GDPR countdown 4 - why training staff, not deploying IT, should be your next best action

David Reed, knowledge and strategy director, DataIQ

Where in your organisation is GDPR being enacted? Is it in the backroom where data audits and documentation are establishing the usefulness of customer data as an asset? Is it in customer-oriented functions, like marketing and sales, which are having to review their processes? Or is it on the frontline where customer-facing staff need to explain new privacy policies and prove informed consent by customers?

Typically, the answer is likely to be all three of these - GDPR has an organisation-wide impact that leaves few (if any) existing processes untouched. But while documenting how and where personal data is being processed is the most obvious starting point and implementing new regtech can look like an easy fix, there is another dimension which is more likely to lead to sustainable, compliant data management.

Training all staff to understand that GDPR is a cultural shift, not just a box-ticking exercise, is more likely to lead to appropriate behaviours than simply plugging in a new system or completing a variety of impact assessments. Ensuring that everybody along the supply chain who touches personal data understands and acknowledges their duties is more likely to create behaviours that build customer trust than almost anything else.

Ask yourself this: when you engage with a brand and receive an interaction that demonstrates respect for your data, explains why it needs to collect and use it, then provides you with access and tools to exercise your rights, don’t you feel more positively disposed not only to that company, but also towards the idea of permitting it to process your personal information?

If you have that reaction, then shouldn’t you be building processes which trigger the same response among customers into your new GDPR-compliant culture? It may sound like a no-brainer, but there is one significant obstacle to making this happen - the need to train staff.

If UK plc has one perpetual challenge, it is providing employees with information, support, guidance and rewards for the right behaviours. When asked in the DataIQ GDPR Impact survey to rank the top three challenges they face within GDPR programmes, training staff to understand GDPR trailed third behind agreeing on an interpretation of the Regulation and identifying technology fixes.

Establishing a perspective on the new law that legal counsel will sign off on is an important first step (and certainly one that ought to have been taken by now). Identifying where new technology or adaptions of existing solutions are required is hardly a big cultural leap either - companies are constantly having to advance their IT to meet changing needs after all.

So, why is training often the wallflower at the GDPR dance? Peter Galdies, technical director at DQM GRC, believes it reflects an ambivalence about the human factor in any culture that is harder to address than deploying a solution or getting counsel to approve a policy. “Training is a blind spot for many companies, either because they approach it in a way that is too generic, or because managers are fearful of engaging with the unpredictable variable that human resources represent,” he says.

“But our experience shows that employees are eager - indeed hungry - for well-constructed individual guidance that is delivered in a way that enables them to do their job better and achieve positive outcomes for customers,” adds Galdies.

“Getting your team educated about GDPR today not only mitigates the immediate risk to organisations, but also helps to install that vital behavioural shift into more privacy-centric thinking that will protect the organisation as it changes into the future,” he adds.

Training may not look like the quick and easy fix for GDPR which many IT solutions are currently claiming to offer. It might not provide the top-level reassurance which getting legal approval can provide. But when it comes to the sustainable, deliverable and, above all, effective engagement between the brand and its customers, there really is no excuse for leaving it to chance.

This article is the fourth in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC.

David is developing the framework for soft skills and career development among data and analytics practitioners. He continues to be editor-in-chief and research director for DataIQ.