Introduction
One-off data protection training ticks a box. But it doesn’t keep your organisation compliant. Staff forget. Laws change. New threats emerge. The Information Commissioner’s Office knows this, which is why their accountability framework requires refresher training—not just initial training.
The question is: how often? What should it cover? And how do you prove you’re doing it properly? This article explains what the ICO says about refresher training, what’s changed in the UK data protection landscape recently, and how to approach ongoing training in a way that actually protects your organisation.
Why One-Off Training Isn’t Enough
Initial training provides the foundation, but knowledge degrades over time. Research shows that without reinforcement, people forget 50% of new information within a week and 90% within a month. Data protection is complex—staff need regular reminders to retain what matters.
The ICO’s position is direct: “Insufficient or out-of-date refresher training substantially increases the risk of a personal data breach. Staff knowledge diminishes in value and effectiveness if staff do not undergo up-to-date refresher training.”
That’s not just about forgetting principles. It’s about missing changes to the law, failing to adapt to new risks, and allowing bad habits to develop unchecked.
The Changing Data Protection Landscape in the UK
Data protection law in the UK is not static. Recent changes mean what you taught staff two years ago may no longer be current.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and will be phased in between June 2025 and June 2026. While it doesn’t replace UK GDPR or the Data Protection Act 2018, it makes significant changes.
Key changes affecting organisations:
New lawful basis: The DUAA introduces “recognised legitimate interests”—a new lawful basis covering specific purposes like public interest, national security, crime prevention, and safeguarding vulnerable individuals.
Automated decision-making relaxed: Previously, solely automated decision-making with significant effects was generally prohibited. The DUAA permits it with adequate safeguards: informing data subjects, enabling responses, human intervention, and the right to contest decisions.
International transfers simplified: The UK now allows data transfers where protection is “not materially lower” than UK standards—a lower bar than the previous “essentially equivalent” test inherited from EU GDPR.
Complaint handling requirements: Organisations must establish clear data protection complaint processes, acknowledge complaints within 30 days, and respond “without undue delay.”
Child protection emphasis: Online services must explicitly consider children’s needs in their data protection measures.
Marketing changes: A “soft opt-in” approach for charity marketing makes it easier for charities to contact supporters.
What This Means for Training
These aren’t minor technical adjustments. They change how organisations can process data, what they must tell people, and how they handle complaints. Staff trained before these changes need updates.
The ICO is developing new codes of practice for emerging technologies, including edtech and artificial intelligence. As these roll out through 2025-2026, training must reflect new guidance.
The UK’s EU adequacy decision was extended by six months to December 2025 specifically to assess the impact of DUAA on data protection standards. This scrutiny means organisations must demonstrate they’re keeping pace with changes—refresher training is how you do that.
ICO Requirements for Refresher Training
The accountability framework position
The ICO’s accountability framework lists training and awareness as a fundamental organisational measure under Article 32 UK GDPR. It’s not optional.
According to the framework, organisations must:
“Document when staff last received training and maintain complete, up-to-date records.”
This creates an ongoing obligation. It’s not “train once and you’re done.” The framework requires periodic review and updating of training materials and completion of refresher training at appropriate intervals.
The framework also emphasises oversight: assign responsibility for refresher training to your DPO or information governance manager, monitor completion rates, and follow up non-completion.
“At appropriate intervals” explained
The ICO doesn’t specify an exact timeframe. Their guidance states staff must complete refresher training at “appropriate intervals,” leaving it to organisations to determine frequency.
This flexibility is deliberate. What’s appropriate depends on:
- The nature of personal data processed (sensitive data requires more frequent refreshers)
- Staff roles and responsibilities (high-risk roles need more regular updates)
- Changes to legislation or organisational policies
- Breach history (if mistakes are happening, training needs to increase)
- Industry sector and risk profile
The ICO’s refresher training toolkit makes clear: “appropriate intervals” means regularly enough that knowledge doesn’t degrade and staff remain current with changes.
Refresher training for all staff levels
Refresher training applies to everyone with access to personal data, without exception:
All grades, including:
- Senior managers and directors
- Full-time employees
- Part-time and temporary staff
- Contractors and volunteers
The scope mirrors initial training requirements—anyone acting under your authority who processes personal data must receive ongoing training.
Formats can vary
The ICO doesn’t mandate a specific format for refresher training. What matters is effectiveness and evidence.
Acceptable approaches include:
- Formal e-learning courses
- Workshops and briefing sessions
- Email bulletins on specific topics
- Posters and visual reminders
- Quick quizzes or knowledge checks
- Team meetings focusing on data protection
- Updates to policies with sign-off requirements
The best results come from mixing formats. A formal annual course provides structure and consistency. Regular email updates, posters, and short quizzes between annual sessions keep data protection front of mind without training fatigue.
The ICO’s own training modules are available for organisations to use and adapt—free resources covering what personal data is, handling sensitive information, data protection principles, individual rights, exemptions, and the Commissioner’s role.
How Often Should You Refresh?
ICO guidance on frequency
The ICO’s toolkit states that organisations should “periodically review and update training materials” and ensure staff complete refresher training “at appropriate intervals.”
Beyond that, they don’t prescribe a fixed schedule. This isn’t vagueness—it’s recognition that different organisations face different risks.
No fixed legal requirement
UK GDPR contains no statutory requirement for annual, biannual, or any other specific frequency of refresher training. The law requires “appropriate technical and organisational measures” to ensure security (Article 32). Training is one measure. How often you refresh it depends on whether your approach is keeping staff competent.
What they say: “Regularly” and “appropriate intervals”
The ICO’s language is consistent: “regularly,” “periodically,” “at appropriate intervals.” The implication is clear—once every five years isn’t appropriate. Nor is waiting until a breach happens to update training.
The ICO expects organisations to make evidence-based decisions about frequency. If your sector sees frequent breaches, if you process sensitive data, if legislation is changing—you need more frequent refreshers.
Industry best practice
While the ICO doesn’t mandate frequency, industry consensus and data protection professionals recommend clear minimums.
Annual refresher recommended minimum:
Most organisations adopt annual refresher training as standard practice. This aligns with:
- Employment law requirements for other compliance training
- The natural rhythm of organisational planning and budgeting
- The reality that significant changes to law or guidance often occur within 12-month periods
Annual training ensures no staff member goes more than a year without reinforcement. It’s defensible, manageable, and widely recognised as reasonable.
More frequent for high-risk roles:
Staff in roles involving higher risk or greater access to personal data should receive more frequent training—every six months or quarterly, depending on the risk.
High-risk indicators include:
- Regular handling of special category data (health, biometric, criminal offence data)
- Access to large volumes of personal data
- Roles involving international data transfers
- Processing that involves automated decision-making
- Previous history of breaches or near misses in that department
Risk-based approach to timing
The most defensible approach is risk-based:
- Assess risk by role and department: Map who handles what data and the consequences of mishandling it.
- Set baseline frequency: Annual for standard roles, more frequent for high-risk.
- Trigger additional refreshers when:
  - Legislation changes (e.g., DUAA implementation phases)
  - New ICO guidance is published
  - A breach occurs or is narrowly avoided
  - Organisational policies change
  - New processing activities begin
  - Audit findings identify knowledge gaps
This approach shows the ICO you’re thinking systematically about training—not just following a schedule because someone told you to.
Who Needs Different Refresher Schedules?
Standard staff
Annual basic refresher:
Most employees should complete a core refresher course annually covering:
- Data protection principles recap
- Individual rights updates
- Organisational policy changes
- Common breach scenarios and how to avoid them
- What’s changed in the law since the last session
Ongoing awareness campaigns:
Between annual courses, maintain visibility through:
- Monthly email tips on data protection topics
- Posters in common areas highlighting key principles
- Short quizzes (2-3 questions) on recent issues
- Quick updates in team meetings
This combination prevents knowledge decay without creating training overload.
Specialised roles
Certain roles require more frequent and detailed refresher training due to the nature and volume of personal data they handle.
DPOs and information governance managers (every 1-2 years):
Data Protection Officers need continuous professional development to maintain expertise. Refresher training should be more advanced and frequent:
- Specialist courses on emerging issues (AI, biometric data, children’s data)
- ICO guidance updates as they’re published
- Legal developments and case law
- Sector-specific regulatory changes
- Attendance at professional forums and conferences
Annual CPD is standard; some DPOs refresh specific areas more frequently depending on organisational changes.
HR, IT, and Procurement teams:
These functions handle sensitive or extensive personal data routinely.
HR teams should refresh annually on:
- Special category data handling (health, disciplinary, diversity data)
- Subject access request procedures
- Employee data retention and deletion
- Confidentiality in recruitment and dismissals
IT staff should refresh annually on:
- Information security measures and emerging threats
- Breach detection and response procedures
- Access controls and audit logging
- Secure data disposal and system decommissioning
Procurement teams should refresh annually on:
- Data processing agreements with suppliers
- International transfer safeguards
- Due diligence on third-party processors
- Contract terms for data protection compliance
Subject access request handlers:
Anyone regularly processing subject access requests should receive refresher training every 12 months covering:
- Updated ICO guidance on SARs
- Time limits and exemptions
- Identification and verification procedures
- Redacting third-party information
- Complex or vexatious requests
High-risk processing roles
Staff involved in processing that carries higher risk should receive more frequent refreshers—every six months or quarterly.
High-risk processing includes:
- Health and social care records
- Children’s data
- Biometric or genetic data
- Criminal offence data
- Large-scale profiling or automated decision-making
- International data transfers to non-adequate countries
These roles should also receive immediate targeted training when:
- A new processing activity begins
- A breach occurs in their area
- ICO guidance relevant to their work is updated
What Refresher Training Should Include
Refresher training isn’t just repeating the basics. It should update staff on what’s changed and reinforce areas where mistakes commonly happen.
Updates to legislation
DUAA changes in 2025-2026:
As the Data (Use and Access) Act provisions come into force, refresher training must cover:
- New recognised legitimate interests lawful basis—when it applies and how to document reliance on it
- Relaxed automated decision-making rules—what safeguards are now required
- Updated international transfer test—understanding “not materially lower” protection
- Complaint handling obligations—30-day acknowledgment and response procedures
- Child protection considerations for online services
These aren’t optional add-ons. They change how organisations can lawfully process data. Staff need to understand what’s different.
New ICO guidance:
The ICO regularly publishes updated guidance, toolkits, and codes of practice. Refresher training should reflect:
- New sector-specific codes (edtech, AI, biometrics)
- Updated guidance on existing topics (e.g., legitimate interests, cookies, international transfers)
- ICO’s enforcement priorities and recent decisions
Case law developments:
Significant court decisions interpret data protection law. Refreshers should highlight relevant cases and their practical implications—what organisations must now do differently.
Common breach scenarios
Real-world examples make training memorable. Include:
Emailing personal data to wrong recipients:
- How it happens (autocomplete errors, similar names, “reply all”)
- How to prevent it (double-checking, using BCC, delayed send)
- What to do if it happens (immediate containment, breach assessment)
Phishing and social engineering:
- Current tactics attackers use
- How to recognise suspicious requests
- Reporting procedures
Insecure disposal:
- Documents left in bins, printers, or desks
- Unwiped devices
- Proper destruction methods
Unauthorised access:
- Sharing passwords or leaving systems unlocked
- Accessing data without business need
- Weak authentication practices
Use examples from your own organisation where possible (anonymised). If you’ve had breaches or near misses, teach staff what went wrong and how to avoid it.
Organisational policy changes
Refresher training must cover updates to your own policies since the last session:
Changes to privacy notices:
What’s new and why it matters.
Updated security procedures:
New password requirements, multi-factor authentication, remote working policies.
Revised retention schedules:
What must be kept longer or deleted sooner.
New processing activities:
If you’ve started processing data in new ways, staff need to know the rules.
This ensures training reflects how your organisation actually operates, not just generic legal requirements.
New threats and risks
The threat landscape evolves. Refresher training should address current risks:
Ransomware and cyberattacks:
How attacks happen, what to watch for, how to respond.
Remote and hybrid working risks:
Home network security, public Wi-Fi, physical security of devices.
Third-party breaches:
How supplier failures can affect your organisation and what due diligence is required.
Emerging technologies:
If you’re adopting AI, biometrics, or new data analytics, staff need to understand the data protection implications.
Keeping Training Effective
Effective refresher training isn’t just about content—it’s about engagement and retention.
Varying delivery methods
Using different formats prevents training fatigue and reaches different learning preferences.
E-learning modules:
- Consistent content delivery at scale
- Self-paced completion
- Built-in assessments
- Easy tracking and reporting
Workshops and briefings:
- Interactive discussion of complex issues
- Role-specific scenarios
- Immediate questions and clarifications
- Team building around compliance culture
Email updates and posters:
- Quick, digestible reminders
- Timely responses to emerging issues
- Low effort for both organisation and staff
- Reinforcement between formal sessions
Short quizzes:
- Test knowledge without heavy time commitment
- Identify areas where understanding is weak
- Gamification can increase engagement
Mix these approaches throughout the year. An annual e-learning course provides structure; monthly emails and quarterly quizzes maintain momentum.
Measuring understanding
Refresher training should include assessment to verify knowledge is retained.
Assessments and pass marks:
The ICO’s toolkit recommends “a knowledge check with a minimum pass mark” to assess understanding. This:
- Forces engagement (staff can’t just click through)
- Identifies individuals who need additional support
- Provides evidence that training is effective
Set a reasonable pass mark—70-80% is common. Require retakes for those who don’t pass.
Feedback mechanisms:
Ask staff what’s useful and what isn’t. Anonymous feedback after training sessions helps refine content.
Completion monitoring:
Track who has completed refresher training and when. Flag those overdue. Report completion rates to senior management regularly.
Maintaining engagement
Data protection training has a reputation for being dull. Make it relevant.
Updating content regularly:
Refresh examples, scenarios, and case studies each year. Don’t just recycle the same course annually.
Role-relevant scenarios:
Generic training is forgettable. Use examples specific to what staff actually do in their jobs.
Practical examples:
Focus on “what do I do when…” questions:
- What do I do if someone asks for their data?
- What do I do if I accidentally send data to the wrong person?
- What do I do if I’m not sure whether something is personal data?
Practical guidance is more valuable than abstract principles.
Documentation Requirements
Recording refresher completion
The ICO’s accountability framework requires organisations to “document when staff last received training.”
What to record:
- Employee name and role
- Date of refresher training
- Training content or course version completed
- Assessment result (if applicable)
- Next refresher due date
This can be simple or sophisticated depending on your organisation’s size.
Tracking who hasn’t completed
Maintain a current view of who is overdue for refresher training.
Follow-up procedures:
- Automated reminders before training is due
- Escalation to line managers for overdue completions
- Regular reporting to senior management on compliance rates
- Clear consequences for persistent non-completion (e.g., system access restrictions)
The ICO’s toolkit suggests organisations may “consider removing system access” for staff who don’t complete training. This isn’t punishment—it’s a proportionate response to someone who hasn’t demonstrated they know how to handle data safely.
A spreadsheet is fine
Documentation doesn’t require expensive systems.
Simple spreadsheet approach:
A well-maintained Excel or Google Sheets document can record:
- All staff members
- Training completion dates
- Assessment scores
- Next due dates
- Reminders sent
For small organisations, this is perfectly adequate. It’s auditable, updateable, and proves compliance.
Or a complete HR system if you have it:
Larger organisations often integrate training tracking into HR or learning management systems. Benefits include:
- Automated reminders and escalations
- Real-time reporting and dashboards
- Integration with other compliance training
- Easier management at scale
Use what fits your organisation. The ICO cares that you have accurate records, not what software you use.
Evidence for ICO audits
If the ICO investigates or audits your organisation, they will ask for evidence of training.
Be prepared to provide:
- Training materials and course content
- Records showing who completed training and when
- Evidence of how you assessed understanding
- Follow-up actions for those who didn’t complete or didn’t pass
- How often you review and update training content
Complete records demonstrate your accountability framework is functioning. Incomplete or missing records suggest training is an afterthought—a red flag for regulators.
Following up non-completion
Tracking completion is pointless without follow-up.
Effective follow-up process:
- Automated reminder one week before training is due
- Second reminder on the due date
- Escalation to line manager one week after due date
- Report to senior management monthly on overdue staff
- Formal consequences after persistent non-compliance (e.g., restricted access, disciplinary process)
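As an added example (not from the article or the ICO toolkit), a small Python tracker that applies the record fields, risk-based intervals and follow-up stages described above to constructed training records. The staff names, tier interval lengths, pass mark and the DUAA event date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Refresh interval per risk tier, following the article's baseline: annual for
# standard roles, six-monthly or quarterly for high-risk roles (day counts assumed).
INTERVAL_DAYS = {"standard": 365, "high": 182, "critical": 91}
PASS_MARK = 70  # percent; the article notes 70-80% is common

@dataclass
class TrainingRecord:
    name: str
    role: str
    tier: str            # key of INTERVAL_DAYS
    last_completed: date
    course_version: str
    score: int           # knowledge-check result, percent

def next_due(rec: TrainingRecord) -> date:
    """Next refresher date from the last completion and the role's tier."""
    return rec.last_completed + timedelta(days=INTERVAL_DAYS[rec.tier])

def follow_up_stage(due: date, today: date) -> str:
    """Stage in the follow-up process: reminder a week before, reminder on the
    due date, escalation to the line manager a week after."""
    days_late = (today - due).days
    if days_late < -7:
        return "none"
    if days_late < 0:
        return "reminder"
    if days_late == 0:
        return "due-today reminder"
    if days_late < 7:
        return "overdue"
    return "escalate to line manager"

def triggered_refresh(rec: TrainingRecord, triggers) -> Optional[str]:
    """A change event (legislation, guidance, breach) dated after the staff
    member's last session triggers an extra refresher regardless of schedule."""
    for event_date, label in triggers:
        if event_date > rec.last_completed:
            return label
    return None

def assess(rec: TrainingRecord, today: date, triggers) -> dict:
    """One row of the completion report; a failed knowledge check takes priority."""
    due = next_due(rec)
    trigger = triggered_refresh(rec, triggers)
    if rec.score < PASS_MARK:
        status = "retake required"
    elif today > due:
        status = "overdue"
    elif trigger:
        status = "triggered refresher"
    else:
        status = "current"
    return {"name": rec.name, "role": rec.role, "due": due.isoformat(),
            "status": status, "stage": follow_up_stage(due, today),
            "trigger": trigger}

# Constructed sample records and trigger events (names and dates are invented;
# the DUAA commencement date below is a placeholder, not from the Act's schedule).
RECORDS = [
    TrainingRecord("A. Example", "Finance assistant", "standard", date(2024, 9, 1), "v2024.1", 85),
    TrainingRecord("B. Example", "Records officer", "high", date(2025, 6, 1), "v2025.1", 60),
    TrainingRecord("C. Example", "SAR handler", "critical", date(2025, 8, 1), "v2025.2", 90),
]
TRIGGERS = [(date(2025, 7, 15), "DUAA phase commenced (placeholder date)")]

def report(today_iso: str, records=RECORDS, triggers=TRIGGERS) -> list:
    """Completion report for the given day (ISO date string), one dict per person."""
    today = date.fromisoformat(today_iso)
    return [assess(r, today, triggers) for r in records]
```

The report rows map directly onto the spreadsheet columns the article lists, so the same logic can run over an exported sheet.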
Make it clear that refresher training is not optional. Treat it like other mandatory compliance requirements.
Conclusion
Refresher training is not a box-ticking exercise. It’s how you keep staff competent to handle personal data safely as laws change, threats evolve, and organisational processing activities develop.
The ICO’s position is clear: one-off training isn’t sufficient. Staff must receive refresher training “at appropriate intervals,” and you must document it.
What “appropriate” means in practice:
- Annual refresher training as a minimum for all staff
- More frequent training (six months or quarterly) for high-risk roles
- Immediate updates when legislation changes or breaches occur
- Ongoing awareness activities between formal sessions
- Assessment to verify understanding
- Complete documentation of who completed what and when
Staying current with 2025 changes:
The Data (Use and Access) Act 2025 makes significant changes to UK data protection law. As provisions come into force through 2025-2026, refresher training must reflect new requirements—recognised legitimate interests, relaxed automated decision-making rules, updated international transfer tests, and complaint handling obligations.
You’d be surprised how much changes—and how often those changes make compliance easier rather than harder. The DUAA relaxes some restrictions, opening up new processing opportunities. But staff won’t know they can take advantage of these changes unless you tell them.
The practical steps:
- Set a baseline frequency (annual minimum)
- Identify high-risk roles needing more frequent refreshers
- Update training content to reflect DUAA changes and current ICO guidance
- Mix delivery formats—courses, emails, quizzes, posters
- Assess understanding with pass marks
- Track completion rigorously and follow up non-completion
- Keep complete records for ICO audits
Refresher training protects your organisation by keeping staff current. It also protects the individuals whose data you process by reducing the risk of breaches caused by outdated knowledge or forgotten procedures.
If you haven’t reviewed your refresher training programme recently, start now. Check who’s received updates, what content is current, and whether your documentation proves compliance. Build from there.