Data is Risky Business: Training is More Than a Monkey with Bad PowerPoint

15-SEPCOL03OBRIEN-edI’m wearing my grumpy curmudgeon hat again this month. The Irish Computer Society recently published survey results from their annual Data Protection survey which was carried out in Ireland in Q4 2015.

The key headlines that made me sit up and take notice:

  • 56% of organizations said that staff received the right level of training to meet the organization’s objectives. Yet,
  • 45% of respondents still claimed employee negligence was the biggest threat.

So, the majority of organizations think their staff are very well trained, but their staff remains the biggest threat for almost as many respondents.

This raises some key questions that are relevant to any organization interested in Information Governance, Data Privacy, Information Quality, or any of the related disciplines:

  1. On what basis do organizations determine if their staff is “very well trained?”
  2. If there is a basis for determining that staff are “very well trained,” how do organizations explain how large numbers of staff still don’t have a clue?

The answers to these questions actually have nothing to do with the statistics presented. They have to do with the way in which organizations manage training and invest in it.

How Things Tend to Happen…

I get these calls/emails all the time. “Hello, we want training in data privacy for twenty staff. We think this should take about two hours and we want them to be ‘top guns’ when finished. Oh… and our budget is X.” I don’t respond to these. I don’t respond because the organization clearly has no idea what their objectives are from the training, other than to tick a box that they have had some training.

Usually the budget is insufficient to cover the costs of producing and delivering the training to the standards my company sets. After all, my team and I are all qualified educators and we follow a formal quality assurance framework for developing our training. Part of that is ensuring the training is fit for the purpose of the client. I’d rather not have the gig than be associated with bad quality material or training.

How Things Should Happen…

The best calls and emails I get are from clients who start like this: “We are trying to get some training in Data Protection. We want to make it effective for our teams. How can you help?” These emails and calls are the ones that I invest some time in. These organizations either have a clear idea of their required objectives from the training, or they have at least recognized that there needs to be some clear goals. And they are willing (at least for now) to invest time in getting the right product.

If we can get to the discussion about objectives, we can begin to begin to define measurable characteristics for the training to assess if it has actually been effective. In Castlebridge, we use the Kirkpatrick model for training effectiveness. At the bottom of the hierarchy is the “happy sheet.” At the top is whether the training has actually lead to a consistent and repeatable change in behavior. That requires the organization to define what the change in behavior needs to be.

From there, effective training can be developed for the client, with agreed metrics for assessing effectiveness.

Strangely, clients seem to like the idea of being able to measure the ROI on their training.

And the Survey Says…

Looking back at the survey results, it is clear to me that we can restate these results:

  • 56% of organizations may not have identified correctly the right level of training to meet their objectives
  • 45% of organizations do not have a measurable impact on employee behavior as a result of the training.

So… they are either training the wrong people, training the wrong stuff, or doing the training wrong.

Quality of Training – A Three-Pronged Pitchfork

The quality and effectiveness of training is a three pronged pitchfork in my experience. Organizations need to look to:

  1. The quality of the trainer and their delivery: do they have the skills in the subject matter and the ability to actually deliver content in an engaging way that keeps attention?
  2. The quality of the training materials: are they engaging? Comprehensive? Appropriately targeted to the audience and their ability level? There is zero point delivering CEO level Data Privacy training to an elementary school class (but then again…..)
  3. The quality of the defined learning objectives for the training against which the trainer and learners will be evaluated.

If any of these three is missing, the training will not be effective. In a large number of training courses we’ve quality reviewed for clients, number 3 is usually missing (off the shelf cookie cutter training), number 2 is often deficient (no tailoring of content to the audience), and number 1 can be a crap shoot.

What Inspired this Article?

Blame management guru Tom Peters. Bob Seiner reminded me I had a deadline and I had nothing on the page. Then Tom Peters started tweeting about training quality and I found I had to agree with every syllable.

Tom’s tweets left me with a few great takeaways for how to value and evaluate training and training ROI:

If the value of training per hour is less than the cost of lost time per hour, then you have truly shit training” – Tom Peters (

There is ZERO sense in measuring the “value” of training until you have carefully assessed the quality of the training” – Tom Peters (

Frankly it is simple. You do great training because if you do you make a lot of money. And, if you disagree, you’re an idiot” – Tom Peters

The Takeaways

So… what can we take away from all of this curmudgeonly ranting?

  1. It is essential in any information governance related domain to properly and effectively plan for and measure the effectiveness of training.
  2. If an organization hasn’t clearly defined and measured the objectives for training it will be possible to tell a survey you have the right level of training while at the same time continuing to have chronic knowledge and skills gaps and bad working practices.
  3. Organizations that skimp on the training budget or don’t plan training into their Information Governance roll outs are idiots because training helps to make and save money (there is academic research on the cost savings arising from even a small amount of data quality training).
  4. Effective training needs to be quality assured. Quality materials need to address the audience, quality trainers need to be able to deliver effectively and (where necessary) improvise around the material to make it relevant. Effectiveness of learning starts with quality of training.
  5. Training is only worth doing if the change in behaviors that result from the learning experience add value greater than the cost of keeping people from their day jobs. Crummy training is unlikely to meet that test.

Finally, there is a reason why trainers who focus on effectiveness of learning rather than efficiency of delivery are sometimes more expensive. It’s the same reason that a fine wine is often more expensive than grape juice mixed with rubbing alcohol – the experience and the return on investment is usually better.

There is more to effective training than a someone flicking through bad PowerPoint in a conference room.

As Deming said:

Never award business on the basis of price tag alone.”

Share this post

Daragh O Brien

Daragh O Brien

Daragh O Brien is a data management consultant and educator based in Ireland. He’s the founder and managing director of Castlebridge. He also lectures on data protection and data governance at UCD Sutherland School of Law, the Smurfit Graduate School of Business, and at the Law Society of Ireland. He is a Fellow of the Irish Computer Society, a Fellow of Information Privacy with the IAPP, and has previously served on the boards of two international professional bodies. He also is a volunteer contributor to the Leaders’ Data Group ( and a member of the Strategic Advisory Council to the School of Business in NUI Maynooth. He is the co-author of Ethical Data & Information Management: Concepts, Tools, and Methods, published in 2018 by Kogan Page, as well as contributing to works such as the DAMA DMBOK and other books on various data management topics.

scroll to top