Training That Actually Changes Behaviour, Why Effective Data Protection Training Goes Beyond Compliance

Data protection training is often treated as a compliance exercise, something that must be completed, recorded and repeated each year. However, as discussed during a recent episode of the Data Protection Made Easy podcast, training only delivers real value when it changes behaviour.

Hosted by Caine Glancy and Catarina Pereira dos Santos, the session explored why traditional training approaches often fail to influence day-to-day decision-making and what organisations can do to create lasting behavioural change.

Whilst completion rates and quiz scores may demonstrate that training has taken place, they do not always show whether employees understand how to apply data protection principles in real situations. The discussion highlighted the importance of moving beyond tick-box compliance and creating training that is practical, engaging and relevant to the people receiving it.

If your organisation is looking to strengthen its data protection culture, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help build awareness, confidence and compliance across your organisation.

Why most data protection training fails

One of the key themes from the discussion was the difference between providing information and creating behavioural change.

Whilst it is relatively straightforward to explain the requirements of the UK GDPR, helping people understand how those requirements apply to their daily responsibilities is often far more challenging.

Catarina explained that effective training cannot simply focus on theory and legal requirements alone, stating: “It needs to be practical. It needs to be a thing that’s practical and achievable for everyone.”

Employees deal with personal data every day through emails, customer interactions, records management, Subject Access Requests and information sharing. If training does not connect directly to these activities, it is unlikely to influence behaviour when it matters most.

Why behavioural change matters

Successful training should not be measured solely by attendance records or assessment results.

The real objective is to help staff recognise risks, make informed decisions and apply data protection requirements confidently in practice.

As discussed during the episode, organisations should consider whether employees are able to identify personal data breaches, understand when a Subject Access Request has been received and make appropriate decisions when handling personal data.

Catarina highlighted the challenge many organisations face when measuring success, commenting: “On the measuring of the training side of things, actually I’m a superstar. I’ve passed it, I’ve done it on a regular basis.”

Without these practical outcomes, even the highest completion rates may provide a false sense of confidence.

Moving beyond tick-box compliance

Training records may show that staff have attended sessions, completed e-learning modules and passed assessments, but this does not necessarily mean that knowledge has translated into action.

An employee may achieve a strong quiz score yet continue to make avoidable mistakes, such as sending information to the wrong recipient, failing to recognise a personal data breach or misunderstanding their responsibilities under data protection legislation.

This is why effective training must focus on practical understanding rather than simply demonstrating attendance.

As Catarina explained: “What actually changes the behaviour is not just the records.”

Organisations should aim to create learning experiences that help employees understand the risks most relevant to their role and provide them with the confidence to respond appropriately when those situations arise.

Practical training creates lasting change

Throughout the discussion, both hosts emphasised the value of practical learning.

Interactive workshops, scenario-based exercises and practical demonstrations often deliver stronger outcomes than traditional presentation-led training alone.

Catarina highlighted the importance of hands-on learning, explaining: “There is nothing else as doing it in practical.”

Subject Access Requests provide a useful example. Rather than simply explaining the legislation, participants can work through realistic requests, identify relevant personal data, consider exemptions and discuss how they would respond.

People may not remember every slide from a training session, but they often remember the situations they worked through themselves.

Caine reinforced this point, stating: “The best training is when you can get people talking and you can get them thinking about it afterwards.”

Why one-size-fits-all training rarely works

Another important topic covered during the episode was the need to tailor training to different audiences.

Different teams interact with personal data in different ways, which means their risks and responsibilities are often very different.

The information required by Human Resources teams may differ significantly from the needs of Marketing, IT, Customer Service or Senior Leadership teams.

Caine explained: “You’ve got to know who you’re talking to.”

He went on to emphasise the importance of role-specific training, adding: “What they need to know is what’s going to relate to their role.”

