How Much to Train Staff on GDPR?

Published on Jan 27, 2022

Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, independent supervisory bodies in the UK and EU have issued over 800 monetary penalties for breaching the regulations. Some of these fines involve eye-watering amounts. In July 2021, Amazon was fined €746 million by the Luxembourg data protection authority, known as the Commission Nationale pour la Protection des Données (CNPD). A few months later, the Irish Data Protection Commission awarded a €225 million GDPR penalty to Meta's WhatsApp over a lack of transparency. Both of these cases are currently under appeal. In the UK, the Information Commissioner's Office fined British Airways £20 million over inadequate data security measures, which failed to prevent a data breach in 2018 and compromised its customers' personal details.

While it's always the high profile penalties that make the headlines, 412 GDPR enforcement notices were issued in 2021, with the total amount of fines reaching €1.1 billion for the first time. The trend is set to continue along the same upward trajectory in 2022, with data protection authorities in the UK and across Europe stepping up their enforcement activities.

The reality is that most monetary penalties can be avoided where an appropriate data protection training programme is implemented. Furthermore, as the public expresses a clear interest in protecting their privacy and wants more control over how their data is used, many organisations are asking the question, "how much privacy and data protection training do my employees need"?

The current figures regarding privacy training spend

According to the IAPP-EY Annual Privacy Governance Report 2021:

  • Only 51% of international corporations rate themselves fully or very compliant with the GDPR. This figure rises to 63% of businesses with headquarters in Europe or the UK.
  • 45% of privacy professionals at the director level or higher expect to employ more privacy personnel within the next six months, and almost three quarters (74%) plan to recruit for one or two positions.
  • Since 2019 the average privacy budget for organisations has increased from $622k (£457k) to $873k (£642k).
  • Organisations surveyed allocated 6% of their budget for employee privacy awareness training and a further 5% on the professional development of privacy compliance teams.
  • Over half (60%) expect their privacy budgets to increase over the next 12 months, and 38% of that increase will be spent on privacy training.

One reason the increase in privacy training will be needed over the next 12 months is the dramatic shift to homeworking and the risks to data protection this workplace transformation brings.

How Remote Working Has Increased The Importance of GDPR Training

Businesses were forced to adapt quickly to the COVID-19 pandemic, which meant remote working became the norm for millions of people. Despite this dramatic change, both employers and employees saw many advantages to working from home.

However, details from the IBM 2021 Cost of a Data Breach Report indicate the rapid shift to remote operations came at the expense of privacy and security considerations, which have lagged behind, leading to more expensive data breaches.

Today, the endpoint devices connected to a network (smartphones, computers, printers, surveillance cameras, etc.) are no longer exclusively inside the organisation; they are also in employee's home, which is almost always less secure than an office environment. According to the Ponemon Institute 2022 Cost of Insider Threats Global Report , a 44% increase in the total number of incidents is related to the shift to home-working, with negligence and human error indicated as the leading cause. Looking at statistics like these, it is clear data protection training is more important than ever.

The ICO has provided a security checklist for organisations with employees working from home. While these provide the practical requirements for mitigating risks associated with GDPR compliance, only an ongoing, robust data protection training programme aimed at all employees will ensure GDPR compliance becomes part of your organisation's culture both in and out of the office.

Employee privacy awareness training

As we discussed previously, workplace training is essential when developing a culture of privacy within a group. However, the success of any cultural awareness programme is heavily dependent on GDPR compliance being viewed as a core value that senior management is fully invested in. Furthermore, organisations need to implement a robust governance structure led by a Data Protection Officer (DPO) or lead.

With the foundations in place, all employees involved in the processing of personal data should receive regular awareness training. This should be carried out annually, at a minimum, and clearly outline internal policy guidelines, ethical standards, and meet the legal obligations of the GDPR. Training can take place online or be delivered in person by an instructor, but it should always include a test and a record of completion.

Members of staff who regularly handle customer and employee data will also require additional role-based training. Some of these individuals may also be suitable for roles as privacy champions or privacy technologists.

The professional development of privacy compliance teams

No individual or organisation has an unlimited training budget. That’s why it’s imperative to choose wisely when selecting a professional qualification and training provider. But how do you know if you are investing in the right GDPR Certification?

First of all, always choose industry qualifications from recognised independent examination providers. Most well-respected professional certifications are developed by organisations that go to great lengths to ensure their independence. This means that the method of certification is separate from the education and training process.

In terms of the content, a 2019 research paper analysed the needs and scope of GDPR training and led to the authors developing the following checklist for what good data protection training looks like.

An example of the content contained in a high-quality training programme includes:

  • An introduction to the GDPR regime.
  • The purposes and legal grounds for processing data.
  • The rights of a data subject.
  • The responsibilities of data controllers and processors.
  • The role of a Data Protection Officer.
  • The roles of the supervising authority (in the UK this refers to the ICO).
  • Data protection in practice (including technical and organisational measures).
  • Risk management in the GDPR context.
  • Data Protection Impact Assessments.
  • Data protection communication.
  • International transfers for personal data.
  • GDPR-related laws and special provisions.

Training should also be customisable, focused on long-term applicability, regularly updated, interactive, and delivered by a subject matter expert. It should also fully prepare attendees to sit accreditation exams.

In summary

The IAPP-EY Annual Privacy Governance Report 2021 shows that a majority of organisations are planning to increase their privacy personnel over the next 12 months. Furthermore, over a third plan to spend more money on privacy training. Increased training will help mitigate the risks of external and internal data breaches, the latter is now more of an increased risk due to the shift to remote working.

By carefully choosing your GDPR training provider, you can have confidence that your investment in data protection and privacy training will increase customer trust and strengthen your brand.

To find out more about data protection and privacy management training, email or call our team on 0370 04 27701 today.

Click your chosen course below to see our next available courses dates