Outsourced DPO: Training made interesting!

By Phil Brining

Very interesting but here is tomorrow’s blog… not feeling as inspired this week!

The Outsourced DPO passes the bomb…

The Outsourced DPO has been out and about delivering training this week which has been rather fun and a refreshing change in that you can generally finish a day without acquiring any new actions!

The early part of the week was spent running 90-minute classroom sessions about the GDPR and how it affects the client’s operations – a social housing provider in Sussex, and mid-week it was a detailed look at managing processors, data sharing arrangements and disclosures in Surrey.

I rather like doing data protection training – sure it requires an awful lot of preparation but it’s good fun and I like injecting a bit of interaction into the proceedings to make data protection law a bit less daunting and dry. And so this week I have played “Breach or No Breach” complete with interactive flash cards which is turning out to be a good little game, “Pin the processor on Eeyore’s behind” – processors on one cheek, data sharing on the other, and “Pass the Bomb” – a pretty good ice breaker to get the group in the zone and the session motoring, repurposing parts of a game my children used to play when they were younger.

Of course providing training about the GDPR is necessary and useful, but I think the key to making a difference is to provide training in how to work within the policy framework set out by the client organisation and how to operate the procedures that they have implemented. Our ultimate goal in providing training is not just to impart knowledge – the long-term aim is to change behaviour and culture.

I often recount the tale of turning up at a client site early one morning and taking note of 20 white sacks of confidential waste – 60% or so of which were open – sitting by the front door in reception awaiting collection by the waste contractor and then noting that they were still in the same place when I left late in the afternoon. “Most of these bags are open Jamie”, I said to my host, “whose responsibility is it to make sure the confidential waste bags are sealed?” “Well it’s mine Phil”, said Jamie, “only I have been with you most of the morning so I’ve not been able to deal with them.” I put my hand into one of the sacks (as you do) and pulled out several sheets of neatly typed A4 sheets documenting an HR meeting dealing with a staff complaint about a colleague. “But Jamie”, I said, “surely it is everyone’s responsibility? It could be their personal data which is left lying around like this.” What seemed obvious to me clearly hadn’t registered with the employees of this particular company.

So while we talk in training sessions about the principle of restricting access to information et al. – why is it that there is often a gap between nodding in the training session and applying the principle in the workplace?

Philip Brining

14 December 2018



We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

We know that these kinds of calls can be distressing and intrusive and you have our sympathy. Please do not hesitate to contact us if you would like to discuss it with us; otherwise we’d encourage you to report it to the ICO, as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary. You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

Data Protection People Limited – March 2021