Data privacy awareness training is stipulated in articles 39, 47 and 70 of the GDPR and in the recitals of the newer (post-Brexit) GDPR-UK regulation. Staff involved in any customer data processing activities are expected to be trained at least yearly on compliance obligations and privacy risks.
In addition to the regulatory requirement, privacy training is also recommended as a matter of common practice in the following cases:
- After a suspected or confirmed data privacy breach
- Onboarding of new hires (HR Process)
- In response to current threat levels (e.g. Ransomware)
- As a customer assurance measure
- To meet audit objectives & regulatory requests for proof of training
- For ISO27k / SOC2 certification as proof of compliance
In all cases, training is expected to be administered by a suitably experienced data privacy professional, who may be the DPO or an external party. The company board is expected to ensure that awareness training is conducted regularly.
If training is not conducted on a regular basis, regulators will take this into account when assessing the severity of a fine following a breach. There is also a much greater chance of a costly breach caused by a lack of awareness.