The GDPR and the Data Protection Act 2018 (DPA 2018) can be confusing. Contrary to popular belief, the GDPR and the DPA 2018 are not the same thing, and they need to be read in conjunction with each other. The GDPR applies across the whole of the EU, but it allows member states to make their own decisions on some aspects, for example the rules governing processing by law enforcement and the intelligence services. These national variations need a legal footing, and in the UK they are contained within the DPA 2018. In addition, there are exemptions from compliance with the GDPR, and these are also set out in the DPA 2018.
As an organisation, it does not matter how comprehensive your data protection policies and procedures are, or whether they comply with the GDPR and the DPA 2018, if your staff have not been properly trained. You need to ensure that your staff understand their obligations and are suitably trained to meet them. If they do not know what the law says, or how it applies to your organisation when it processes personal data, how can you expect them to comply with it?
It is important for all organisations to ensure that staff receive data protection training from their induction into the workplace onwards, with refresher training provided on a regular basis thereafter. The frequency of that refresher training can vary depending on the nature of the role, but because the GDPR and the DPA 2018 are new, all staff should receive basic training on them irrespective of whatever training they have had before.
Specific training should also be provided to staff involved in areas such as handling Subject Access Requests, marketing, and processing special category data, as these carry additional requirements that need to be fully understood.
To comply with the accountability principle, organisations should be able to demonstrate what the training covered, that the learning was tested, and that appropriate feedback was provided to the individuals who took it.