What is the General Data Protection Regulation (GDPR)?

Before we get into the details of what GDPR training is, let’s remember what GDPR means: General Data Protection Regulation (GDPR) is a set of laws established by the European Union with the main purpose of protecting citizens’ personal data from misuse by organisations, by imposing regulations and orders on organisations retroactively collecting or targeting people’s data in the European Union. The Regulation entered into force on 25 May 2018. Heavy fines are imposed on companies and organisations that misuse the personal data of European individuals.

The main objective of establishing the General Data Protection Regulation (GDPR) is to protect personal data at different levels. GDPR protects personal data across all platforms, whether online or offline. GDPR applies to both manual and automated processing.

What happens if GDPR laws are broken?

GDPR imposes significant fines and penalties if the regulations are breached. Fines must be dissuasive and at the same time proportionate to the size of the infringement. In the case of major infringements, the fine is up to €20 million or 4% of the company’s turnover for the previous year. In the case of small infringements, the fine is up to €10 million or 2% of the turnover of the previous tax year. A commitment is also made by the company penalised not to repeat the violation and fines will be increased in case of repetition.

For the above reasons, business owners should prioritize GDPR trainings, GDPR trainings on data protection to avoid these harsh penalties.

Why is GDPR training important?

Once the GDPR has been implemented, authorities regularly ensure that all GDPR policies are implemented and in the event of any breach of the GDPR provisions, a series of strict measures are initiated, resulting in fines. These sanctions will be imposed on the employer in case of a breach of the GDPR by an employee, even inadvertently. Training employees and learning how to implement GDPR helps you avoid such penalties. Studies have shown that around 26% of data breach incidents are caused by the mistakes of ordinary employees, so you may be subject to GDPR penalties because an employee clicked on a link or shared a file by mistake.

See an updated list of fines imposed by ANSPDCP – the National Authority for the Supervision of Personal Data Processing in Romania in our article GDPR Fines in Romania.

Is GDPR training mandatory?

GDPR states in its laws that all employees must understand and implement GDPR accurately. This may not be an absolute obligation, but it certainly means that all employees must practice the application of the GDPR provisions well. Regardless of whether training is mandatory in GDPR regulations and laws or not, GDPR training, i.e. training employees on data protection is beneficial for any business and has several benefits that we will mention in this article.

Who should attend a GDPR training?

We advise you to train all employees to avoid any serious consequences, but the utmost attention should be paid employees who handle personal data. The term personal data includes a lot of data (a lot more than comes to mind right now), not just a customer’s name, email address or private residence address. If you are a company that provides electronic services, data such as the IP address of the customer’s computer or the times the customer uses your service. are considered personal data. Any employee handling such data must undergo GDPR training. And I expect the percentage of employees handling all this data to reach 95% in any company, so it’s likely that most employees will need to take GDPR training or attend GDPR trainings.

Find out what personal data is, what categories of personal data exist and what else you need to know to be GDPR compliant.

GDPR training requirements

Only 3 articles in the GDPR mention GDPR training requirements. We will list only one of them, because it is the most obvious, namely Article 39. Article 39 provides that the Data Protection Officer must raise awareness and provide training to staff involved in the processing of personal data.

When we look at the duties of a data protection officer, we do not find that the GDPR mentions a specific type of training an employee must undergo. Article 39 provides that “monitor compliance with this Regulation, other Union or Member State provisions on data protection and the controller’s or processor’s policies on the allocation of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits;”.

The term “training” or “instruction” itself does not appear much in the GDPR text.

Important! Technical tools can help, but they are not enough on their own.

A strong security system is one of the most important elements in protecting your customers’ data from hackers, and elements such as a strong firewall and antivirus can be very effective against cyber attacks. However, these tools alone are not enough, as the strong security system does not prevent an employee from sharing information with the wrong person, for example. There are some things that don’t need to happen for employees to have a high level of technical skills. Therefore, technical tools are important, but their importance is complemented by a skilled team that knows what it has to do.

Need help implementing GDPR?
Use our online GDPR consulting services.

  • We assess your risks in every detail

  • We assist you step by step in implementation

  • We train your employees who process data

  • We provide you with standardised procedures and documents

Benefits of a GDPR training

  • Documentation of training records. When a GDPR training, an employee training on data protection, takes place, reports of this training will be recorded, which will help you prove that you are doing what is necessary to apply the GDPR laws. Also, if someone’s rights are violated, these records will help you prove that you are in compliance with the GDPR, which will help you avoid financial penalties.
  • GDPR training reduces human error. Studies have shown that 90% of GDPR breaches are due to human error. GDPR training will reduce errors by teaching employees how most errors occur and how they can be avoided.
  • Training helps staff understand the rights of data subjects. Article 15 of the GDPR states that the data subject has the right to control all his or her data, e.g. a natural person has the right to specify and know the purpose for which the data is collected, the natural person has the right to specify the parties with whom the data will be shared, the natural person also has the right to order the company to delete his or her data completely. A GDPR training helps staff to understand these rights and helps them in terms of how they deal with people.
  • GDPR training increases trust between the company and its customers. Privacy is something customers are always looking for in any company, so GDPR training not only benefits the company by avoiding fines for breaches, but also by creating a strong relationship of trust between customers and the company. GDPR training makes customers feel that you are making sure GDPR is enforced, thus making them feel safe.

