Are Your Staff GDPR Aware?

The General Data Protection Regulation came into effect in May 2018, and making sure your staff are appropriately trained is essential. The UK Information Commissioner Elizabeth Denham talked about creating a culture of data protection which “pervades the whole organisation.” This is expected under GDPR.

Staff training is an essential part of data protection compliance. It not only reduces the risk of breaches but also demonstrates compliance with the Regulation, and it should be the top priority for organisations on their GDPR Checklist. For example, if an organisation were to experience a data breach and had documented its staff training, this would be used as evidence to prove that it had taken the appropriate steps to prevent a data breach and was taking the regulation seriously.

Of course, not all staff members are required to have a detailed knowledge of the full legislation like a data protection officer would, but a good start would be to ensure all staff are aware of GDPR and the issues of data protection.

Article 39 of the GDPR outlines that staff awareness training is required.

Yet, although staff need to have a broad understanding of the legislation, it is important to note that each company will have different requirements. Examples include the use of passwords, such as ensuring passwords used at work are different from those used in private, or policy regarding the destruction of data when it is no longer needed.

It is important that, once training has taken place, staff feel empowered and comfortable with reporting anything that they feel compromises the data protection, privacy and security of customers, clients, supporters and employees. Systems should be in place to encourage staff to bring up any potential issues with those in charge of compliance. They should also be able to report anything without fear of any personal repercussions.

One of the changes from the previous Data Protection Act is Data Subject Access Requests (DSARs). Staff are fundamental in ensuring these requests are completed in time. They should be trained on how to spot DSARs, as they could come via email, in a telephone conversation, by letter or perhaps through the website, and they may not be clearly stated as one. Staff should then understand what to do with them, which requires a process to be put in place.

Staff awareness programmes should be an ongoing process that begins at induction and is reinforced regularly throughout the year and whenever staff-related data protection incidents occur.

If you do nothing else, at least train your staff. If you have a well-informed workforce, it will reduce your risks.


Sampson Hall has a proven track record of working successfully throughout an organisation and can advise and bring together all the functions of the business in order to ensure overall GDPR compliance.

Our offer includes:

Board briefings

Staff awareness sessions

Gap analysis

Data mapping and data flow

Data protection impact assessments

Annual GDPR audits

Data protection officer services

We offer a free strategic GDPR audit. Please get in touch for further information.

Tom Ziemski (Data Protection Officer):
