Follow up on non-completion of training
-
The Data (Use and Access) Act 2025 got Royal Assent on 19 June 2025. All the provisions affecting data protection law and the Privacy and Electronic Regulations Communications are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Control measure: There is a process to identify and follow up on non-completion or non-attendance of data protection related training.
Risk: If there is no process in place to identify and follow-up when staff miss or fail to complete training, there is an increased risk of personal data breaches and non-compliance with data protection law.
Ways to meet our expectations:
- Allocate responsibility for identifying staff who have not completed or attended data protection training, and for ensuring the staff complete it.
- Implement procedures to ensure that a staff member completes or attends data protection training as soon as possible, if they have failed to do so.
- Consider removing access to personal information from staff who fail to undergo data protection training.
Options to consider:
- Allocate some specific ‘protected’ time for staff to complete training.