Data protection training

Data Protection Training for GDPR – Getting it Right First Time – Part 2

Effective data protection training will continue to be essential to ensure compliance with data protection legislation.

Training of staff is going to be a vital investment to ensure compliance with the GDPR for many organisations, although it can also be a significant cost.  It is therefore essential to make sure your organisation has a training solution that is right for it.

Following on from our first blog on data protection training, this post focuses on helping to ensure you get value for money.

How Do I Choose the Best Training Option for my Organisation?

Successful data protection training programmes rely on accurately analysing and identifying the training needs of your organisation.  These can be complex when implementing programmes such as those for compliance with GDPR, as they can potentially involve large numbers of staff who are going to be affected by the legislation in many different ways.  The points below provide an overview of what you may wish to consider when choosing the training solution that is going to be best for your organisation.

What data protection tasks require completion? 

It is vital to consider this in stages, starting with preparations for the implementation of the GDPR, followed by maintenance and ongoing compliance.  Are you going to require staff to develop a compliance programme, and interpret and apply the legislation within the context of the organisation?  If so, any members of staff tasked with this are likely to require a considerably higher level of competence than a member of staff tasked with basic maintenance tasks once the legislation is in place.  Similarly, if ongoing compliance tasks are likely to have a high degree of complexity or involve processing Special Categories of data, this should also be taken into consideration.

What is the current skills gap?   

This is a fundamental consideration when deciding what data protection training and support is required, as you need to understand what gaps in competence require managing by a training programme.  Do staff already have a good working knowledge of the DPA 1998?  If so, the training may simply address the differences between existing and new legislation.  If staff have very little knowledge, more detailed training to help them understand why compliance is important may be beneficial.

You should also think about the processing activities staff will undertake.  Having a basic knowledge of data protection legislation may be appropriate for someone undertaking simple, basic and routine tasks involving personal data.  However, it would not be an appropriate level for someone undertaking more difficult or complex processing operations, for example staff in the HR department.

To what extent will staff need to apply their knowledge?

Are business processes routine, simple and supported by tools such as IT software that limit errors?  Staff engaged in this type of processing are likely to require a lower level of competence than staff involved in complex, bespoke and highly manual processing of personal information.

It is essential to consider risk when identifying appropriate training for staff.
A successful training programme should manage key organisational risks.

What are the risks associated with processing activities?

This should consider the frequency, complexity, and volume of personal information together with whether it is inherently higher risk, for example, where the information includes Special Categories of personal data or detailed financial information.  It may also be worthwhile to conduct a data protection impact assessment for some of the highest risk processes if this hasn’t been completed previously, as there may be alternative solutions to training.  For example, there may be options to automate highly complex, high risk processing through systems development rather than developing data protection training for a manual process.

What ongoing support will staff have available to them in the workplace?

Once staff have undertaken training, what support will be available to them to help integrate data protection competencies into their role and make sure staff understand how to apply their knowledge in a relevant context?

How are you going to maintain levels of competence?

It is essential to maintain the levels of competence required for compliance and this is likely to require a comprehensive monitoring programme together with refresher training.  The required frequency is likely to depend upon staff roles as well as the risks associated with the processing operations they undertake.

Tkm Can Help

Tkm offers a range of training solutions and can also help with conducting a training needs analysis.  To discuss the options available for your organisation, including accredited foundation and practitioner qualifications, please contact us.

 


Data Protection Training for GDPR – Getting it Right First Time – Part 1


Data protection training is going to be an essential part of preparing for compliance with the General Data Protection Regulation (GDPR).   Time is already becoming limited to develop and implement a comprehensive training programme to enable compliance with the GDPR.  Furthermore, some evidence suggests that there will be a significant skills shortage and therefore the competencies required to comply with the legislation should be identified as soon as possible.  Tkm can help with every stage of training planning and delivery with further information provided at the end of the blog.

