The ICO exists to empower you through information.

Please see below for suggested actions and further reading based on your answers to the six questions.

Is someone responsible for delivering data protection training in your business? - Yes

That’s great. Having somebody responsible for training your staff is an important starting point in protecting the personal data you hold.

You need to support them in their role, for example by regularly reviewing and, where necessary, improving the support and resources available to them. You should also make sure they have access to regular refresher training.

If they move on, you need to choose someone to replace them, train the new person and let everyone know who to contact.

Does the responsible person understand key data protection requirements so they can ensure the training covers them? - Partially

During initial training, the responsible person should explain what the data protection principles are and how they relate to your business. For example:

When a new member of staff joins your business, part of their data protection training should include an explanation of when and how you delete or destroy personal data that you no longer need. This is because one of the seven data protection principles is ‘storage limitation’, which means not keeping people’s personal data for longer than necessary. It’s not possible for one person to take sole responsibility for this, because it’s likely that everyone in your business is handling personal data.

They should also explain key data protection terms staff may come across.

Does the responsible person know what else they should include in a training plan? - Partially

As well as explaining key data protection terms, training should cover at least:

  • data sharing;
  • information security;
  • personal data breaches; and
  • records management.

Our SME hub has lots of useful information about these areas.

You might provide training materials to support data protection learning, such as:

  • handouts;
  • reference guides; and
  • posters.

These should be easy to find and available to everyone after their training.

You should give specific training for specialist roles. For example, someone responsible for dealing with personal data breaches needs more in-depth training in this area. Our ‘How well could you respond to a personal data breach?’ checklist may be useful here.

It’s a good idea to check how well people have understood the training. You could use an assessment with a minimum pass score, for example.

At the end of the training, ask for feedback about what worked and what didn’t. You can use this to make improvements for the future.

Does the responsible person know when staff should receive their training? - Partially

The responsible person should have a training schedule in place for everyone in your business.

The schedule should set out when initial data protection training should take place, which should be within a month of someone joining your business and before they access any personal data.

It should also say when refresher training should happen to ensure they keep their knowledge up-to-date.

You should provide refresher training to all workers at regular intervals. Ideally you should provide it annually, and the interval between refreshers shouldn’t exceed two years.

The responsible person (or whoever delivers the training) should deliver it according to the schedule, with contingency plans in place to make sure no one is forgotten. Remember to capture any new data protection responsibilities when people move roles.

Does the responsible person maintain a training log? - No

The responsible person should start a log now.

They should record the current training status of everyone in the business and include:

  • when staff last received training;
  • the type of training, eg initial, additional support or refresher;
  • when they are due refresher training;
  • scores from any data protection assessments (if applicable);
  • areas for extra support and when this is complete; and
  • any additional training they need due to workers’ changing roles.

The log needs to be a living document that accurately reflects the training you’re doing. It should remain up-to-date.

Do you regularly review the training? - No

You or another appropriate person in your business should review and approve the training regularly to make sure it’s accurate and up-to-date, and to tailor it to specific people or roles.

Where you need to make changes, update training materials, handouts and other reference guides as soon as possible. It’s a good idea to assign version numbers to help make sure everyone is using the right ones.

Sometimes changes happen in data protection law, for example to reflect the UK’s withdrawal from the EU, or when the ICO provides new guidance.

You can stay up-to-date with news from the ICO by subscribing to our newsletter.

You should tell all staff about the changes as soon as possible. If the changes are significant, let them know without delay.