9 Things to Consider When Choosing a GDPR Training Course for Employees
In our recent article “GDPR Training for Employees” we provided a high-level overview of the fundamentals of GDPR training, such as why your organisation needs to provide it.
So now that you understand why you need training in order to comply with data protection legislation, the next question you’ll probably have is around the practicalities, such as how do you know which training provider to choose? Which course is right for either yourself, your employees or your colleagues based on the needs of your roles? Should you choose online or in-person training? How much do various GDPR and data protection courses cost, and does more expensive mean better?
Ultimately, training should be an investment that delivers value (and yet, we’ve all been on training courses which leave you feeling like it was a waste of time), so how do you choose a course that you can be confident will leave you (or your team) feeling energised and confident in their newly gained knowledge?
Well, fear not. In this month’s article, we dive into some of the nitty gritty things to consider when choosing a GDPR training course for employees.
1) Firstly, Identify Who Within Your Organisation Needs GDPR Training
Everyone who handles personal data in your company requires some form of GDPR training, but what might these scenarios look like? Three common scenarios to regularly review would be:
- Have you taken on any new members of staff?
- Have any members of staff recently received a promotion, or changed to a role which provides them with greater access to protected data, or has different data responsibilities, and therefore requires additional training?
- Are any staff members due refresher training?
A new starter, for example, who has just joined the company, needs to be brought up to speed on GDPR training. Even if they have had training while working for another company, you can’t be sure of the quality and effectiveness of that training, so it’s best to give this new employee training so you know their level of knowledge on GDPR, helping you avoid issues in the future.
If an employee hasn’t had training for a couple of years, they may need a GDPR refresher course to remain compliant. People forget things and rules change, so it’s important to ensure your employees have up-to-date training. The ICO, the organisation responsible for implementing the GDPR in the UK, says so itself: “Training must be relevant, accurate and up to date”.
Another scenario to consider is when an employee receives a promotion or changes their role to one which has different GDPR requirements such as having increased access to protected data. This may mean they need new, specific training for their new role.
Perhaps you even have entire departments who haven’t had GDPR training for a couple of years. In this scenario, you may find that a bespoke, team training session can be the most effective solution to ensure the whole team is trained to the relevant standard, helping to be certain that everyone has the same understanding. We’ll cover some of the other benefits of bespoke, group training sessions later in this article.
2) What Aspects of GDPR Do Employees Need Training In?
Different roles within your organisation will have different GDPR responsibilities, and will therefore have different GDPR training requirements.
For example, those with basic, less sensitive GDPR responsibilities will only require training on the basics of data protection. The same goes for anyone who is new to GDPR and requires a beginner’s course.
Those in roles that handle personal data more regularly, and perhaps in a more sensitive capacity, will require much more in-depth training, most likely training specific to their role.
Certain jobs and industries handle data differently to others. For example, those in the sales and marketing business may run into GDPR-related issues with sales prospecting, social media, adverts and cookies, that other industries won’t have to deal with, and therefore will require specific sales and marketing GDPR training.
Another great example is Human Resources (HR) professionals. Those in HR will require a whole host of GDPR training due to the nature of their role, handling employee personal data regularly. From recruitment, to remote employee data, to staff rights, HR professionals require specific and in-depth HR-related data protection training.
Furthermore, you may have internal data handling and data management processes specific to your company that you require staff to be aware of, which non-customised GDPR training obviously wouldn’t cover. Thankfully, Databasix can provide custom training tailored to the needs of your organisation.
As you can see, it’s important to choose the appropriate training for your employees’ roles, as levels of data handling vary massively, and not providing a high enough level of GDPR training could result in your employee, and thus you, falling foul of the GDPR.
3) Individual vs Group GDPR Training
Consider whether you require group or individual training. It can sometimes be faster and easier to arrange GDPR training for an individual or a small group. However, training larger groups can turn out to be cheaper per person. Providing a larger group with training at the same time can also help ensure consistency and a stronger team understanding of the rules, as you know that everyone has been provided with the same information in the same way. In addition, the internal knowledge pool becomes stronger, which means, long after training has finished, if anyone needs reminding of a certain aspect (but doesn’t yet require refresher training) there will be a team of people they can ask for a reminder.
Another consideration may be how busy your company and employees are at certain times of the year, and whether it is worth waiting for a less busy time (as long as you don’t risk non-compliance with the GDPR in the meantime). Depending on your industry, there may be peak times and lull times that affect the availability of your employees. Waiting for a lull in which employees are more readily available may mean you are able to spare more employees to attend the training, thus saving money due to the larger group size.
Speaking of costs…
4) What’s Your Training Budget?
Of course, your budget will have an impact on which course you choose, and potentially, your GDPR training provider.
If you can afford it, try not to opt for training providers on the cheaper side as, when it comes to GDPR training, it’s a case of buy cheap, buy twice. A great, and rather ironic, example of this is when the House of Commons trained MPs in GDPR through a third party, which many found lacking and not at all tailored to the jobs of MPs. They all had to redo their training as a result of this.
Furthermore, not all GDPR training is created equal, and failing to train your staff properly could result in penalties or fines from the ICO (as well as, more importantly, data protection risks). Perhaps it’s less a case of can you afford to avoid the cheap options, and more a case of can you afford not to?
