7 tips to help you implement a GDPR staff awareness training programme

Staff awareness training is an essential part of the GDPR (General Data Protection Regulation), but do you know how it works in practice?

Here are seven things you can do to make your awareness programme a success.

1. Consider your requirements

There isn’t a ‘one-size-fits-all’ approach for staff awareness training. Every organisation needs to tailor its programme according to several factors, the most obvious of which is size.

The fewer employees you have, the more hands-on you can be and the more time you have to make sure everybody understands what they’re doing.

The flipside is that fewer employees generally means fewer resources, making training options more expensive per person than they are for larger organisations.

You will also need to plan your training courses more carefully, as small organisations can’t afford to have a dozen or more people out on training at the same time.

2. Set metrics for success

It’s no good implementing a staff awareness programme if you don’t know whether it’s working. That’s why you need to set measurable goals.

For example, you might say that over the course of the year you want a certain percentage drop in security incidents caused by human error, or set a target of zero successful phishing scams.

Ideally, these numbers will have some correlation to your existing information security levels, but you might not be tracking this data yet. This is particularly likely if this is the first time you’ve seriously considered staff awareness.

Fortunately, there’s a simple solution in setting short-term goals. Take a look at what sort of threats you face on, say, a monthly basis and you can create longer-term goals based on that.

Learn about your GDPR compliance requirements

The toughest part of your staff awareness programme is educating your staff on the GDPR. It contains strict rules on awareness training, and those that fail to comply face large fines.

You can find out what your staff need to know by downloading General Data Protection Regulation – A compliance guide.

This free guide provides an overview of GDPR and its compliance requirements, which will help you implement compliance practices which you can teach to your employees.

3. Be thorough

There’s a lot more to staff training than sitting your employees down and lecturing them about information security risks.

Rather, it should be a detailed, ongoing process in which you show employees how risks can arise and explain how your policies and processes tackle them.

IT Governance offers a range of resources to help you educate staff, including books, posters and bespoke training courses.

4. Engage your staff

As with the last point, staff training shouldn’t simply be an exercise that employees sit through, with the organisation expecting everybody to remember every point that was made. It should be an ongoing process that forms part of your organisation’s culture.

Engaging staff in a variety of ways is essential to that process, and people learn in different ways. For example, some prefer listening, whereas others prefer information to be written down or represented visually.

Organisations should use as many of these approaches as possible. E-learning courses are great for interactive study, posters provide visual guides, and email updates on policies are both useful and easily accessible.

5. Focus on behaviour, not knowledge

It’s one thing for employees to ace an exam, but it’s something else entirely to have them demonstrate their knowledge in the real world.

The clearest example of this is phishing: most people can spot scam emails in test settings, but when they’re at their office on a busy workday, they’re liable to open a malicious link or attachment without questioning its validity.

To bridge the gap between knowledge and practice, organisations should contextualise what they’re teaching and create roleplays or case studies that are as realistic as possible.

For example, you can test your staff’s ability to spot phishing emails with a simulated attack.

6. Time it correctly

Staff awareness takes time to get right. There’s little to be gained from rolling out a programme as soon as possible, because you’ll end up with flawed exercises that don’t achieve maximum results.

You’d be better off focusing on one thing at a time, deploying it when it’s ready, and refining your programme based on its success.

7. Be patient

As we’ve said before, you shouldn’t expect drastic, lasting changes overnight. That’s because you’re trying to fix your employees’ bad habits, which takes time.

The key is to trust the process, continuing to provide training and other practices even if the short-term improvements are minimal.

Staff will gradually become accustomed to the new way of thinking, and will be more adept at following your guidance.

Deliver cost-effective GDPR training to your staff

Get started with GDPR training with the help of IT Governance. Our GDPR Staff Awareness E-learning Course enables you to deliver data protection training to your staff in a quick and affordable way.

The course aims to provide non-technical staff with a complete foundation on the principles, roles, responsibilities and processes under the GDPR, reducing your organisation’s risk of non-compliance.

A version of this blog was originally published on 7 December 2018.


  1. Mike 26th June 2019
    • Jessica Belton 27th June 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.