GDPR training: what UK employers must actually deliver
The UK GDPR doesn't prescribe a curriculum — but it does set an expectation. Here's what regulators look for, and how to evidence it.
This is a practical summary based on ICO enforcement patterns and UK GDPR requirements. It is not legal advice. For specific guidance on your organisation’s obligations, consult your Data Protection Officer or a solicitor.
The UK GDPR doesn’t say “every employee must complete 8 hours of training” or “run an annual GDPR refresher by June 30th.” It doesn’t mandate a curriculum or set a passing score. That flexibility is intentional: what “appropriate” training looks like depends on your sector, your data handling practices, and your workforce.
But the ICO has been clear in enforcement actions what “appropriate” actually means in practice. And the pattern is consistent across decisions.
What the law says vs. what regulators expect
Article 32 of the UK GDPR (and Section 66 of the Data Protection Act 2018) requires that organisations implement “appropriate technical and organisational measures” to protect personal data. Staff training is explicitly listed as one of those measures.
The law itself is outcome-focused: your security measures should reduce the risk of unauthorised processing, accidental loss, and breach. Training is part of that risk reduction.
The ICO, in its enforcement actions, has been specific: they expect to see documented evidence that training happened, that it was reviewed when regulations or internal practices changed, and that different roles received training appropriate to their data-handling responsibilities. A one-off session at onboarding doesn’t cut it. Recycled generic content doesn’t cut it either.
Who needs training, and at what depth
Think of your data handlers in three tiers:
Tier 1: Every employee with access to personal data
This includes people who see customer names and email addresses, salary information, medical histories, or anything that identifies an individual. In a mid-size organisation, that group is often larger than you’d expect: it includes anyone who handles customer enquiries, as well as HR, finance, operations and senior leadership.
For Tier 1, training should cover:
- What is personal data (and why it matters)
- The seven data protection principles
- Individual rights (access requests, deletion, objection)
- Who to contact if you spot a breach
Duration: 20–30 minutes, annually or on-hire.
Tier 2: People who handle data routinely as part of their core role
Customer support, HR, finance, sales, operations leads. These roles make decisions about what data to keep, how long, who can see it, and how to handle subject access requests.
For Tier 2, training should add:
- Lawful basis (why you can process this data)
- Data minimisation in practice (only ask for what you need)
- Handling subject access requests correctly
- Third-party data sharing (what needs a DPA)
- Retention rules and deletion processes
Duration: 45–60 minutes, annually; refresher when processes change.
Tier 3: Senior leaders, DPO, and decision-makers
Anyone who approves new data processing, handles investigations, or speaks for the organisation to regulators.
For Tier 3, training should cover:
- Data protection accountability (documenting your decisions)
- Data protection impact assessments (when and how)
- Data breach response (first-hour actions, notification timeline)
- Regulator engagement and audits
- Cross-border data transfers and legal bases
- Contract terms for processors and joint controllers
Duration: 90 minutes initially, with updates when regulations or case law change.
What “adequate” training looks like in 2026
Based on recent ICO enforcement decisions and guidance:
Recurring, not one-off. A single session at onboarding doesn’t count. The ICO expects to see an annual refresher minimum, with additional training when processes change, new systems are introduced, or breaches occur.
Role-specific. The ICO looks for evidence that a finance person received different training than a customer service agent. Generic “everyone takes the same course” doesn’t demonstrate you’ve thought about actual risk.
Documented per-individual. The ICO will ask “what did this employee complete, and when?” They want dates, course titles, and in some cases, evidence of comprehension (test scores, quiz results). Aggregate percentages (“82% of staff completed training”) don’t satisfy this.
Includes incident response. Every employee should know what to do in the first hour after spotting a possible breach. Where do they report it? Who do they tell? How quickly? Most compliance training skips this entirely. It shouldn’t.
What the ICO actually checks during investigations
When the ICO investigates a breach, they typically request:
- Training records showing who attended, what course, when, and for how long.
- Job role or department of each attendee (to verify role-specific training happened).
- Test results or completion certificates where available.
- Details of any follow-up training given after a breach or process change.
- Evidence that senior staff received training on accountability obligations.
They then cross-check: if a breach occurred in the customer service team, did the customer service team receive role-specific training on data handling? If a breach involved third parties, did staff training cover processor contracts?
The message is simple: train people according to their actual data-handling responsibilities, document it, and be able to show the ICO exactly who knew what and when.
Common gaps we see in audits
- Training was delivered once at onboarding and never refreshed. The ICO interprets this as a one-time awareness activity, not an ongoing protection measure.
- Records aren’t held per-employee, only as an aggregate completion percentage. “85% of staff completed GDPR training” isn’t evidence. “Jane Smith completed ‘GDPR Foundations’ on 14 March 2025” is.
- Senior leaders signed off “GDPR training complete” but couldn’t articulate the seven principles if asked. The ICO occasionally asks staff directly. If a director who oversees data processing can’t explain data minimisation, that signals the training wasn’t effective.
- Third-party processors aren’t covered by the training programme. If a processor (vendor, agency, contractor) handles your data on your behalf, they need training too. Many organisations skip this.
- Breach response training is missing entirely. Staff know to report a potential breach “to IT” but not why the first hours matter, what information needs to go in the first report, or how to preserve evidence.
The shape of sustainable GDPR training
Build a programme with three components:
- Baseline training (per role tier) on-hire or within 30 days.
- Annual refresher for all staff (same content, delivered again).
- Event-triggered updates whenever processes change, new tools are introduced, or a breach occurs.
Document everything: who trained, what, when, duration, and comprehension check (if available). Hold records for at least 3 years.
For the baseline and refresher, role-specific content matters much more than duration. A 20-minute course tailored to your finance team beats a 60-minute generic course every time.
For breach response, run a tabletop exercise annually. Walk a scenario (“suspicious data export from Finance”) and ask staff to say what they’d do. You’ll find gaps. Fill them.
What to do next week
- Audit your current training: list every staff member, their role, what training they’ve received, and when.
- Segment by role tier (all-staff, routine-handlers, decision-makers) and assess whether the training matched the tier.
- Check your records. If they’re scattered across email, Slack messages, and an LMS, start consolidating.
- Identify gaps: is breach response covered? Is annual refresher scheduled? Do third-party staff need inclusion?
- Plan the next 12 months: baseline for new starters, annual refresher, event-triggered updates.
Jupiter’s GDPR module is built specifically for this workflow. Per-employee evidence, role-tiered content that adapts to your organisation, annual refresher automation, and breach response scenarios built in. See our compliance solutions.