Do I need to train my team about data protection – what does the ICO say in 2025?

If you handle personal data in your organisation, you’ve probably asked yourself: am I legally required to train my staff on data protection? The answer from the Information Commissioner’s Office is straightforward—yes, you are. But the practical side of that obligation is less obvious. Who exactly needs training? What should it cover? How do you prove you’ve done it?

This article breaks down what the law requires, what the ICO expects, and how to approach training in a way that actually protects your organisation.

Why Data Protection Training Matters in 2025

The Data (Use and Access) Act 2025 received Royal Assent in June 2025 and is being brought into force in stages. It does not create a new training obligation, but it leaves the UK GDPR accountability principle intact and sharpens the question the ICO will ask: can you show you have taken appropriate measures to protect personal data?

Training is how you prove it. The ICO consistently points to lack of training as a factor in data breaches. When staff don’t know what personal data is, how to handle it securely, or what to do when something goes wrong, breaches happen. Training prevents those mistakes.

The legal requirement post-DUAA

Article 5(2) of UK GDPR states that controllers must “be able to demonstrate compliance” with the data protection principles. That’s the accountability principle—it’s not enough to comply, you must prove you comply.

Training staff is one of the main ways you demonstrate accountability. The ICO’s framework explicitly lists “training and awareness” as a necessary measure. No training records means no proof of compliance.

The ICO’s Position on Training Requirements

Article 29 of UK GDPR is clear: any person acting under the authority of the controller (or of a processor) who has access to personal data must not process it except on the controller’s instructions. Article 32(4) repeats the point as a security obligation: the controller and processor must take steps to ensure that anyone acting under their authority with access to personal data processes it only on those instructions.

The ICO’s interpretation is direct. According to their accountability framework:

“You should ensure that anyone acting under your authority who has access to personal data does not process personal data unless you instruct them to do so.”

You can’t instruct someone who doesn’t understand what you’re instructing them to do. Training is how you meet this legal requirement.

“Anyone acting under your authority” principle

This phrase covers more than employees. It includes:

  • Temporary staff
  • Contractors
  • Volunteers
  • Anyone who processes personal data on your behalf

The law doesn’t distinguish by contract type or hours worked. If someone has access to personal data, the training requirement applies.

Training as an accountability measure

The ICO views training as both prevention and evidence. Well-trained staff are less likely to cause breaches. Training records show you’ve taken your obligations seriously.

You need to document:

  • What training was provided
  • Who completed it
  • When it occurred
  • How you assessed understanding

This documentation can feel bureaucratic, but it serves a purpose—it forces you to think systematically about how knowledge spreads through your organisation.

Who Needs Training?

All staff members

Everyone who handles personal data needs training. The depth and frequency vary by role, but no one is exempt.

Full-time employees

How to structure training:

  • Initial training during induction covering data protection basics and your policies
  • Annual refresher training to maintain awareness and address changes
  • Additional training when roles change or new processing activities begin

Annual refreshers matter because people forget. Regular training prevents knowledge from degrading and keeps data protection front of mind.

Part-time and temporary staff

The law makes no distinction between full-time and part-time staff. The “anyone acting under your authority” principle applies equally to someone working 40 hours a week and someone working 10.

How to check and provide:

  • Include data protection training in all onboarding processes, regardless of contract type
  • Ensure HR systems flag all new starters for training
  • Use online modules that can be completed flexibly
  • Track completion for all staff types

Contractors and volunteers

Contractors and volunteers must be trained if they process personal data. The practical approach depends on the situation.

Best approach: Provide the same core training as employees, modified for their role.

Minimum requirement:

  • Include data protection obligations explicitly in contracts or volunteer agreements
  • Provide clear written instructions on handling personal data
  • Require signed acknowledgment that they understand their responsibilities
  • Ensure they know who to contact with questions

Even at minimum, verify they understand confidentiality, security, and what to do if something goes wrong.

Role-specific requirements

Some roles need enhanced training due to the nature and volume of personal data they handle.

Data Protection Officers

DPOs need specialist knowledge:

  • UK GDPR in detail
  • ICO guidance and enforcement trends
  • Data protection impact assessments
  • International data transfers
  • Emerging technologies and privacy risks

The ICO expects DPOs to maintain expertise through continuous professional development.

HR and IT staff

HR teams handle sensitive data and need training on:

  • Special category data (health information, disciplinary records)
  • Subject access request procedures
  • Retention and deletion requirements
  • Maintaining confidentiality in practice

IT staff control security infrastructure and need training on:

  • Information security measures
  • Breach detection and response
  • Access controls and audit logging
  • Secure data disposal

Marketing teams (including PECR)

Marketing teams must understand:

  • Consent requirements for electronic marketing
  • Privacy and Electronic Communications Regulations (PECR)
  • When legitimate interests apply
  • Cookie compliance and website privacy

Records management teams

Those managing information systems need training on:

  • Retention schedules and legal requirements
  • Secure archiving and disposal
  • Freedom of Information (where applicable)
  • Business continuity and data protection

What Training Must Cover

Data protection basics

Every training programme should cover:

UK GDPR principles (Article 5):

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

What constitutes personal data: Staff must recognise personal data in all forms—names and addresses, yes, but also IP addresses, device identifiers, location data, and any information that could identify someone when combined with other data.

Individual rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

Organisational policies

Connect legal requirements to your specific policies:

Your privacy notices:

  • What you tell customers and staff about data processing
  • How to direct people to privacy information
  • When and how to update notices

Security procedures:

  • Password policies
  • Clean desk protocols
  • Email and communications security
  • Working remotely securely

Breach response:

  • How to recognise a potential breach
  • Who to report to immediately
  • The 72-hour rule: where a breach is likely to result in a risk to individuals, the ICO must be notified within 72 hours of you becoming aware of it (Article 33), and affected individuals must be told without undue delay where the risk to them is high (Article 34)
  • How to contain and mitigate breaches

Role-specific topics

Tailor training to job functions:

Subject access requests: Who can receive them (a valid request can arrive through any channel, not only a dedicated inbox), the one-month time limit (extendable by up to two further months for complex or numerous requests), what must be provided, and the available exemptions.

Data sharing: When it’s permitted, what legal basis applies, how to share securely, when agreements are required.

Information security: Encryption, access controls, physical security, incident response.

Personal data breaches: What constitutes a breach, assessment procedures, notification requirements, documentation.

Does Training Have to Be a Course?

The ICO doesn’t mandate a specific format. What matters is that training is effective and can be evidenced.

Format options

Structured courses (online or in-person) work well because they:

  • Provide consistent content for all participants
  • Enable assessment to verify understanding
  • Simplify documentation of completion
  • Present complex information clearly

You can also supplement with:

  • Email bulletins on specific issues
  • Posters and visual reminders in work areas
  • Lunch-and-learn sessions
  • Quick reference guides
  • Team briefings
  • Privacy tips in newsletters

The best approach combines formal training with ongoing awareness activities. A course provides the foundation; regular reminders keep data protection in mind day-to-day.

Evidence and Documentation

Why keeping records matters

The accountability principle demands evidence. “We provide training” isn’t sufficient—you must prove it.

Good documentation also helps you:

  • Identify gaps in training coverage
  • Plan refresher sessions
  • Demonstrate mitigation if a breach occurs
  • Support your defence in enforcement proceedings

What to document

Keep records of:

Training materials used: Maintain copies of presentations, course content, handouts, and e-learning modules.

Who completed training: Track every individual, including their role and department.

When training occurred: Record dates for initial training and all refreshers.

Assessment results: If you test knowledge (recommended), keep scores and records of follow-up for those who struggled.

Store this information securely and review it regularly to ensure coverage remains complete.
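The review step above is easy to describe and easy to skip. The script below is an added example, not part of the original article or any ICO material: it joins a staff roster to a training log and reports everyone who handles personal data but has no current, passing completion of the core course. The roster, log, course identifier, annual refresh interval, 30-day induction grace period and 80% pass mark are all constructed assumptions; substitute an export from your HR and learning systems and your own policy values.

```python
"""Training-coverage gap check: who handles personal data but has no current
training record. Added example, not from the article; roster, log, interval
and grace period are constructed assumptions to replace with your own data."""
from dataclasses import dataclass
from datetime import date, timedelta

REFRESH_INTERVAL = timedelta(days=365)  # assumption: annual refresher policy
INDUCTION_GRACE = timedelta(days=30)    # assumption: new starters have 30 days
PASS_MARK = 80                          # assumption: assessment pass threshold
CORE_COURSE = "data-protection-core"    # hypothetical course identifier
AS_OF = date(2025, 11, 1)               # review date used by report()


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    contract: str             # employee, temp, contractor or volunteer
    handles_personal_data: bool
    start_date: date


@dataclass(frozen=True)
class TrainingRecord:
    person_id: str
    course: str
    completed_on: date
    score: int


# Constructed sample roster. Contract type is recorded but deliberately not
# used to exempt anyone: the Article 29 duty applies to all of them.
ROSTER = [
    Person("e1", "Asha", "employee", True, date(2023, 1, 9)),
    Person("e2", "Ben", "employee", True, date(2022, 6, 1)),
    Person("t1", "Chloe", "temp", True, date(2025, 10, 20)),
    Person("c1", "Dev", "contractor", True, date(2024, 2, 1)),
    Person("v1", "Eli", "volunteer", False, date(2024, 5, 6)),
    Person("e3", "Fay", "employee", True, date(2021, 3, 1)),
]

# Constructed sample training log (what, who, when, assessment result).
TRAINING_LOG = [
    TrainingRecord("e1", CORE_COURSE, date(2025, 3, 10), 92),
    TrainingRecord("e2", CORE_COURSE, date(2024, 9, 15), 85),
    TrainingRecord("e2", CORE_COURSE, date(2025, 12, 1), 95),  # future-dated entry, ignored
    TrainingRecord("c1", CORE_COURSE, date(2025, 6, 2), 60),   # failed assessment
    TrainingRecord("e3", CORE_COURSE, date(2024, 10, 20), 88),
    TrainingRecord("e3", CORE_COURSE, date(2025, 10, 25), 90),
]


def coverage_gaps(roster, log, as_of, course=CORE_COURSE):
    """Map person_id -> reason for everyone who handles personal data but has
    no passing completion of `course` within REFRESH_INTERVAL of `as_of`."""
    latest_pass = {}
    for rec in log:
        # Only passing completions that had already happened on the review date count.
        if rec.course != course or rec.score < PASS_MARK or rec.completed_on > as_of:
            continue
        prev = latest_pass.get(rec.person_id)
        if prev is None or rec.completed_on > prev:
            latest_pass[rec.person_id] = rec.completed_on

    gaps = {}
    for person in roster:
        if not person.handles_personal_data:
            continue
        done = latest_pass.get(person.person_id)
        if done is None:
            if as_of - person.start_date <= INDUCTION_GRACE:
                gaps[person.person_id] = "new starter: induction training not yet completed"
            else:
                gaps[person.person_id] = "no passing completion on record"
        elif as_of - done > REFRESH_INTERVAL:
            gaps[person.person_id] = f"refresher overdue since {done + REFRESH_INTERVAL}"
    return gaps


def report(as_of=AS_OF):
    """Coverage gaps for the sample data at the review date."""
    return coverage_gaps(ROSTER, TRAINING_LOG, as_of)


if __name__ == "__main__":
    for person_id, reason in sorted(report().items()):
        print(f"{person_id}: {reason}")
```

Two design choices matter for the evidence trail. A failed assessment is treated as no completion at all, so the contractor who sat the course and scored below the pass mark still appears as a gap rather than being counted as trained. And a record dated after the review date is ignored rather than trusted, because a future completion date is a data-entry error, and an audit that accepts it would overstate your coverage.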

Using documentation to demonstrate compliance

When the ICO investigates, training records show:

  • You’ve taken reasonable steps to prevent breaches
  • Your accountability framework is functioning
  • You’ve made mitigation efforts (which can reduce penalties)

Documentation turns training from a claim into provable fact.

Consequences of Not Training Staff

Increased breach risk

Untrained staff are more likely to:

  • Send data to wrong recipients
  • Fall for phishing attacks
  • Misconfigure security settings
  • Delete or lose important data
  • Fail to recognise and report breaches promptly

Each of these can trigger a reportable breach with serious consequences.

ICO enforcement action

The ICO has powers to audit your organisation and assess compliance. They examine whether you’ve taken “appropriate technical and organisational measures” under Article 32 UK GDPR—training is a fundamental organisational measure.

Lack of training appears frequently in enforcement notices as a contributing factor.

Training as a mitigating factor in penalties

When determining fines, the ICO considers whether you’ve taken appropriate measures to comply. Training records demonstrate good faith efforts.

Real enforcement examples:

Transport for London (September 2022) The ICO issued a reprimand after a breach affecting over 5,600 customers. The investigation found “staff members had not received adequate training” on data protection. Inadequate training was explicitly identified as a systemic failing.

Interserve Group Limited (October 2022) Fine of £4.4 million after personal data of up to 113,000 employees was compromised. The ICO found the company “failed to provide adequate training to staff” on information security and phishing awareness. The decision noted that better-trained staff might have recognised the attack earlier.

British Airways (October 2020) Fine of £20 million (reduced from £183 million) following a breach affecting approximately 400,000 customers. The ICO’s investigation found multiple failures, including inadequate security training. The report stated that “a more security-aware workforce” could have helped prevent or detect the attack sooner.

These cases show the ICO examines whether organisations adequately prepared their people to protect data. Training gaps are viewed as organisational failures that contribute directly to breaches.

Conclusion

Training your team is a legal requirement under UK GDPR. The ICO’s position is clear: anyone handling personal data must be properly instructed, and you must be able to prove it.

But training is more than compliance. It’s how you protect the people whose data you hold and reduce the risk of breaches that damage your reputation and result in regulatory action.

The practical steps:

  1. Provide initial training during induction
  2. Run annual refresher training
  3. Tailor content to specific roles
  4. Keep detailed records of who completed what training and when
  5. Supplement formal courses with regular awareness activities

Training doesn’t guarantee perfect compliance—mistakes still happen. But it significantly reduces risk and demonstrates you’ve taken your obligations seriously. That matters both legally and ethically.

If you haven’t reviewed your training programme recently, start now. Assess who has access to personal data, what training they’ve received, and whether you can prove it. Build from there.



Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

