Training of staff is going to be a vital investment to ensure compliance with the GDPR for many organisations, although it can also be a significant cost. It is therefore essential to make sure your organisation has a training solution that is right for them.
Following on from our first blog on data protection training, this focuses on helping to ensure you get value for money.
How Do I Chose the Best Training Option for my Organisation?
Successful data protection training programmes rely on accurately analysing and identifying the training needs of your organisation. These can be complex when implementing programmes such as those for compliance with GDPR as it can potentially involve large numbers of staff who are going to be affected by the legislation in many different ways. The points below provide an overview of the points you may wish to consider when choosing the training solution that is going to best for your organisation.
What data protection tasks require completion?
It is vital to consider this in stages, starting with preparations for the implementation of the GDPR, followed by maintenance and ongoing compliance. Are you going to require staff to develop a compliance programme, and interpret and apply the legislation within the context of the organisation? If so, any members of staff tasked with this are likely to require a considerably higher level of competence than a member of staff tasked with basic maintenance tasks once the legislation is in place. Similarly, if ongoing compliance tasks are likely to have a high degree of complexity or involving processing Special Categories of data, this should also be taken into consideration.
What is the current skills gap?
This is a fundamental consideration when considering what data protection training and support is required as you need to understand what gaps in competence require managing by a training programme. Do staff already have a good working knowledge of the DPA 1998? If so, the training may simply address the differences between existing and new legislation. If staff have very little knowledge, more detailed training to help them understand why compliance is important may be beneficial.
You should also think about the processing activities staff will undertake. Having a basic knowledge of data protection legislation may be appropriate for someone undertaking simple, basic and routine tasks involving personal data. However, it would not be an appropriate level for someone undertaking more difficult or complex processing operations, for example staff in the HR department.
To what extent will staff need to apply their knowledge?
Are business processes routine, simple and supported by tools such as IT software that limit errors? Staff engaged in this type of processing are likely to require a lower level of competence than staff involved in complex, bespoke and highly manual processing of personal information.
What are the risks associated with processing activities?
This should consider the frequency, complexity, and volume of personal information together whether it is inherently higher risk, for example, the information includes Special Categories of personal data or detailed financial information. It may also be worthwhile to conduct a data protection impact assessment for some of the highest risk processes if this hasn’t been completed previously as there may be alternative solutions to training. For example, there may be options to automate highly complex, high risk processing through systems development rather than developing data protection training for a manual process.
What ongoing support will staff have available to them in the workplace?
Once staff have undertaken training, what support will be available to them to help integrate data protection competencies into their role and make sure staff understand how to apply their knowledge in a relevant context?
How are you going to maintain levels of competence?
It is essential to maintain the levels of competence required for compliance and this is likely to require a comprehensive monitoring programme together with refresher training. The required frequency is likely to depend upon roles as well as risks associated with processing operations they undertake.
Tkm Can Help
Tkm offers a range of training solutions and can also help with conducting a training needs analysis. To discuss the options available for your organisation, including accredited foundation and practitioner qualifications, please contact us.