GDPR Training Requirements: What Businesses Need to Know

Updated: March 2026

The General Data Protection Regulation does not contain a single article that says “organisations must train their staff.” Yet data protection regulators consistently treat inadequate staff training as a primary cause of breaches and an aggravating factor in enforcement decisions.

The ICO’s annual breach report identifies human error as the leading cause of personal data breaches in the UK, ahead of cyberattacks. Training is not an optional extra. It is a core element of the accountability principle.

This guide sets out the legal basis for GDPR training requirements, who needs training, what it must cover, how often it should run, and how to document it.

Is GDPR employee training a legal requirement?

While the GDPR does not include a standalone article mandating employee training, it is effectively required through several interlocking provisions. Article 39 requires Data Protection Officers to deliver “awareness-raising and training of staff involved in processing operations.” Article 5(2) requires controllers to demonstrate compliance. Article 32 requires appropriate organisational measures to protect personal data. Training is a core organisational measure, and regulators treat its absence as a compliance failure.

GDPR Article 39(1)(b) specifies that one of the DPO’s mandatory tasks is “monitoring compliance with this Regulation, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations.” This makes awareness-raising and training an explicit regulatory expectation, even if not framed as a standalone duty.

The European Data Protection Board (EDPB) reinforces this in its Guidelines 07/2020 on the concepts of controller and processor: “The controller shall implement appropriate technical and organisational measures, such as basic personnel training.” Training is expressly named as an example of an appropriate organisational measure.

GDPR Article 32(1) requires controllers and processors to implement measures “to ensure a level of security appropriate to the risk.” GDPR Article 32(4) goes further: “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instruction from the controller.” Staff who do not understand GDPR obligations cannot process data only as instructed. Training is the mechanism by which organisations ensure this.

Who needs GDPR training within an organisation?

Every member of staff who has access to personal data in any form needs some level of GDPR training. This includes not just IT teams and data protection officers, but also HR, finance, marketing, customer service, legal, and management. The training required varies by role: some staff need foundational awareness, while others require deep technical or legal knowledge specific to their responsibilities.

A common misconception is that GDPR training is primarily for IT teams or compliance officers. In practice, personal data flows through almost every business function:

• HR processes employee personal data, handles sensitive (special category) health and diversity data, and manages data subject access requests from staff

• Marketing processes customer and prospect data, operates consent mechanisms, and runs email campaigns subject to PECR

• Finance handles financial personal data, payment information, and payroll

• Customer service accesses customer records, responds to Subject Access Requests (SARs), and handles complaints involving personal data

• IT and security administrators run the systems that process personal data and are responsible for data security measures

• Legal and compliance advise on data protection obligations and manage regulatory relationships

• Procurement and vendor management assess third-party processors and manage Data Processing Agreements

The ICO’s guidance on training notes that training “should be tailored to the specific role of the individual.” A customer service agent needs to understand how to respond to a SAR. A software developer needs to understand data minimisation and data protection by design. A marketing executive needs to understand consent and lawful basis requirements for campaigns.

What topics must GDPR training cover?

Effective GDPR training must cover the six data protection principles, the lawful bases for processing, individual data subject rights, how to recognise and respond to data breaches, data security responsibilities, and handling Subject Access Requests. Role-specific modules should supplement this foundational content for staff in high-risk functions.

Core topics for all staff

1. The six GDPR principles. All staff who handle personal data should understand the principles set out in GDPR Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. These principles are the basis of almost every compliance obligation.

2. Lawful bases for processing. Staff should understand that personal data can only be processed if there is a valid legal basis under GDPR Article 6, and that the appropriate basis depends on the context. They do not need to be lawyers, but they need enough understanding to know when to ask for guidance.

3. Data subject rights. All eight rights under the GDPR should be covered at a minimum: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the rights related to automated decision-making. Staff need to know how to recognise a request and who to escalate it to.

4. Recognising and reporting data breaches. Under GDPR Article 33, personal data breaches must be reported to the supervisory authority within 72 hours. Staff cannot report breaches they fail to recognise. Training should include practical examples of what constitutes a breach (such as sending an email to the wrong recipient, losing a laptop, or exposing data through a misconfigured system) and a clear escalation path.

5. Data security responsibilities, including password hygiene, device security, handling of physical documents, use of personal devices for work, and email security. These behaviours prevent the human-error breaches that make up the majority of ICO reports.

6. How to handle Subject Access Requests. Every organisation receives SARs. Staff who interact with customers, employees, or third parties need to know how to recognise a SAR (which can be made verbally or in writing, using any channel), what to do when they receive one, and that the 30-day response deadline starts immediately.

[Figure: Key components of effective GDPR training. Source: GDPR Local]

Role-specific training modules

IT and security teams: Data protection by design and by default (GDPR Article 25), encryption and pseudonymisation techniques, access controls and audit logging, vulnerability management, and incident response procedures.

Marketing teams: Consent requirements under PECR and GDPR; the distinction between consent and legitimate interests; soft opt-in rules for existing customers; unsubscribe obligations; and profiling regulations.

HR teams: Processing of special category data (including health data, ethnicity data, and criminal conviction records), employee monitoring obligations, handling DSARs from current and former employees, and onboarding data flows.

Finance teams: Third-party processor obligations (including ensuring DPAs are in place with payroll providers and accounting platforms), handling of payment data, and retention obligations for financial records that include personal data.

How often must GDPR training be refreshed?

