Of all the Big Questions (What is consciousness? Is there life after death? Will Arsenal ever win the Champions League?), I spend time on one question in particular: can compliance training ever truly be effective?
It's a timely question, given the UK ICO's latest enforcement action. Yesterday, the ICO issued a £25,000 fine to Mermaids, a charity that provides support to transgender children, for allowing 780 pages of confidential emails — including names, email addresses, mental and physical health information, and details of individuals' sexual orientation — to be viewable online for nearly three years. An article by the Sunday Times newspaper publicised the breach in 2019, which Mermaids subsequently notified to the ICO.
Whilst that perhaps seems unremarkable when compared to multi-million pound GDPR fines, concerns about facial recognition and ongoing data transfer compliance challenges, a couple of lines in the ICO's enforcement notice stood out to me:
- "...there was a lack of adequate training, including a lack of face-to-face training, on data protection" (emphasis added).
- "...the ongoing contraventions were not identified by anyone at Mermaids during the period of operation of the insecure email system, which demonstrates that the training was inadequate and / or ineffective" (emphasis added).
Let's unpick those statements.
Firstly, does the ICO expect that compliance training will only be effective if conducted in person? Whilst that approach may be feasible — and appropriate — for some businesses, there are also excellent computer-based training tools on the market. Secondly, does the ICO expect that compliance training will only be effective if an organisation remains on the windy side of the law? That feels like an unreasonable — and unrealistic — burden for training to carry.
Ideally, you'll be thinking about training as more than a box-ticking exercise. And, dare I say it, something that can actually be quite fun.* If nothing else, it's an area that the ICO will look at closely when assessing non-compliance.
* Yes, I'm aware that I need to get out more.
The relevant passage from the ICO's enforcement notice reads in full:

> "All Mermaids staff and volunteers received mandatory data protection training in December 2018, which is updated annually, however, the ongoing contraventions were not identified by anyone at Mermaids during the period of operation of the insecure email system, which demonstrates that the training was inadequate and / or ineffective."