Trilateral has worked with DPAs, academics and business to develop a set of freely available GDPR training materials which will be presented in this month’s project final conference in Brussels and Tirana. In this article, David Barnard-Wills, Research Manager at Trilateral Research, presents the DPAs’ approach to training in countries across the EU, the gaps in the current materials, and the STAR training modules.
Data Protection Authorities (DPAs) and Data Protection Officers (DPOs) are legally obliged to undertake training activities. In support of that obligation, the STAR project has developed ready-made, easy-to-customise and easy-to-run training materials, easily adaptable to specific training situations. The STAR training materials are based upon research into existing GDPR training practices as well as gathering information about training needs and requirements identified by practitioners and other stakeholders. They can be downloaded from the project’s website. We’re holding a launch event for DPOs organised by the Brussels Privacy Hub on 17 October 2019 and a side event for DPAs at the 41stInternational Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana on 22 October 2019.
STAR (the acronym stands for Supporting Training Activities on the data protection Reform) is a collaboration between the Research Group on Law, Science Technology and Society (LSTS) at Vrije Universiteit Brussels, the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH – the Hungarian data protection authority) and Trilateral Research. It is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (REC-RDAT-TRAI-AG-2016) under Grant Agreement No. 769138.
Our previous research projects had found that EU DPAs were at different places in the process of institutional change that emerged from the GDPR. STAR’s approach was to first understand the existing training activities that EU DPAs were conducting – and particularly the strategies behind the delivery (or lack of) of GDPR training to their staff, to DPOs, and to members of the public. To this end, we interviewed senior representatives from 17 authorities, with a wide geographic spread and including both large and small authorities in terms of resources and staffing. We also interviewed DPOs from across the EU and across different industries and economic sectors. In addition, we reviewed DPA websites in order to identify any training material they were publishing and collected together a range of other freely available GDPR resources. Whilst we were generally not able to access paid-for training material, such as that offered by law firms and specialised training consultancies, we gained a good sense of what was available in the public domain.
DPAs’ approach to training varies across the EU
In general, most DPAs were running training, dissemination, or awareness-raising activities, particularly in the run-up to the applicability deadline of the GDPR in May 2018. However, the approach to training is highly variable across the EU. Some authorities prioritised their own internal staff training and not all DPAs saw the provision of external training as a duty, arguing that need was addressed, or should be addressed, by private-sector services.
Approaches to external training were diverse. We also observed no direct correlation between the size of the authority and its engagement in external training. Some smaller DPAs do provide training, though their limited resources influences the scale of the training they are able to provide. To overcome these limitations, smaller DPAs are generally keen to take advantage of external, third-party dissemination events to maximise outreach, including giving presentations to specialised audiences in industry sector associations’ meetings and taking part in national and international conferences. Such training activities are sometimes organised and planned as part of a strategy, but for many authorities, they are developed on an ad-hoc basis responding to specific requests for training, for example, by public authorities.
Nearly all of the interviewed DPAs focused their training on the general structure of the GDPR and address audiences with little or no experience in data protection. Such training aims to support further self-study or training with the DPA or other training providers. Beyond this, most of the DPAs heavily focus on the innovations of the GDPR compared to the old legislation (national implementations of Directive 95/46/EC and others). This includes teaching the new concepts and tools introduced with the GDPR (e.g., the data protection impact assessment (DPIA), sanctions, territorial scope, etc.), the new obligations for data controllers and data processors (e.g., risk-based approach and accountability, data breach notification, etc.), as well as the new rights of the data subjects (e.g., data portability). In these cases, they assume their audience is at least acquainted with previous data protection law and is concerned with transitioning from the old regime to the new.
One of the most relevant differences between DPAs and other trainers is the approach to the operational dimension of GDPR compliance. While DPAs seem to adopt a more theoretical approach for conveying GDPR knowledge, such as the reading, explanation and critical interpretation of the GDPR text, DPO trainers tend to focus on the practical aspects of the new legislation. For example, how to conduct an adequate DPIA, the impact of the GPDR on contracts with suppliers and clients, how to update the documentation on data transfers, how to record processing activities (data registers), the function of binding corporate rules, and the practical obligations for the newly-appointed DPOs. This difference is reflected in the topics that interviewees suggested should be covered in training materials. DPAs prioritised the legal bases of the GDPR, as well as the role of the regulator, and the rights of data subjects, whilst non-DPA trainers prioritised operational matters such as technical and institutional measure for protecting personal data.
