Is digital data protection training enough?

In July this year, the Information Commissioner’s Office fined Mermaids, a charity offering help and guidance to transgender children, £25,000 for a breach that left the personal data of 550 people searchable online. This information consisted of 780 pages of confidential emails which included names, email addresses, physical and mental health records, and notes on sexual orientation, spanning back to 2016.

In their official statement, the ICO concluded that there was “a lack of adequate training, including face-to-face training on data protection” and that the “on-going contraventions were not identified by anyone at Mermaids during the period of operation of the insecure email system, which demonstrates that the training was inadequate and / or ineffective”. This scathing review of the organisation’s data protection training regime, particularly their comment about ‘face-to-face training’, led us to wonder: is digital training enough?

ICO Guidance

Aside from its comments on Mermaids’  training practices, the ICO has made clear in its guidance that organisations must provide their staff with both national and sector specific training on data protection. It has suggested that all members of staff should complete basic training on several key areas, including handling data subject rights requests, data sharing, information security, records management, and personal data breaches. In its “Findings from ICO consensual data protection audits and follow-up audit of police forces” report, it highlights that there should be comprehensive “data protection training programmes” to ensure that all staff understand their obligations under the relevant legislation.

The ICO has also recommended that organisations have dedicated resources available to deliver training to staff. This training should also be regularly reviewed to ensure that it is up to date with the current rules and guidelines and should be approved by an organisation’s Data Protection Officer (DPO) or governance manager.

Since the ICO has been clear that training is essential for compliance, the question becomes which type of training is the most effective? Since the start of the pandemic, we have seen a shift to online spaces, including for training. But is digital training enough to ensure compliance with data protection laws? Short answer, probably not.

Problems with digital training

Although digital training seems like an easy and quick solution to training your staff, it has many problems compared to in person face-to-face training sessions. In the aforementioned report on police forces, the ICO found that several forces relied on e-learning courses to train their staff on information management. However, the regulator concluded that this training was not sufficiently detailed for the staff that process personal data regularly or those who have specific data handling or information management responsibilities. Furthermore, staff members who were designated ‘Information Asset Owners’ had not received any specific data protection training.

Digital training, or e-learning, is unlikely to have the specificity that the ICO has hinted it requires. Whilst an off-the-shelf digital training package may be able to provide basic information about data protection legislation and how to apply it, in reality, it will not be able to provide staff with the knowledge on how this applies in their particular role, nor will it educate them on the specific data protection procedures that your organisation has in place. 

In addition, digital training tends to involve minimal learner participation and often involves merely clicking ‘next’, watching an uninspiring video and answering multiple-choice questions until you have the right answer. With this setup, it is difficult for organisations to tell whether participants are truly engaging with the material and have really understood the rules and regulations and how to comply in their everyday roles.

Moreover, from a learner’s perspective, there is often little to no feedback available from digital training, and rarely any opportunity to ask questions or clarify understanding. In contrast, having a face-to-face session with an instructor allows for feedback and greater discussion, including answering questions, making corrections, and enabling more in-depth explanations into problem areas. Talking to someone should also guarantee clarity on the issue, this is extremely helpful with more complex subjects (like data protection!).

Ultimately, it is important to remember that staff data protection training should not be considered just a ‘tick box’ exercise. It is essential that staff not only attend training sessions, but engage with them and leave knowing their own data protection responsibilities and how to put them into action.

The consequences of inadequate training

Whilst digital training may seem like a ‘quick-fix’, there are some potentially serious consequences that come with having inadequate or ineffective training in place:

  • Data subject rights

Respecting the rights of data subjects is a fundamental part of data protection law and a big part of this is dealing with rights requests. Dealing with data subject rights requests effectively and in a timely manner relies heavily on staff being able to recognise a request and knowing who to escalate it to. If your customer-facing staff do not have this knowledge, it is almost impossible to deal with rights requests effectively, which can do real damage to your customer relationships and reputation.

  • Data retention

Data retention and proper records management relates to the fundamental GDPR principle of Storage Limitation. Data cannot be retained forever, meaning that organisation’s must have a retention schedule in place outlining for how long different documents are kept. Failing to appropriately train your staff on how to comply with your organisation’s retention schedule may mean that you are storing records for far longer than required, which creates additional risk for your organisation.

  • Third party data sharing

Inadequate training also puts your organisation at additional risk from data sharing. Sharing data with third parties is an essential part of business, but it is important to have the correct contractual agreements in place to safeguard the data, especially if this sharing is occurring across borders. If unaware, it is all too easy for staff to sign up to a third party platform and begin sharing data without the appropriate data sharing agreements in place.

  • Breaches

Not having adequate training can put you at serious risk of experiencing breaches. The vast majority of data breaches are caused by human error, not cyberhackers or phishing attacks like we often envision. Inadequate training can not only put you at a higher risk of experiencing a breach, but it also increases the likelihood that your staff will not deal with a breach properly when it occurs. This could get you into hot water with the ICO, especially if you have failed to report a reportable breach within the 72-hour timeframe.

  • Sector nuances

Data protection is not a one size fits all. Different sectors have different data protection obligations originating both from data protection legislation as well as sector-specific regulations. Staff must not only know how data protection laws apply to their industry, but also how sector-specific rules and regulations intersect with data protection laws; something that generic e-learning modules will be unable to achieve.

In summary, failing to provide adequate training for your staff puts you at a much higher risk of non-compliance with data protection laws; non-compliance which can lead to serious reputational damage and financial penalties that, ultimately, will impact your potential business growth.

Why in-person training should be considered

Online courses can often seem like the low cost option and the better deal. However, in the long term, inadequate training is likely to be far more costly to your organisation than quality, face-to-face training. Whether it be from the cost of mitigating data breaches, fines from the ICO, the reputational damage resulting from poor data management, or having to re-train your staff later down the line, you cannot cut corners with training your staff on how to handle personal data.


Dpo Centre, August 23, 2021