
Please see below for suggested actions and further reading based on your answers to the six questions.

Does the responsible person understand key data protection requirements so they can ensure the training covers them? - Partially


During initial training, the responsible person should explain what the data protection principles are and how they relate to your business. For example:

When a new member of staff joins your business, part of their data protection training should include an explanation of when and how you delete or destroy personal data that you no longer need. This is because one of the seven data protection principles is ‘storage limitation’, which means not keeping people’s personal data for longer than necessary. It’s not possible for one person to take sole responsibility, because it’s likely that everyone in your business is handling personal data.

They should also explain key data protection terms staff may come across.

Does the responsible person know what else they should include in a training plan? - Partially


As well as explaining key data protection terms, training should cover at least:

  • data sharing;
  • information security;
  • personal data breaches; and
  • records management.

Our SME hub has lots of useful information about these areas.

You might provide training materials to support data protection learning, such as:

  • handouts;
  • reference guides; and
  • posters.

These should be easy to find and available to everyone after their training.

You should give specific training for specialist roles. For example, someone responsible for dealing with personal data breaches needs more in-depth training in this area. Our ‘How well could you respond to a personal data breach?’ checklist may be useful here.

It’s a good idea to check how well people have understood the training. You could use an assessment with a minimum pass score, for example.

At the end of the training, ask for feedback about what worked and what didn’t. You can use this to make improvements for the future.

Does the responsible person know when staff should receive their training? - Partially


The responsible person should have a training schedule in place for everyone in your business.

The schedule should set out when initial data protection training should take place, which should be within a month of someone joining your business and before they access any personal data.

It should also say when refresher training should happen to ensure staff keep their knowledge up-to-date.

You should provide refresher training to all workers at regular intervals. Ideally you should provide it annually, but the interval shouldn’t exceed two years.

The responsible person or whoever is responsible for the training should deliver it according to the schedule, with contingency plans in place to make sure no one is forgotten. Remember to capture any new data protection responsibilities when people move roles.

Does the responsible person maintain a training log? - Yes


By already having and maintaining a log of your data protection training activities, you’re in a great position to improve your compliance, and prove what you’re doing, if you ever need to.

Do you regularly review the training? - No


You or another appropriate person in your business should review and approve the training regularly to make sure it’s accurate and up-to-date, and so you can tailor it to specific people or roles.

Where you need to make changes, update training materials, handouts, and other reference guides as soon as possible. It’s a good idea to assign version numbers to help make sure everyone is using the right ones.

Sometimes changes happen in data protection law, for example to reflect the UK’s withdrawal from the EU, or when the ICO provides new guidance.

You can stay up-to-date with news from the ICO by subscribing to our newsletter.

You should tell all staff about the changes as soon as possible. If the changes are significant, let them know without delay.