GDPR training: How to segment learning for maximum impact

Posted on Jan 04, 2018

Learning strategies

Games & gamification

Tick tock, tick tock. The calendar has flipped over from 2017 to 2018, which means that GDPR is no longer that distant challenge to worry about “next year”. If your organisation has been putting off addressing the challenge until this year, then now is the time for action!

GDPR – the key facts

The EU’s General Data Protection Regulation comes into force on 25 May 2018. Its impact is global because it doesn’t just apply to organisations within in EU. It also applies to those outside EU, but which offer goods and services to people within the EU. In the UK, it replaces the existing Data Protection Act.

GDPR tightens up existing regulations and introduces new ones. It covers data kept in both manual and automated storage. 

A serious breach could lead to fines of up to 4% of global turnover or €20 million, whichever is greater. There are also significant penalties for failing to notify a breach.

There is more in-depth information about GDPR in an earlier insight, which also has some useful links. And we’ve also produced a handy list of 7 things to do now on GDPR.

Ready, or not?

A recent survey paints a picture of organisations being unready or of over-estimating their readiness. The study looked at 57 different surveys of UK firms and found that as late as Q3 in 2017, some 70% stated they had a degree of preparedness. Of those, however, only 15% said they were “very prepared”. That’s 85% that admit they aren’t very prepared!

And yet, breaches are on the increase, with 54% of UK businesses saying they expect an incident in the next 12 months.

The fact is, many firms feel overwhelmed by GDPR and don’t know where to start. Well, a good place to start is employee compliance. The key to 100% staff coverage is to deliver the appropriate training to two different groups: high risk data users, and the general workforce.

High-risk - tailored blend

Bespoke, blended learning is excellent for embedding knowledge because, when designed well, it becomes part of everyday working. The impact of this deep knowledge training is that it constantly re-enforces key information without being boring.

A blended learning programme has added value when strong branding is incorporated, as it helps to actively engage employees. Because GDPR will evolve and change over time, the blend would also need a continuous learning element.

General workforce - learning game

Most employees will require just the GDPR basics, so that they are aware of the risks they might encounter and will be able to correctly identify them to prevent potential breaches happening.

In response to the GDPR challenge, Sponge UK has designed and produced a GDPR game, using the knowledge of GDPR experts. GDPR – Sorted! gets the core regulations across in an engaging and memorable way, using tried and trusted methods and bringing together both game design and learning design.

The game is experiential with scenarios, so staff do the learning and can see, without risk, the consequences of their choices. It can be re-played in part or in full, so the learner can practice and re-learn. And it can be played on a device or a desktop.


Employee training is critical to being GDPR-ready and the good news is that there is still time – just! One thing’s for sure: organisations who don’t train staff will receive little sympathy from the regulators in the event of a breach. Can you afford not to be ready?

Pre-order: GDPR - Sorted!

The GDPR training game that's simple to play and easy to learn