The GDPR requires that organisations take “appropriate and effective measures” to comply with the Regulation, and be able to demonstrate their compliance and the effectiveness of their measures (Recital 74). Although there is no explicit statement addressing compulsory workforce education within the legislative text, it is axiomatic and widely accepted that “appropriate technical and organisational measures” must include providing staff with an understanding of their data protection responsibilities and how to carry them out. Inadequacies of workforce education have been cited in decisions and enforcement actions taken by Data Protection Authorities across the EU and in the UK.