The aim of the STAR project is to contribute to fostering the harmonisation of training activities on the General Data Protection Regulation (GDPR), to ensure that the goal of unifying data protection at European level is not undermined by scattered training of operators in the public and private domains. As the first step is to overview the requirements for training materials, existing training practices and the training materials available in this domain, the STAR consortium partners conducted a series of semi-structured, qualitative interviews with
- a) senior representatives of several Member States’ DPAs,
- b) DPOs, data protection experts, and other stakeholders, and
- c) other stakeholders who do not hold training responsibilities, but who were able offer additional perspectives
between January and April 2018. Furthermore, the consortium collected existing training materials that the research consortium obtained from the interviewees and by carrying out extensive research on the DPA websites, as well as on the websites of other organisations that provide GDPR training services. In total, the consortium was able to interview 17 DPAs, including two German State DPAs (Landesbeauftragter für Datenschutz), 15 DPOs and data protection experts who are in charge of training activities in their organisations, other stakeholders without training responsibilities, such as civil servants and similar officers, as well as a DPO organization. On top of these interviews, a total number of 87 sample training materials have been collected and catalogued by the consortium, and a sample of 60 of such documents have been analysed and evaluated.
The aim of these activities was to inform the requirements for training materials and provide the consortium with an overview of existing training practices and the training material available in this domain.
A key finding of the interviews is that the approach and points of view of DPAs and other stakeholders diverge in terms of substantive training as much as they do with regard to the current and prospective training methodologies. On the one hand, authorities tend to deliver (and consider most important to deliver) more institutional, theoretical training on the GDPR, aimed at creating in trainees a clear picture of the legal framework in which both regulators and regulated operate. On the other hand, other stakeholder trainers, in particular those who provide training for a profit, tend to focus on more operative aspects, such as procedures and methods to comply with the GDPR provisions.
In terms of training methodologies, face-to-face, in-class training is preferred both by DPAs and by other stakeholders, but they are interested in technologies that allow trainers to reach a higher number of stakeholders, such as webinars to train all employees of a certain company, or videos for the general public. The target of the training however differs, as the drivers and ultimate goals of DPAs and other stakeholders also differ.
In terms of existing training materials, practices also vary, with a strong focus on general slides and not functional guides and checklists. As this deliverable shows, this best-practices-mapping exercise allowed the consortium to identify several aspects worth considering, such as necessary graphic elements, a serious need to pay attention to accessibility, and similar aspects.
These findings are explained in details in Deliverable 2.2 Report on the findings of the interviews.