Blog entry by Darren Bindert
Of all the compliance training obligations covered in this series, data protection is the one that generates the most confusion about what is actually required. The UK General Data Protection Regulation does not contain a clause that says ‘employers must train their staff.’ What it does contain is a set of principles and obligations that are, in practice, impossible to meet without trained employees. That distinction matters because it means many small businesses either over-engineer their data protection training programme or, more commonly, skip it entirely on the grounds that it is not explicitly mandated.
This post explains what UK GDPR actually requires of small employers in terms of staff training, how the Information Commissioner’s Office approaches this in practice, what the training should cover, and what a defensible record looks like. It builds on our broader guide to compliance training obligations for UK small businesses, which covers data protection as one of several statutory training requirements.
What UK GDPR says about training
UK GDPR, implemented through the Data Protection Act 2018, applies to every organisation that processes personal data about individuals, including employees, customers, and suppliers. It does not apply only to large organisations or those handling sensitive data categories. If your business holds names, email addresses, phone numbers, or any other information that identifies a living individual, UK GDPR applies to you.
Article 5 of UK GDPR establishes the accountability principle: organisations must be able to demonstrate compliance with the regulation, not merely assert it. Article 32 requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. The ICO’s guidance consistently identifies staff training as one of those organisational measures.
The practical implication is this: if the ICO investigates your organisation following a data breach or a complaint, it will examine whether your staff were adequately trained as part of its assessment of whether you took appropriate measures. A business that cannot produce evidence of staff training is in a significantly weaker position than one that can, regardless of whether the breach was the result of deliberate misconduct or a simple human error.
Where human error fits in
The most common cause of personal data breaches reported to the ICO is not malicious attack. It is human error: emails sent to the wrong recipient, documents left in insecure locations, unencrypted data shared via personal email accounts, and responses to phishing emails that expose login credentials. These are precisely the categories of error that well-designed data protection training addresses.
For a small business, the consequences of a reportable data breach extend beyond the ICO investigation itself. Certain breaches must be reported to the ICO within 72 hours of the organisation becoming aware of them. If the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, those individuals must also be notified. Both obligations require someone in the business to recognise that a breach has occurred and to know what to do next, which is itself a training outcome.
As we covered in our post on Cybersecurity awareness training, the 72-hour reporting window is tight enough that a business whose staff do not know how to recognise and report a breach will frequently miss it, compounding the original incident with a procedural failure that the ICO will treat as an aggravating factor.
SkillsCircle includes a data protection and UK GDPR awareness course as part of its pre-loaded Compliance Essentials programme, covering the key obligations every employee needs to understand.
What data protection training should cover
Data protection training for employees does not need to be a comprehensive course in UK GDPR law. Its purpose is to give staff a working understanding of their responsibilities when handling personal data and the practical steps that prevent the most common types of breach. At a minimum, training should cover:
- What personal data is: including the distinction between ordinary personal data and the special category data that attracts additional protection under UK GDPR, such as health information, biometric data, and information about religious beliefs or sexual orientation.
- The lawful bases for processing: employees who handle personal data as part of their role should understand that processing must have a lawful basis under UK GDPR and should know which basis applies to the data they work with.
- Individual rights: UK GDPR gives individuals a range of rights over their personal data, including the right to access it, correct it, and in certain circumstances have it erased. Employees who may receive such requests should know how to recognise them and where to direct them internally.
- How to handle data securely: practical guidance on avoiding the most common error types, including misdirected emails, insecure file sharing, use of personal devices or accounts for work data, and the correct disposal of documents containing personal information.
- How to recognise and report a breach: what constitutes a personal data breach, the internal reporting route, and the significance of the 72-hour reporting window to the ICO for notifiable breaches.
Not every employee needs the same depth of training. Staff who handle personal data regularly, including customer records, employee files, or sensitive correspondence, should receive more detailed training than those with minimal data exposure. For most small businesses, a well-structured online awareness course covering the areas above is sufficient for the majority of the workforce, with additional guidance for those in data-handling roles.
How often does data protection training need to be refreshed?
UK GDPR does not specify a training refresh interval. The ICO’s guidance, and the standard adopted by data protection practitioners, is an annual refresh, with additional training triggered by changes to legislation or to your organisation’s data processing activities, by a breach or near-miss, or by an employee moving into a role with greater data handling responsibility.
New starters should complete data protection training at induction, regardless of where they fall in the annual cycle. For a business onboarding staff regularly, a platform that automatically assigns training to new users and tracks their completion removes the risk of someone starting work without having received it.
What a defensible training record looks like
The accountability principle under UK GDPR means that evidence of training is as important as the training itself. In an ICO investigation, the question is not whether you believe your staff understand data protection. It is whether you can demonstrate that they were trained, when, and on what.
A defensible record should show: the name of the employee, the training they completed, the date of completion, and when renewal is due. For online training, the platform should produce this automatically in a format that can be retrieved quickly under pressure, without requiring manual compilation. As we covered in our guide to choosing an LMS for a small business, a system that produces individual-level completion records and manages the renewal cycle without manual intervention addresses both the training and the evidence requirements in a single step.
It is also worth retaining training records for longer than the minimum. Data protection claims and ICO investigations can arise months or years after the event that triggered them. A record that covers only the current training cycle may not be sufficient to demonstrate that a former employee received training before a breach that occurred in a previous period.
How SkillsCircle helps
SkillsCircle is a ready-made LMS built specifically for businesses with fewer than 200 employees, and it is designed to be operational in hours, not days. Over 800 essential training courses come pre-loaded and organised into eleven ready-to-use learning programmes, including Compliance Essentials, Health & Safety, Cyber Security, Mental Health, Safeguarding, and more, so there is no content to build and no learning pathways to design before a single employee can start.
Bulk user upload means an entire team can be onboarded in minutes, and assigning someone to an existing team automatically enrols them in that team’s learning programme and sets their deadline dates, making new joiners and role changes a one-step process. From that point, the platform runs the compliance cycle for you: automated reminder emails, recurrence scheduling, and course assignments are all handled without manual intervention.
Progress and engagement are tracked through pre-configured, filterable reports that give admins an at-a-glance view by team, user, or course, downloadable in multiple formats, so SkillsCircle is always audit-ready without any additional preparation.
For businesses that use Salesforce, SkillsCircle can even provide a live integration that synchronises user data between systems.
Pricing starts from £8 per user per month with no setup costs, no content fees, and no implementation project.