Types of GDPR training

GDPR training and employee data protection training courses are manifold and vary depending on the type of service the company provides and the role of the employee receiving the training. It is important to choose the right course, the right type of training for you, and this depends on the role you have at work and the nature of your job. For example, the training required for a customer service employee is different from the training required for an IT engineer.

  • Team GDPR training. This type of training is more effective than individual training as it ensures that all staff acquire the same level of knowledge and understanding of GDPR. When all people have the same level of knowledge, if someone forgets some details about a certain subject, his colleague will be ready to help him. Team GDPR training is recommended if the individuals to be trained have not received GDPR training before or have been in training for a significant period of time.
  • Individual GDPR training. This type of training is recommended for people who want to acquire personal skills and who are in positions that require a high level of experience and knowledge of GDPR legislation.
  • GDPR training online. Online GDPR training is an option that suits many people as it offers a lot of flexibility. An online GDPR training is suitable for people who live far away from training centres as they will save time and transport costs, also this type of training is suitable for people who cannot keep to the training schedule as they can attend recorded lessons at any time of the day.
  • GDPR training in person. In-Person GDPR training is training where an individual receives face-to-face training from a GDPR consultant or GDPR coach. The guide can meet in a group or individually at certain times.

Tip: Refresh your GDPR training!

The idea of training staff and then forgetting about it is not a good idea. GDPR requires regular testing to ensure that the company is accurately implementing GDPR laws. One of these tests is to ensure how well staff understand the laws, so if you find misunderstanding procedures on the part of staff, you may need to carry out GDPR re-education, a re-training of employees on data protection.

What is also important to remember about GDPR training is that not all groups need the same level of training.

Of course, all employees should have basic knowledge of GDPR, but there are some employees working in sensitive jobs who should have more and more precise knowledge of GDPR, so they should receive more training than others. These include people working in the IT department. These people deal with data on an almost daily basis as they are responsible for storing and organising data etc. Also, the people who should be more knowledgeable about GDPR are those working in the HR department, as they are responsible for making management decisions for the company.

What should a GDPR training contain?

GDPR training has many elements that we cannot cover in full in this article, but we will briefly mention the basics that should be included in any GDPR training.

– General elements Personal data protection (definitions, terminology) Employees need to know what exactly personal data is, what we mean by personal data and other terms used in the regulation.

– GDPR Principles – The principles that must be at the heart of all employees’ approach to processing personal data.

– Lawfulness of data processing – which are the legal grounds on which we process personal data

– Handling requests from data subjects. The GDPR training should present the rights that GDPR gives to data subjects and how employees respond to requests to exercise these rights. Below are some of these rights and how we handle requests:

  • Right of access. GDPR stipulates that people have the right to own a copy of their private data that you hold, so your employees. must provide a copy of this data, free of charge, if the data subject requests it. But if these requests are numerous, repetitive and stressful, employees may politely refuse or ask for the cost of the procedure. When handing over a copy of personal data to a citizen, you must verify their identity and make sure that they are the correct person by means of their identity card or passport and also make sure that you do not hand over their data to someone else.
  • Right of rectification. You must respect the individual’s wishes if they wish to update their registered data, but in the case of updating, you must obtain written permission before receiving the data from the citizen.
  • The right to be forgotten. Citizens also have the right to request that the data be completely deleted from the company’s records, all of the above procedures must be learned by staff in training.

When and on what legal basis do we grant a data access request, for example? What about a request for deletion? Can we follow it up under any conditions? Find out from the article: GDPR – rights of the data subject. When do we respond and when don’t we?

– GDPR regulations in the field of employment relations. You should warn your employees not to disclose personal data via phone calls without verifying the caller’s identity. The telephone number on which the call is made must be registered with the company as the citizen’s number and at least the national number must be signed to verify the caller’s identity.

Data protection and the right to privacy at work. You need to assure staff that they will keep clients’ secrets and not tell anyone, even if that person is a family member. These measures are important to avoid GDPR sanctions.

New employees. Of course, it is preferable to choose employees who have gone through GDPR training, but it should be stressed that staff should monitor and look after their new colleagues to ensure they fully understand GDPR.

– Data Protection Officer. Employees need to know when it is mandatory for a company to have a DPO, what are the characteristics of this function and what are the tasks of a data protection officer.

Notification of security breaches. During a GDPR training, you should tell employees to report any security incident as soon as it is discovered. If security breaches are not reported within 72 hours, fines and consequences will double.

Managing security breaches can be a real challenge for data controllers, so we recommend reading more about GDPR security breaches.

For the most part, the above topics are part of the structure of the GDPR training we cover in the GDPR Complete DPO Certification Course. In addition to these topics which are presented in detail in the course, information is also included on:

  • Personal data controller and processing register
  • Sanctions regime contained in the GDPR
  • Case law in the field of personal data protection
  • Mapping personal data

Do you need an external DPO?
Leave the GDPR challenges to GDPR Complete – team of professionals with legal expertise, IT security expertise and business management expertise

  • We exercise the function of DPO

  • Audit and Implement

  • We train staff

  • Communicate with the authority


Employees are the most important part of the company and any mistake that exposes the company to GDPR penalties is most likely due to employees, so it is imperative to train employees on GDPR legislation. The aggressive penalties that will be imposed on the company for GDPR violations make GDPR training a priority. You need to have two main things, the first is a very efficient technology system and the second is qualified staff who understand GDPR laws.

If you need help with your company’s GDPR compliance, either through GDPR consulting or outsourced DPO services, contact us at contact@gdprcomplet.ro and schedule a meeting with one of the GDPR experts on the GDPR Complete team.