Training for staff is not a new requirement to comply with data protection laws.  The ICO considers training to be an “appropriate organisational measure” under Principle 7 of the Data Protection Act 1998 (DPA 1998), and it is likely that the GDPR will reinforce and strengthen this requirement.

As discussed in a previous blog, the Data Protection Article 29 Working Party’s guidance on the role of Data Protection Officer (DPO) discusses competencies being commensurate with the risks associated with processing.  This is likely to be a useful approach when determining all training needs of your organisation and not just those of the DPO.

It is important to ensure that your training programme delivers the best value for money.  In this context, for most organisations, this means that any investment in training facilitates sustainable, long term compliance with the GDPR.  Data protection training should also deliver against relevant corporate objectives.

The success of training programmes is generally determined by the extent to which training needs are accurately identified.  Once identified, the next step is to develop or acquire a solution that has the best fit with those needs.  This blog covers the options available and key points to consider when deciding what training would offer best value for money to your organisation.

Organisations need to start their preparations for the GDPR including data protection training programmes.

What Data Protection Training Solutions are Available?

There are a number of different options to consider when looking for the best training solution for your organisation.  These depend upon the format and content of the training, as well as the method of delivery.

Format and Content of Training

Accredited Data Protection Qualifications

There are accredited data protection qualifications, although it is important to check which body is accrediting the training.  It should be an organisation that is recognised as a provider of qualifications, which you should be able to check through the accreditors’ websites.  Qualifications generally provide an assurance of consistency of what is going to be covered, with those completing them reaching a demonstrable level of competence.  Some providers also offer flexible learning options.  It is not always possible to customise accredited qualifications, particularly for intensive courses; therefore those attending need to be capable of applying the relevant knowledge to their own working environments on completion.

Customised Training

Customised training does not usually have accreditation, although it can often significantly aid implementation and integration of learning points into business processes.  Training providers will often develop customised training in consultation with their clients.  There is therefore likely to be an opportunity to influence the content to match your organisation’s specific training requirements.  You may find that some training providers can offer a qualification that is customised to meet the needs of your organisation.

Method of Training Delivery

In house Training

The availability of this option is likely to be determined by available budget.  In house training can be cost prohibitive for smaller organisations, although it is worth considering and investigating for organisations of any size.  The main advantage of in house training is that there can usually be more of a focus on the organisation, for example during discussions on application, particularly around sensitive business areas.  These types of topic may not be discussed at a course with general attendance.  There is also typically more flexibility about how and when the training is provided.

Course Attendance

There are a number of options for data protection training.

There are a number of different types of attended training, seminars and conferences available that focus on GDPR.  Whichever option you choose, you need to be confident it will be of benefit to attend.  Part 2 of our blog will look at this in more detail.  In the meantime, some key points to consider are:

  • Is the training accredited by a recognised qualifications body?  This is likely to be particularly important if you are looking for attendance to demonstrate competence.
  • Is the event going to focus on areas that are important to your organisation? The GDPR contains a number of new legal requirements and they may not all be relevant to your organisation.
  • Which staff will be attending?  Senior managers are more likely to require events that focus on implications of the legislation.   Those responsible for practical implementation may need more detail that they can apply in their own working environment.
  • Consider knowledge and competencies.  There are some excellent seminars and conferences being publicised.   However, it is unlikely to represent value for money to attend an event that covers the theoretical side of the legislation if those attending have no competencies in interpretation and application. There are also some great events on relevant topics such as information security.   These are unlikely to be of benefit to those attending if they don’t have at least a background knowledge of the topic being covered.

Tkm Can Help Plan, Prepare and Deliver Your Training

Tkm is highly experienced and has developed and delivered data protection training programmes for a wide range of clients.  Able to deliver both accredited qualifications and customised training, Tkm can help from the beginning of the planning process.  Services include training needs analysis as well as all aspects of data protection training programme development and delivery.  Tkm can help to ensure your organisation gets best value for money for your investment in training staff.  New, accredited qualifications in data protection are planned for later in 2017.  Further details will be added to our data protection training page.

Please contact us to discuss your training requirements.