Privacy Training, Awareness and Competence Policy

The Privacy Training, Awareness and Competence Policy defines how an organization manages privacy training within its Privacy Information Management System. Its purpose is to ensure that people whose work affects PII processing understand their responsibilities, complete training on a defined cadence, maintain role-relevant competence, and produce auditable evidence of training, awareness, and escalation. The policy applies across controller, joint controller, processor, and subprocessor contexts, making it relevant for organizations that handle PII directly as well as those acting on customer instructions or through third-party processing arrangements. The scope is intentionally broad and operational. It applies to personnel, contractors, temporary personnel, relevant third parties, processors, subprocessors, and other interested parties whose work can affect PII processing, PII principal rights, privacy risk, information security related to PII, processor instructions, privacy incidents, documented information, or compliance evidence. The policy covers privacy training audience identification, onboarding training, annual refresher training, role-based and event-triggered training, training completion evidence, non-completion escalation, training effectiveness review, and processor, subprocessor, and third-party training assurance evidence. A central feature of the policy is its evidence model. It states that a separate training matrix, dashboard, competence register, disciplinary register, or customer training register is not created. Instead, training assignments, completions, reminders, competence evidence, and awareness evidence are recorded in REG11. Exceptions, escalations, nonconformities, corrective actions, and review evidence are recorded in REG12. Processor, subprocessor, and third-party training assurance evidence is recorded in REG08 where relevant, while incident lesson input may be linked through REG10. This approach helps keep privacy training traceable without duplicating registers or creating unnecessary administrative overhead. The policy establishes specific training cadences and triggers. Baseline privacy awareness training must be assigned within 10 business days of onboarding for personnel with access to PII or PIMS responsibilities, and personnel must complete onboarding privacy training before unsupervised access to PII is approved or within 30 days of onboarding, whichever occurs first. Annual privacy refresher training must be assigned at least once every 12 months. Targeted refresher training is required within 30 days after a material privacy policy change, material PIMS process change, audit finding, recurring training failure, or relevant PII incident lesson. Role-based training is also required before personnel take on responsibilities involving lawful basis, notices, consent, PII principal rights, DPIAs, retention, sharing, international transfers, privileged access, security administration, logging, monitoring, or incident support. Governance and enforcement are built into the policy through defined responsibilities, monitoring, and escalation. The Privacy Lead / PIMS Manager maintains training content, assignments, completion evidence, acknowledgements, and effectiveness evidence. Process Owners support completion for personnel under their responsibility, System Owners verify training before approving privileged or high-impact PII system access, and Vendor / Procurement Owners maintain training or equivalent assurance evidence for suppliers, processors, subprocessors, and external workforce members. The policy requires quarterly review of completion, overdue training, role-based assignments, and exceptions, with unresolved evidence gaps reported before management review. Internal Audit / Compliance Reviewers sample REG11 and REG12 evidence according to the approved audit plan, supporting continual improvement and certification-ready accountability.