Training That Actually Changes Behaviour
Written by Data Protection People
Many organisations invest significant time and resources into data protection training, yet still experience avoidable breaches, poor compliance decisions, and low staff engagement. In this article, we explore why traditional training approaches often fail to change behaviour and discuss practical strategies for creating training programmes that genuinely influence how people handle personal data. Drawing on insights from a recent episode of the Data Protection Made Easy podcast, we examine the importance of practical learning, leadership buy-in, ongoing awareness, and measuring success beyond completion rates and quiz scores.
Data protection training is often treated as a compliance requirement, something that must be completed, recorded, and repeated each year. But if training does not change how people behave in practice, has it really worked?
Data Protection Made Easy Podcast
Episode: Training That Actually Changes Behaviour
Hosted by: Caine Glancy & Catarina Pereira dos Santos
In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed what makes data protection training effective, why so much training fails to influence day-to-day behaviour, and how organisations can move beyond tick-box learning.
The discussion focused on a key point that many organisations will recognise: completing a training module is not the same as understanding how to apply data protection in real situations. Attendance, quiz scores, and completion rates may show that training has taken place, but they do not always show whether staff know what to do when they handle personal data at work.
Why most data protection training fails
One of the central themes of the episode was the difference between training that informs people and training that changes behaviour. It is relatively easy to explain what the UK GDPR says. It is much harder to help staff understand what that means for their own role, their own systems, and the real decisions they make every day.
Caine explained that training cannot simply be a case of telling people what the law says and expecting them to translate that into practical action. Different people learn in different ways, and the best trainers are able to make complex information understandable to a wide range of audiences.
Effective training should leave people knowing what they have learned, why it matters, and how to apply it in practice.
This is particularly important in data protection because staff are not usually dealing with abstract legal principles. They are responding to emails, handling subject access requests, sharing information, using systems, speaking to customers, managing records, and making judgement calls. If training does not connect directly to those situations, it is unlikely to influence behaviour when it matters most.
Training should not be measured by completion alone. Organisations need to consider whether staff can recognise risks, make better decisions, and apply data protection requirements confidently in their daily work.
Moving beyond tick-box compliance
Catarina highlighted a common issue with traditional training: organisations often focus on whether someone attended the session, clicked through the slides, or passed the quiz. Whilst these records have value, they do not necessarily prove that training has been understood or applied.
For example, a member of staff may complete annual training and achieve a strong quiz score, but still repeatedly send emails to the wrong recipient, fail to recognise a personal data breach, or misunderstand when a data subject access request has been received. In that situation, the training record may look positive, but the behaviour has not changed.
This is why effective data protection training must be practical, relevant, and supported by ongoing awareness. It should help people understand the risks they are most likely to face and give them the confidence to act appropriately when those risks arise.
Practical training creates lasting change
Throughout the discussion, both hosts emphasised the importance of making training practical. Whilst understanding the legal framework is important, real learning happens when people can apply that knowledge to realistic situations.
This is why interactive exercises, real-world scenarios, workshops, and practical demonstrations are often far more effective than simply presenting information. When individuals actively participate in training, they are more likely to remember it, discuss it with colleagues, and apply it when similar situations arise in the workplace.
Subject access requests provide a good example. Rather than simply explaining the legislation, trainers can ask participants to review a request, identify relevant information, apply exemptions, and consider how they would respond. By working through realistic examples, staff gain confidence and develop practical skills that can be used immediately.
People rarely remember every slide from a training session, but they often remember the scenarios they worked through themselves.
Practical learning also creates opportunities for discussion. Staff can ask questions, challenge assumptions, and relate the topic directly to their own role. This often reveals misunderstandings that may otherwise go unnoticed until an incident occurs.
Why one-size-fits-all training rarely works
Another key theme from the episode was the need to tailor training to the audience. Different teams interact with personal data in different ways, which means their risks, responsibilities, and training needs are often very different.
The information that an HR team requires may be very different from what a marketing team, IT department, customer service team, or senior leadership group needs to understand. Delivering exactly the same training to every employee may be efficient, but it is not always effective.
