ICO Enforcement Action: The Importance of GDPR Training
The ICO issued several enforcement actions last year which point to a common issue: a lack of data protection awareness among employees, stemming from organisations not providing adequate data protection training. This article gives an overview of that enforcement action, underscoring the importance of regular, comprehensive data protection training for employees to avoid costly penalties and reputational damage.
Introduction
The Information Commissioner's Office (ICO) has the authority to take enforcement action to ensure organisations comply with the Data Protection Act 2018 (UK GDPR). Between September 2023 and 2024, the ICO issued 28 reprimands, 21 enforcement notices, 19 monetary penalties, and 1 prosecution. Our review of ICO enforcement actions over the past year found that 10% of these actions specifically addressed inadequate or incomplete data protection training for employees. From this we have identified a common theme: a lack of awareness amongst employees of data protection principles and procedures, primarily due to incomplete or insufficient data protection training.
ICO enforcement action: Importance of data protection training
In November 2023, the ICO reprimanded a health board for inadequate security measures after an unauthorised individual accessed a medical communication framework tool containing the personal data of several patients. The investigation also found that only 42% of the organisation's employees had completed data protection training (which was refreshed only every three years). The investigation considered this irregular and low training participation to be a contributing factor, highlighting the organisation's weak data protection culture.
Similarly, in April 2024, a charity was reprimanded and received a monetary penalty for failing to implement adequate security measures. A coordinator compromised the personal data of over 200 individuals by mistakenly using the 'CC' function to send sensitive information to 264 email addresses. Following the investigation, the ICO found that the charity failed to provide adequate, bespoke training, leading to a lack of awareness of data protection requirements regarding special category data within the coordinator's team.
As a result, both organisations face reputational damage because their failure to implement adequate technical and organisational measures has been published on the ICO website. This serves as a valuable lesson and encourages other organisations to adopt comprehensive, mandatory data protection training to prevent similar outcomes.
What can we do for you to ensure staff awareness of data protection obligations?
Under UK data protection law, organisations are required to provide employees with regular data protection training. This ensures that all employees are well-informed about regulatory requirements and are capable of identifying and minimising data breach risks. It also enables organisations to equip their employees with the knowledge and skills needed to comply with data protection principles.
If you have any queries or would like further information on how BDO can support your organisation with your employee data protection training needs, please visit our data protection services section or contact Christopher Beveridge.