Data privacy awareness training is stipulated in Articles 39, 47 and 70 of the GDPR and in the recitals of the newer (post-Brexit) GDPR-UK regulation. California legislation also requires it under the CCPA/CPRA acts of 2020/21, while HIPAA includes training requirements under 45 CFR § 164.530(b)(1) of the Privacy Rule. In short, staff involved in any customer or health personal data processing activity are expected to be trained, at a minimum on a yearly basis, on their compliance obligations and on privacy risks.
In addition to these regulatory requirements, privacy training is also required as a matter of common practice in the following cases:
- After a suspected / confirmed data privacy breach
- Onboarding of new hires (HR Process)
- For staff supporting high risk personal data processing operations
- For data protection officers, privacy managers, compliance staff
- To meet audit objectives & regulatory requests for proof of training
- For ISO27k / SOC2 certification as proof of compliance
The company's management is expected to ensure that awareness training is conducted regularly to meet compliance objectives.
If training is not conducted on a regular basis, regulators will take this into account when assessing the severity of a fine in the event of a breach, and a lack of awareness also makes a costly breach considerably more likely in the first place.