Staff are far more likely to engage when they can clearly see how the content applies to their day-to-day responsibilities. Relevant examples, department-specific risks, and practical guidance make it easier for individuals to understand why the training matters to them personally.
Consider whether different teams within your organisation would benefit from tailored examples, role-specific guidance, or dedicated workshops rather than relying solely on generic annual refresher training.
The role of the trainer
The conversation also explored an often-overlooked factor in successful learning: the trainer themselves.
Even the best training materials can fall flat if they are delivered without enthusiasm, engagement, or practical insight. Effective trainers bring energy to the subject, encourage participation, and help learners understand why the topic matters.
Importantly, this does not mean every trainer needs to have the same personality. Some are naturally more outgoing than others. What matters is demonstrating genuine passion for the topic and creating an environment where people feel comfortable asking questions and sharing experiences.
People are far more likely to engage with training when they can see that the trainer understands the challenges they face and is focused on helping them succeed rather than simply delivering information.
Training alone is not enough
One of the most important points raised during the discussion was that training should never be viewed as a one-off activity. Completing an induction session or annual refresher course is only one part of developing a strong data protection culture.
People forget information over time. New risks emerge. Processes change. Staff move into new roles. Organisations that rely solely on annual training sessions often find that important lessons are forgotten long before the next refresher arrives.
This is where awareness activities become critical. Regular communications, team discussions, newsletters, posters, brief reminders, and ongoing conversations all help reinforce key messages and keep data protection visible throughout the year.
A strong data protection culture is built through continuous reinforcement, not a single annual training session.
Awareness should also be relevant. Rather than simply distributing generic messages, organisations should use real examples, common mistakes, recent incidents, and practical guidance that staff can immediately relate to. This helps create an environment where data protection becomes part of everyday decision-making rather than something people only think about during training.
Leadership sets the tone
Creating meaningful behavioural change requires more than just good trainers and engaging content. Leadership support plays a significant role in determining whether training succeeds or fails.
When senior leaders actively support data protection initiatives, attend training, discuss compliance openly, and reinforce expectations, employees are more likely to recognise the importance of the topic. Conversely, if leadership treats training as a box-ticking exercise, staff are likely to adopt the same attitude.
Managers also have an important role to play after training has been delivered. They are often best placed to reinforce learning, answer questions, identify areas where additional support may be required, and encourage good practices within their teams.
Data protection culture is far easier to establish when managers and senior leaders actively participate in awareness activities and demonstrate that compliance is a shared organisational responsibility.
Measuring success differently
Many organisations measure training success using attendance figures, completion rates, or assessment scores. Whilst these metrics can provide useful information, they only tell part of the story.
The real question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to incorrect recipients? Are teams identifying subject access requests sooner? Are managers asking better questions about privacy risks before projects begin?
These behavioural indicators often provide a far more accurate picture of whether training is having a meaningful impact. They demonstrate whether learning has moved beyond theory and become embedded in day-to-day operations.
Organisations that focus solely on completion statistics risk missing the bigger picture. Successful training programmes should ultimately be judged by the decisions people make, not simply the certificates they receive.
Key takeaways
- Training should focus on changing behaviour, not simply achieving completion rates or passing quiz scores.
- Practical exercises, real-world scenarios, and interactive discussions are often more effective than purely theoretical learning.
- One-size-fits-all training rarely delivers the best results. Different teams have different risks, responsibilities, and learning needs.
- Training should be supported by ongoing awareness activities that keep data protection visible throughout the year.
- Leadership engagement plays a crucial role in building a positive data protection culture and encouraging accountability.
- Success should be measured by behavioural improvements and reduced risk, not solely by attendance records and certificates.
Caine Glancy & Catarina Pereira dos Santos
As experienced data protection practitioners, Caine and Catarina regularly deliver training and awareness programmes to organisations across a wide range of sectors. Their focus is on helping organisations move beyond compliance exercises and develop practical data protection cultures that support long-term behavioural change.
Looking to improve your organisation’s training and awareness programme?
Whether you need GDPR awareness training, role-specific workshops, leadership sessions, or ongoing support to strengthen your compliance culture, our consultants can help.
