How frequent should GDPR training be?

This is a question that is frequently put to Google. There is no definitive answer; we offer our opinion and suggestions below.

Firstly, it is essential that all staff understand the importance of privacy and data protection, and what they need to do, personally and as a member of the organisation, to keep information confidential. This includes understanding which legal basis for processing applies to each activity they undertake, the rules on consent and opting in or out, and what to do if a data breach is suspected.

Where staff are involved in marketing, promotion and website design they also need a robust understanding of the PECR (Privacy and Electronic Communications Regulations). Many are totally unaware of these regulations, which may go some way to explaining why, at the time of writing, over 90% of fines issued by the ICO were for breaches of the PECR. Concrew Training offers training on the PECR.

Back to the main question: how often should data protection training (GDPR and, where applicable, PECR) be completed?


Assess Data Protection Risks

The frequency, type and quality of training are best established through risk assessment.

Those in high-risk areas, for example staff who work with sensitive personal data on a daily basis, will need higher quality and more frequent training than those who have little or no contact with personal data. Similarly, where the organisation or sector has a history of breaches, the risk is deemed higher and more frequent, higher quality training is needed.

Additionally, data protection audits can help inform the risk assessment. Audits may be as simple as walking round the premises two or three times on different days and at different times and noting how many papers are left insecure (on desks, in open filing trays, in the rubbish bins) and how many secure doors and cupboards are left unlocked. Be prepared to be shocked.

It is also worth considering how the organisation's policies and procedures are actually implemented. Many organisations spend significant amounts of time and money writing robust policies and procedures, but when they reach operational management they are merely filed away, with at best a skim read beforehand. They are not trained out to staff, compliance is not enforced and consequently they cease to be effective.

This is especially true of data protection policies. Can you evidence that each member of staff has read and understood the policies, and the date on which they last confirmed this? If you cannot, the risk rating increases.

Finally, it is important to consider job roles. Data protection officers will need in-depth training on GDPR and PECR; Concrew Training's one-day courses are usually sufficient. Managers need a more robust understanding than staff but less than data protection officers; Concrew Training's half-day courses may be appropriate here.

Quality vs Quantity vs Effectiveness

It is not just the frequency of the training that is important, but also its effectiveness. That is to say, has the training delivered the safeguards expected? The breaches that hit the headlines tend to involve large-scale hacking, phishing and security failures, yet the vast majority of breaches are the result of human error: an employee didn't understand, forgot or simply ignored company procedures.

For example, most schools require all staff to complete a raft of online eLearning courses every September: Data Protection, Prevent, Keeping Children Safe, Safeguarding, Health and Safety, and so on. Staff often see these as a chore; they skip through to the end as fast as the system allows and guess at the test questions until they "pass". Staff are "trained" and the training is evidenced, but have the staff learned anything? Has it been effective? In most cases, the most casual of audits will suggest not.

The effectiveness of learning has to be evaluated by audit or review of actual performance. The quality, frequency and nature of the training then need to be adjusted to ensure robust learning. Where issues and risks are identified, performance management issues may be present too. Where line management's regard for data protection is overly lax, the effectiveness of the training is undermined.

Different people learn in different ways, and different levels of understanding are required too. Concrew Training recommends a varied approach to data protection training, complemented by robust performance management and coupled with ongoing development, to ensure organisational needs are met.


Minimum data protection training frequency and approach

These are our suggested minimums.

All Staff – Induction Period and Annually Thereafter
  • Re-reading organisational policies and procedures
  • Completing eLearning modules
  • Watching video presentations by senior leaders/data protection officers
  • Participating in live online training sessions – Concrew Training's one-hour live online sessions are ideal
  • Audits of actual performance by line management

Managers – As Above and Additionally Every Two Years

In addition to the above, we would recommend that the management and leadership team undertake more detailed refresher training, face to face or live via video conferencing, within 12 months of starting and every two years thereafter. Concrew Training's short and full-day courses are appropriate.

When new managers are appointed they should receive induction training from the DPO (data protection officer) and/or attend suitable third party training such as that mentioned above.


Data Protection Officers – Induction and Every Two Years

Data protection officers should familiarise themselves with the organisation's policies, procedures and approach to training when first appointed, and attend high quality refresher training as soon as possible. They should then attend third-party refresher/update training every two years, or sooner as new developments arise.

Higher risk environments will require increased training frequency.


The importance of evidencing training completion

In the event of a breach or other issue, the organisation needs to be able to evidence that it took reasonable steps to prevent the problem occurring. This means that, for each activity, the organisation must be able to evidence that each member of staff has received and understood the relevant training.

Concrew Training's full-day courses on GDPR and PECR are considered appropriate.

Download this free guide as a PDF document:

GDPR – Training Frequency