A limited number of DPAs determine the scope of their training activities based on requests from their trainees, which is, on the contrary, a common approach in the private sector. The relative lack of systematic feedback collected by DPAs from training sessions potentially leaves their training at some distance from potential users. However, a limited number of DPAs did report organising bespoke training for specific industries, such as the financial, health, and public education sectors.
What is currently missing from training material?
Our study of collected training materials found that, in general, their content is mostly relevant and up to date. However, a few of the collected general guides are so theoretical that corporate and organisational stakeholders will likely have to look elsewhere to find more operative, practical guidance on how to comply with the GDPR. Additionally, the collected material doesn’t really cover the full regulatory environment. While guidelines usually follow the structure of the GDPR and therefore cover all of its content, most of the remaining materials deal with single topics, such as DPIAs, DPOs, or the rights of data subjects, and therefore leave other GDPR innovations to other materials issued by the same DPA. This likely supports a user browsing for guidance or information on a specific topic, who already has a general grounding.
Unfortunately, we found a general lack of systematic approach in training on the full GDPR system: indeed, in none of the collected materials did we find reference to other data protection laws, such as Directive 2002/58/EC (ePrivacy Directive) or similar. Furthermore, few materials contained real life examples, case studies or scenarios.
Another missing element in a relevant number of collected materials, including from DPAs, is any mention of the training methodology. DPAs are producing lots of material based upon the relevant legislation, but this material can only rarely be considered training material with a pedagogic design. It appears the working model is that this training material is being produced by people who might deliver this as training, using their own experience, and then it is made public. Additionally, a lot of material did not meet accessibility guidelines related to disabilities.
While many materials address the topic of international data transfers, few of them approach data protection from a truly international perspective. Nearly all the materials address almost exclusively a certain Member State and are drafted in the language of that Member State. The interviews revealed, for example, that the materials issued by the UK Information Commissioner’s Office (ICO) were quite often taken into account by practitioners in other Member States. The ICO may or may not have issued them having foreign recipients in mind, and this may become a challenge if the UK data protection law diverges from EU one in the future. The same applies to other materials issued by countries whose language is spoken or understood abroad, and for regulators in countries with many multinationals, whose guidance becomes relevant across borders.
STAR training materials
STAR’s ambition has been to create new GDPR training materials to meet the training needs across sectors, and address some pressing challenges. Our training materials are a collaboration between academic experts, a data protection authority and a company with deep expertise in data protection. We are pleased to announce that the training materials produced by the project are now available, and we invite readers to try them.
STAR has produced 11 training modules, covering the topics of:
- An introduction to the GDPR
- Purposes and legal grounds for processing personal data
- The rights of the data subject and their exercise
- Responsibilities of data controllers and processors
- The role of the Data Protection Officer
- The role of the Data Protection Authority
- Data protection in practice (including technical and organisational measures)
- Risk management in the GDPR context
- Data Protection Impact assessments
- Data protection communication
- GDPR related laws and special provisions.
Each of the training modules contains guides on the teaching approaches to use, support for the trainer, links to additional supporting material and resources, and guidance to adapt the modules to different audiences. To support the training materials, we have produced accompanying forms such as attendance sheets and evaluation forms. We are finalising a training handbook, which contains detailed guidance on how to make the best use of the STAR training modules, as well as a checklist of criteria for assessing the quality and comprehensiveness of other GDPR training. The training materials address challenges in GDPR training, including correcting myths and misperceptions, and interacting with a variety of audiences.
STAR is publishing all these materials under a Creative Commons (BY) licence. This allows anybody to use and to customise these slides for their own industry sector, or for the specific legal system in their own countries or translate them into their own languages. If people want to share these with us, also under a creative commons licence, we can host them on the STAR website and keep building a common resource.
STAR also has a sister project – STAR II– which, instead of focusing on training practices, uses a similar approach to understand the efforts that EU DPAs have been making to support small and medium enterprises in their GDPR compliance, as well as the experiences and challenges faced by SMEs themselves. Within the framework of STAR II, an e-mail hotline specifically for SMEs is operated by NAIH until 15 March 2020 (kkvhotline@naih.hu). This project will run until the end of July 2020 and will produce guidance for DPAs on how to engage with SMEs and a handbook for SMEs to support them in GDPR compliance.
This article was first published in the PL&B International Report, October 2019, www.privacylaws.com.
For more information please contact our team.
