Many companies still haven’t allocated a GDPR staff awareness budget

Half of the respondents to IT Governance’s EU General Data Protection Regulation (GDPR) Report haven’t allocated a budget to provide GDPR staff awareness training. Only 28.7% said they have allocated such a budget, and 4.6% said they are not planning on providing their employees with training.

The report surveyed 250 of our clients and is intended to provide practitioners and senior management with insights into how organisations are progressing with GDPR compliance, the challenges they face and the measures they are adopting.

You must provide training

If your organisation is affected by the GDPR, you and your staff are obliged to follow the Regulation’s requirements. Indeed, briefing and training your staff on their data protection responsibilities is in itself a requirement of the GDPR.

Even though many of the respondents to our survey said they hadn’t allocated a budget for staff training, the majority of respondents said they have provided training anyway or are planning to. The findings included:

  • 9.3% said they’ve provided training to all employees.
  • 17.6% said they’ve provided training to some employees.
  • 53.2% said they’re planning to provide training in the future.

Staff awareness training does not simply mean briefing your employees about the Regulation. It should include a thorough programme that makes sure all employees understand the company’s practices and procedures for processing personal data.

Overall GDPR budgets are too ambitious

More than half of our respondents said their budget to fully implement the GDPR is less than £5,000 (or equivalent). This means that compliance practitioners could have a significant amount of work to do and very little money to do it with.

Based on the cost of implementing and certifying to an ISO 27001-compliant information security management system (ISMS), this budget seems too ambitious. Last year’s ISO 27001 Global Report states that organisations typically spend between £5,000 and £20,000 on complying with ISO 27001.

Train your staff

To help your organisation comply with the Regulation, you should enrol your staff on our GDPR Staff Awareness E-learning Course.

Failure to comply with the GDPR can lead to much higher penalties than under current data protection laws. Any organisation found to be in breach of the Regulation could face fines of up to €20 million (about £17.8 million) or 4% of its annual global turnover – whichever is greater.

Our course defines the scope of the Regulation, introduces the principles for collecting and protecting personal information, and shows you how you can achieve compliance.

Those who are already involved in data protection or wish to enter the field might want to consider our specialised GDPR training courses. Depending on your level of expertise, you may be more suited to our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course or our Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course.