Training is one of the most important stages for becoming General Data Protection Regulation (GDPR)-compliant. There is little point in having policies in place and going through all of your risk assessments if you don't tell staff what they need to do, and why.
The aim of training should be that every staff member (not just teachers) has a basic understanding of what GDPR is, how it effects them, how to recognise when a data breach has occurred and what to do if one has taken place.
Watch: How to approach GDPR training
Everyone needs training
GDPR is something that will affect all staff. As such, all staff will require training.
What’s more, training will need to be logged. That includes noting who has received training, when they were trained and what their training involved.
Below are some tips on how to structure your staff training.
1. Make it accessible
It is crucial to convey the importance of being GDPR-compliant, without making it sound as if you are introducing a huge upheaval to their daily working lives.
Russell Holland, barrister and education specialist at Michelmores, recommends that schools should approach GDPR in the same way as safeguarding.
"Conceptually, it is not that different to safeguarding," says Holland. “You have a legal duty to safeguard. When staff are inducted, they have to say they have read the school’s safeguarding policy and they need to know, if there is a problem, who they go to. So GDPR is similar."
2. Make it simple
With teachers already having so much on their plate, GDPR training should be made easy to digest. That means those delivering training should break down GDPR into easy-to-consume nuggets of information and use plenty of examples of how it will operate as part of a teacher's day-to-day working routine.
It also means limiting technical information that they do not need to know and ensuring any advice enables teachers to focus on what they are there to do: teach.
Helena Wootton, data protection expert and partner at Browne Jacobson, says: “Ultimately, the school is there to deliver education; this shouldn’t be a distraction, it should be common sense."
3. Get the basics right first
Toks Oladuti, director of information systems for an independent girls’ schools trust, advises schools to begin with the basics and only move on to the detail of compliance once the basics have been given time to be absorbed.
He says training should be run over multiple sessions, with the first focusing on helping people "understand the core concepts".
"We did an initial awareness campaign, so we just let people know that data-protection changes were coming along and roughly what the changes were," says Oladuti.
"It’s also about raising awareness of terminology, so: what did we mean by processing? What actually is personal data?”
4. Tackle data mapping
The next phase of training should focus on data mapping to find out which data the school processes and why, says Oladuti. So stage one of this phase should be explaining this process.
He explains that staff then need to fully understand the rules on data processing and what constitutes data, so that a school can properly grasp where data is being held. So the second training session should go into detail on terminology and process.
Following this, a data-mapping questionnaire can be sent out and you can be confident of a more accurate response than you would have had without the training.
Oladuti says: "It should ask: what personal data do you process, how do you process it and why do you need it?"
The third session of the phase should be a workshop exercise in which you go through the questionnaire with individual departments to ensure they have fully understood what has been asked of them.
"This is just to really delve into what they are processing," says Oladuti.
5. Reporting data breaches
All of us make mistakes and, after 25 May, mistakes will undoubtably arise whereby, for example, a member of staff has included a piece of personal data in an email when they shouldn't have.
It is important to remember that GDPR is not only about preventing data breaches, but also about how you react to them. So if a member of staff has committed a breach, they should understand not to cover it up, but to report it to the relevant member of staff.
By the end of the training process, staff should be able to recognise a breach and know the school's policy on what to do in the event of one. Making this understood before 25 May will be essential to ensure you don't encounter the wrath of the Information Commissioner’s Office (ICO).
6. Understanding the why
Across all of these phases, the focus should not just be about what a staff member should do, but also why they should do it.
Oladuti explains: "I think that the actual knowledge of why is probably more important than the actual dos and don’ts, because as soon as they get the why and they understand the essence of data protection, it means, moving forward, they’re always questioning."
7. Further questions
As has been mentioned above, GDPR should be approached in the same way as safeguarding. For example, the school should create a clear policy, which all staff and new starters have to learn, and staff should receive ongoing training to ensure the school is remaining compliant.
It is likely that staff will need training every six months for the first year after 25 May, with that then being decreased to annually.
However, training is not just about ticking a box: staff must understand their obligations. If staff are struggling with the new data-protection changes, it goes without saying that they may need training more than once every six months.
As part of GDPR, a school's data-protection officer (DPO) is to be a data-protection expert, so the individual who takes on the role will need more regular training, if you are keeping the role in-house.
What's more, as the new data rules are put into practice, there will likely be changes in how it should be put to use from the ICO. Your DPO should be keeping abreast of any guidance from the ICO and relaying it to staff if need be.