On the other hand, there are some very expensive options out there that needn’t be. Consider exactly what your company and employees require, and search for competitive prices that also deliver quality training.
5) Online GDPR Training vs In-Person GDPR Training
You may have spotted this distinction when searching for a GDPR training provider: is the training online (aka remote) or in-person? There’s no right or wrong answer with this one, with both options having their benefits, and all employees learn differently. We’ll lay some of them out here to help you consider what is best for your company.
Online Training Benefits
- Can sometimes be less expensive overall as you don’t need to factor in travel costs
- No travel time required to and from location (especially useful for relatively short courses)
- Pre-recorded training offers more flexibility with times
- More employees are likely to be able to attend
In-Person Training Benefits
- Several employees in one location
- Some employees learn better in-person
- Can increase learner satisfaction and retention
- Potential networking opportunities
6) Live Training vs Pre-Prepared Training
Another important decision to make is whether to opt for live training or non-interactive, pre-prepared training (such as static documents, books, tick lists, etc.).
Again, both have their pros and cons, and both are still able to deliver a well-rounded piece of GDPR training to your employees. However, one or the other may be more advantageous to your company and employees.
Live training gives you a more hands-on, potentially more engaging, format of teaching, with employees perhaps more likely to listen and pay attention to a live trainer. Furthermore, you also have the opportunity to freely ask the trainer questions. This is especially useful for ensuring employees have understood the concept or topic being taught, and the immediacy of it might encourage employees to ask more questions.
With non-interactive GDPR training you don’t have this advantage; there isn’t a live person to immediately ask a question to in order to better your understanding. However, some providers offer a service in which they will respond to questions from those on pre-prepared courses as quickly as possible to alleviate this disadvantage.
On the flip side, without this immediacy, pre-prepared training can be completed whenever the employees want; it is on demand. This makes it easier to arrange than live training, for which every employee has to be available at that time.
Many pre-prepared courses unfortunately become stagnant and out of date over time, thus failing to meet the ICO’s stipulation that GDPR training must be “relevant, accurate and up to date”. To combat this, Databasix makes sure its GDPR training, both live and pre-prepared, is constantly renewed and refreshed, keeping in line with the current legislation and keeping up with rule changes. This helps to ensure the money spent on training is money spent well.
7) Is Your Chosen Training Provider a GDPR Specialist?
As discussed when talking about budget, it’s important to make sure you’re getting quality GDPR training, or risk falling foul of the GDPR, risking penalties or fines from the ICO, and potentially having to redo the training (incurring more costs).
GDPR legislation changes regularly. If the training course your team attends is based on out-of-date information, it makes the whole exercise pointless and, worse still, means you may not be compliant from the outset.
To give an example, as the industry is unregulated, anyone can put a bundle of GDPR related information together and call it a training course. You’ll see examples of this on various “gig” sites such as Fiverr, and even some recruitment sites now sell pre-bundled courses from unknown third parties.
Thankfully, at Databasix we’re specialists in GDPR and Data Protection training; it’s our bread and butter and we live and breathe it every day. As a result, you can be sure that our training courses always provide your team with the very latest information, guidance and insights to keep you compliant.
8) What Certification Does The Course Provide?
One way to identify if a course has the quality you need is to ensure your employee gets a certificate for the training - the training is more worthwhile if you have evidence of it.
The certificate will act as a form of proof to show the ICO that training has been carried out. In the case of a data breach, the ICO may investigate, and by being able to prove your employees are trained in line with the legislation, you can avoid or lessen the risk of a fine. A certificate can also show customers and clients that your employees are committed to protecting their personal data, thus giving them confidence in your company and putting them at ease. It will also likely serve as a record of when the GDPR training took place, helping you track when a refresher may be due.
Not all certificates are created equal. As touched on above, there’s nothing currently to prevent “Joe Bloggs” putting together a GDPR training course in his spare time, and selling it on a “gig” site such as Fiverr to earn a bit of extra money.
In contrast, a certificate from Databasix demonstrates to the ICO that your employees have been trained by a specialist GDPR training provider.
9) What Happens After GDPR Training?
GDPR training isn’t a ‘fire and forget’ activity. There may be actions you need to take after the GDPR training has been completed.
- Do you need to add it to the employee’s training log?
- Does anyone need to sign off on it internally?
- Does it need to get added to any appraisal notes?
Another important activity to consider following the completion of the GDPR training is booking in a refresher course for a couple of years’ time. Time flies, legislation changes (often!), and it’s easy to forget and subsequently fall foul of the “training must be relevant, accurate and up to date” requirement of the ICO. Booking early may result in saving some money too!
More to Consider?
Because this is such an important piece of training, there’s a huge range of things to consider when deciding on your GDPR training provider. Get it right, and you have a cost-effective, high-quality training course, teaching your employees the ins and outs of GDPR and data protection in an engaging and informative way. Get it wrong, however, and you risk falling foul of the GDPR, and potentially having to redo the training (incurring more costs).
Thankfully, as you’ve discovered, with Databasix, you’re in safe hands, so why not explore the Databasix GDPR training courses, or feel free to get in touch if you have any questions, or would like to discuss our bespoke training courses.