Employees are more likely to engage when they can clearly see how the content relates to their day-to-day responsibilities. Using department-specific examples and practical scenarios helps make training more relevant and memorable.

The role of the trainer

The conversation also explored an often-overlooked factor in successful learning, the trainer themselves.

Even well-designed training programmes can struggle to engage learners if they are delivered without energy, enthusiasm or practical insight.

Caine explained: “Training is only really as good as the person who is delivering it.”

Effective trainers help participants understand why data protection matters, encourage discussion and create an environment where people feel comfortable asking questions.

Importantly, successful delivery is not about personality alone. It is about demonstrating genuine passion for the topic and helping learners understand how the subject applies to their own experiences and challenges.

As Caine highlighted: “You have to bring energy and you have to bring excitement to the topic to make them care about it.”

Training alone is not enough

One of the most important takeaways from the episode was that training should not be viewed as a one-off event.

Catarina stressed this point, explaining: “The training is not just a one time thing.”

People forget information, processes change and new risks emerge. Organisations that rely solely on annual refresher training often find that important messages fade long before the next session takes place.

Regular communications, awareness campaigns, newsletters, posters, team discussions and practical reminders help keep data protection visible and relevant.

Catarina explained: “You should be expecting to have awareness campaigns, posters, sending emails, newsletters in a constant way.”

A strong data protection culture is built through continuous reinforcement rather than a single annual training session.

Leadership sets the tone

The episode also highlighted the importance of leadership involvement.

When senior leaders actively support data protection initiatives, attend training sessions and reinforce key messages, employees are more likely to recognise the importance of compliance and good information governance.

Caine explained the value of leadership engagement, stating: “If you can get the buy-in from them, it will always trickle down.”

Managers also play an important role in embedding learning after training has taken place. They are often best placed to reinforce expectations, answer questions and identify areas where additional support may be needed.

Creating meaningful behavioural change requires commitment from every level of the organisation.

Measuring training success differently

Many organisations continue to measure training success through attendance figures, completion rates and assessment scores.

Whilst these metrics provide useful information, they only tell part of the story.

The more important question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to the wrong recipients? Are Subject Access Requests being identified earlier? Are teams considering privacy risks at the start of projects rather than after problems occur?

These indicators often provide a much clearer picture of whether training is having a meaningful impact.

As Catarina highlighted throughout the discussion, meaningful success is demonstrated through practical outcomes rather than training records alone.

Creating training that delivers real results

The discussion reinforced a simple but important message. Effective data protection training is not about achieving compliance for compliance’s sake. It is about helping people understand their responsibilities and giving them the confidence to make better decisions when handling personal data.

Caine summarised one of the key principles discussed during the session, stating: “Training can never be one size fits all.”

Organisations that focus on practical learning, ongoing awareness, tailored content and strong leadership support are far more likely to create lasting behavioural change.

For organisations looking to strengthen their approach, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help create effective training programmes that move beyond compliance and support a stronger data protection culture.

---

Frequently Asked Questions About Data Protection Training

Why is data protection training important?

Data protection training helps employees understand how to handle personal data correctly, recognise risks, identify potential breaches and comply with data protection legislation.

How often should staff receive data protection training?

Most organisations provide annual refresher training, but ongoing awareness activities throughout the year are equally important to reinforce learning and maintain good practices.

What makes data protection training effective?

Effective training is practical, relevant to the audience, interactive and supported by ongoing awareness activities that reinforce key messages.

Should different teams receive different training?

Yes. Different departments face different risks and responsibilities. Tailoring training to specific roles often improves engagement and learning outcomes.

How can organisations measure whether training is working?

Rather than focusing solely on attendance and completion rates, organisations should look for behavioural indicators such as improved incident reporting, reduced errors and stronger awareness of data protection responsibilities.

Can training alone create a strong data protection culture?

No. Training is only one part of the solution. Ongoing awareness, leadership support and regular reinforcement are all essential for creating a strong and sustainable data protection culture.