GDPR requires everyone in the organisation to have the correct training in regard to dealing with personal data.

It is up to management staff to provide appropriate initial and refresher training, including: 

• Responsibilities as a data controller under GDPR
• Staff responsibilities for protecting personal data
• Proper procedures to identify callers
• The dangers of people trying to obtain personal data by deception
• Any restrictions to the personal use of systems and devices