to have a basic understanding of the principles, but some employees will need more training than others. There isn’t a ‘one-size-fits-all’ approach for staff awareness training.

Who needs training?

Certain members of staff will require a higher level of training. Training will be most effective when it is role-based, and focused on the specific requirements of an employee’s job. For example, your marketing team needs to understand the rules around consent, the IT team needs to know about encryption rules and keeping data safe.

Try to contextualise your training sessions, so that each employee remembers the training ‘in real life’. Recommended methods include case study simulations, e-learning courses for interactive classes, posters with visual guides, and easily accessible email updates on policies.

It’s crucial you maintain decent records of all training sessions given to staff i.e. time, date and any absences. You might need the documentation if your business is ever investigated.


Key takeaway: Data protection staff training isn’t optional. Under the GDPR, serious data breaches expose businesses to huge fines, as well as reputational costs. Don’t risk it. The right training programme could equip you staff to make informed decisions.

To discuss data protection training in your business, please contact Oran Kiazim, Antoine Piquet or Clara Clark Nevola in our DP & Privacy team or Stephanie Creed in our Employment team.

Cookie consent
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.