6 criteria your GDPR training needs to meet to keep the ICO happy
With the anniversary of GDPR looming, many GDPR training certificates are about to expire. Do you need to do more training, or different training, or can you draw a line under the dreaded GDPR and never think about it again?
Unfortunately GDPR is here to stay, and the ever-increasing threat of data breaches and Information Commissioner’s Office (ICO) audits means compliance can never be far from your mind. Last year, facing a hard deadline, chambers and barristers, like other businesses in the UK, were searching for easy, cost-effective ways to be ‘GDPR compliant’ in time for 25th May. But was it enough?
There are many elements to GDPR compliance but in my experience, training is by far the easiest and fastest way to genuinely reduce risk in your chambers or practice and to prove to the ICO when you have a data breach (and you will) that you take the protection of your client information seriously. Be in no doubt, training will be your best defence.
Does it matter what type of training you do?
In a word, yes. Not all training is equal in the eyes of the ICO as Leave EU found out recently, having been issued two fines and now facing a further ICO audit specifically looking at the types of training made available for staff.
Ironically, the House of Commons was heavily criticised by MPs for the provision by a third party of what they called ‘ludicrous’ GDPR training which, at the ICO’s behest, had to be updated, tailored to suit the jobs MPs typically carry out and redone by all those who had already completed it. Truly a case of buy cheap, buy twice.
What type of training will meet the requirements of the ICO?
First, let’s be clear: GDPR training is not a nice-to-have, it is a mandatory requirement of GDPR compliance. But how do you know if you’ve chosen the right type? Unfortunately the ICO haven’t set out straightforward guidelines for us to follow; however, from our experience with data breach investigations, ICO decisions and audits we have been able to put together a list of core things that we now know are important to the ICO and that you should bear in mind when choosing training.
1. Training MUST be Relevant
The ICO state that it is essential that GDPR training is pitched at an ‘appropriate’ level. Bespoke data protection training should be provided or undertaken depending on the job you have. A barrister, as a business owner and therefore with total responsibility for GDPR within their own practice, should not undertake generic online training designed for an employee in a large corporation. It won’t give the barrister any actual helpful information on what their risks and responsibilities are, it is likely to be a waste of their precious time, and it will not stand up to scrutiny before the ICO. When considering what is ‘appropriate’ make sure all training content actually matches the responsibilities and work environment of the learner.
2. Training must be Refreshed Annually
This is pretty basic, and in line with most other compliance regulation. Put a date in your diary when your training expires and make sure you update it in 12 months. You’ll be surprised at how much you have forgotten in the interim.
3. Tests are Good
The ICO have advised that appropriate training will include assessments with minimum pass marks. Does your training have this? Do not assume a lecture from a friendly member of chambers talking about data protection legislation constitutes appropriate training. Make sure there is a standardised test or assessment included in any training you choose. This will also help you identify staff or members who are struggling with the topic and may need extra support or guidance.
4. Evidence is Needed
The ICO will look for evidence of training, usually in the form of a certificate of completion or of passing a test. Ensure you have these for all staff and that each barrister has one too. Keep a record of these centrally so you have them to hand in the case of a data breach investigation.
5. Compliance Reporting is Essential
The ICO state that accurate reporting on GDPR training levels will be critical to future GDPR proofing. Chambers must make sure that GDPR training compliance reports are available and provided to the senior management team, Head of Chambers and Management Committee so they are aware of staff and barrister training compliance levels and can take appropriate action where failures exist. You are also likely to be asked for this training report during a data breach investigation or ICO audit.
6. Certifications demonstrate Excellence
The ICO state that during their audits they will seek evidence of recognised and relevant external accreditations. If your staff or barristers can achieve accreditations, not only will this assist in front of the ICO but it can be used to demonstrate to clients and instructing solicitors your commitment to GDPR and to keeping their information safe.
One last thing for barristers to consider. Think carefully before allowing well-meaning colleagues or staff to make decisions in relation to how you meet your GDPR compliance obligations. Any sanctions, prosecutions or civil actions will ultimately be your responsibility and you should be comfortable you have made careful, informed decisions in relation to choosing how best to protect your practice.
All in all, a lot to think about when reviewing your annual GDPR training. However, this is an investment worth making as, in my experience, putting in place ‘appropriate training’ is the closest thing you can get to a get-out-of-jail-free card in GDPR.
Briefed is the exclusive GDPR Training Partner for the Bar Council of England and Wales.
Speak to us today about our barristers and chambers GDPR training and certifications - firstname.lastname@example.org or 02890 446780