There is no fixed statutory training interval specified in GDPR. The EDPB and ICO both recommend annual refresher training as a minimum. High-risk roles require more frequent updates, particularly when regulations change, when new systems are deployed, or when an incident reveals a training gap. New starters must complete training before or immediately upon taking up their role.

The ICO’s guidance on training recommends refresher training “at least annually” to keep knowledge current and to cover regulatory updates. The EDPB, in its review of DPO tasks under Article 39, emphasises that training must be a continuous function rather than a one-time event.

Events that should trigger ad hoc training updates:

• A regulatory change that affects how staff carry out their duties (for example, new ICO guidance on SARs or new PECR rules)

• A data breach or near-miss that reveals a knowledge gap

• The introduction of a new system or process that involves personal data

• A failed internal or external audit that identifies training as a gap

• New legislation entering force (such as the UK’s Data Protection and Digital Information Act developments)

New starters: Training should be completed before or on the first day of employment, or as part of a structured induction within the first week. Staff who have access to personal data from day one and have not been trained represent an immediate compliance risk.

Annual refresher format: Refresher training need not replicate the full foundational programme. It can focus on regulatory updates, case studies from ICO enforcement decisions, and any areas where internal monitoring has identified knowledge gaps. Keeping it current and relevant significantly improves completion rates.

How should organisations document and evidence GDPR training?

Organisations must maintain records of GDPR training as part of their accountability documentation. Records should capture who was trained, when, what was covered, and whether the training was completed or only partially attended. The ICO can request this documentation during an investigation, and its absence is treated as evidence of inadequate organisational measures.

Under GDPR Article 5(2), the accountability principle requires controllers to demonstrate compliance. Training records are part of that demonstration.

Records should capture:

Employee name and role
Date of training
Training content covered (by module or topic)
Delivery method (online, in-person, blended)
Completion status (completed, partially completed, not completed)
Assessment scores where training includes a knowledge check
Sign-off or acknowledgement from the employee

Online learning management systems (LMS) automate this process and generate exportable reports. For smaller organisations, a spreadsheet with the above fields maintained by HR or the DPO is sufficient.

Senior management should regularly review training completion rates and have escalation processes in place for non-completion. The ICO considers management oversight of training completion to be evidence of an organisation’s commitment to compliance. Where training completion rates are low, this is itself a compliance risk.

What specialist training is required for Data Protection Officers?

DPOs are required by GDPR Article 37 to have “expert knowledge of data protection law and practices.” The specific content of DPO training is not prescribed. Still, it must include deep knowledge of GDPR and applicable national data protection law, privacy risk management, conducting Data Protection Impact Assessments (DPIAs), managing data subject rights, and handling supervisory authority investigations.

The EDPB’s Guidelines 07/2016 on DPOs note that the level of expert knowledge required should be “determined in particular by the data processing activities carried out and the protection required for the personal data processed.” A DPO working in a healthcare organisation requires deeper knowledge of special category data than one working in a retail business.

DPO training typically includes:

Advanced GDPR and UK GDPR compliance
International data transfers (including Standard Contractual Clauses, adequacy decisions, and Binding Corporate Rules)
Conducting and reviewing DPIAs under GDPR Article 35
Managing supervisory authority investigations and enforcement actions
Data subject rights management and SAR handling
Data breach response and 72-hour notification procedures
Privacy by design and by default under GDPR Article 25
Records of Processing Activities under Article 30

Continuing professional development is essential for DPOs. The data protection regulatory landscape is constantly evolving. DPOs should maintain membership of professional bodies (such as the IAPP or BCS) that provide ongoing education and regulatory updates.

Frequently Asked Questions

Does GDPR require annual data protection training for all staff? GDPR does not specify “annual” training, but the ICO and EDPB both recommend annual refreshers as a minimum. The accountability principle requires that training be effective and demonstrably so, meaning one-time training from several years ago would not satisfy a regulator that staff knowledge is current.

What happens if an employee causes a data breach because they were not properly trained? The ICO considers staff training when assessing whether a controller has implemented appropriate organisational measures under Article 32. If a breach occurs and the investigation reveals that staff had not been trained on the relevant obligations, this is an aggravating factor in any enforcement action.

Can online training satisfy GDPR training requirements? Yes. Online training can fully satisfy GDPR training requirements provided it covers the necessary content, is tailored to the individual’s role, and is documented. Many organisations use a combination of online foundational training and in-person sessions for higher-risk functions.

Do contractors and temporary staff need GDPR training? Yes, if they have access to personal data. The GDPR applies to all natural persons who process data under the controller’s authority, regardless of employment status. Contractors, agency workers, and freelancers with access to data should complete appropriate training before accessing personal data.

Who is responsible for GDPR training in an organisation? Responsibility typically lies with the DPO (where one is appointed), working with HR to design and implement training programmes. Senior management is accountable for ensuring training is resourced and completed. Where no DPO is appointed, a senior leader with data protection responsibility should own the training function.

What should training records contain? Name, role, date of training, content covered, completion status, and assessment scores, where applicable. Records should be maintained for the duration of employment and for a reasonable period afterwards (typically consistent with the organisation’s general HR record retention policy).

Is specialist training required for employees handling special category data? Yes. Staff who process special category data (health data, biometric data, racial origin, political opinions, etc.) require training that specifically addresses the higher protection standard set out in GDPR Article 9 and the limited conditions under which such data may be processed.

How do you measure whether training has been effective? Through knowledge assessments after training modules, regular testing (simulated phishing exercises for security training, mock SAR scenarios for customer-facing teams), monitoring of breach incident volumes and types, and supervisory authority feedback during inspections. Effective training reduces real-world incidents.

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.