The General Data Protection Regulation came into effect 2 months ago and making sure staff are appropriately trained is essential. The UK Information Commissioner Elizabeth Denham talked about creating a culture of data protection which “pervades the whole organisation.” This is expected under GDPR.

Data protection experts have continuously emphasized that staff training as an essential part of GDPR compliance. Nicola McKilligan-Regan, a senior partner at Privacy Partnership has stressed that training should be the top priority for organisations on their GDPR Checklist. “If you do nothing else, train your staff. If you have an informed work-force it will reduce your risk.”


Not only does training staff reduce the risk of breaches, it also demonstrates compliance with GDPR. For example, if an organisation was to experience a data breach and they had documented your staff training, this would be used as evidence to prove that they had taken the appropriate steps to prevent a data breach and were taking the regulation seriously.

Of course, all staff members are not required to have a detailed knowledge of the full legislation like a compliance officer would, but a good start would be to ensure all staff are aware of GDPR and the issues of data protection. Under Article 39 of the GDPR, it outlines that staff awareness raising and training is required.

Yet, although staff need to have a broad understanding of the legislation, it is important to note that each company will have different requirements. For example, the use of passwords; ensuring passwords used at work are different from those used on private social media networks – or policy regarding the destruction of data when it is no longer used.

Reducing human error

It is important that once training has taken place that staff feel empowered and comfortable with reporting anything that they feel compromises data protection, privacy and security of customers, clients, supporters and employees. Systems should be in place to encourage staff to bring up any potential issues with those in charge of compliance.  They should also be able to report anything without fear of any personal repercussions.

To make sure staff understand and have the right knowledge of the legislation, it is advised that organisations have face to face methods as part of their training. Initial online training can be done, but it is also advised to at least have a follow up of face to face training. This will allow staff to ask any questions they have and to run through any specific scenarios to your own organisation.


One of the changes from the Data Protection Act is Subject Access Requests. Staff are fundamental in ensuring SARs are complete in time. They should be trained on how to spot a SARs as they could come via an email, telephone conversation, letter, the website etc. as they may not clearly be stated as one. They should then understand what to do with them, which requires a process to be put in place.


While the ICO has explained that they do not expect all organisations to be fully compliant by the deadline, organisations should currently be working towards this. This includes staff understanding what it means, their responsibilities and what they should do if they believe data is being compromised.

For more information on staff training, visit Data Protection Professionals