The ICO exists to empower you through information.

Please see below for suggested actions and further reading based on your answers to the six questions. You can download this report as a Word document using the button on the top right corner of the page. If you have an problem downloading the report into a word document please let us know.

Is someone responsible for delivering data protection training in your business? - Yes


That’s great. Having somebody responsible for training your staff is an important starting point in protecting the personal data you hold.

You need to support them in their role, for example by regularly reviewing and, where necessary, improving the support and resources available to them. You should also make sure they have access to regular refresher training.

If they move on, you need to choose someone to replace them, train the new person and let everyone know who to contact.

Does the responsible person understand key data protection requirements so they can ensure the training covers them? - Yes


Having someone in place who is responsible for passing on key data protection information is great. It ensures your workers have a good understanding of data protection law and how it relates to their day-to-day activities.

This helps them spot problems and you should encourage them to tell the relevant person in your business.

Make sure you support your data protection trainer with their own refresher training, including in the principles and key data protection terms.

Does the responsible person know what else they should include in a training plan? - No


As well as explaining key data protection terms, training should cover at least:

  • data sharing;
  • information security;
  • personal data breaches; and
  • records management.

Our SME hub has lots of useful information about these areas.

You might provide training materials to support data protection learning, such as:

  • handouts;
  • reference guides; and
  • posters.

These should be easy to find and available to everyone after their training.

You should give specific training for specialist roles. For example, someone responsible for dealing with personal data breaches needs more in-depth training in this area. Our How well could you respond to a personal data breach? checklist may be useful here.

It’s a good idea to check how well people have understood the training. You could use an assessment with a minimum pass score, for example.

At the end of the training, ask for feedback about what worked and what didn’t. You can use this to make improvements for the future.

Does the responsible person know when staff should receive their training? - Yes


It’s great your responsible person already has plans for your workers’ data protection training.

It’s important that you support them, for example by giving them appropriate time and resources to carry out their training.

Make sure they know when workers’ roles change and if they need additional data protection training, so they can plan it in.

They should also plan extra support for anyone who needs it, as well as refresher training for everyone. They should provide refresher training at regular intervals. Ideally they should provide it annually, but it shouldn’t exceed two years.

Does the responsible person maintain a training log? - Yes


By already having and maintaining a log of your data protection training activities, you’re in a great position to improve your compliance, and prove what you’re doing, if you ever need to.

Do you regularly review the training? - No


You or another appropriate person in your business should review and approve the training regularly to make sure it’s accurate, up-to-date and so you can tailor it to specific people or roles.

Where you need to make changes, update training materials, hand-outs, and other reference guides as soon as possible. It’s a good idea to assign version numbers to help make sure everyone is using the right ones.

Sometimes changes happen in data protection law, for example to reflect the UK’s withdrawal from the EU, or when the ICO provides new guidance.

You can stay up-to-date with news from the ICO by subscribing to our newsletter.

You should tell all staff about the changes as soon as possible. If the changes are significant, let them know without delay.