
Do you know what to include in your data protection training?

This checklist is for sole traders, and other UK small businesses. Use it to help people in your business get the right information about handling personal data correctly.

Once you complete the checklist, you get a short report with practical actions you can take and additional guidance to improve how you give data protection training.

If you’re unsure if you need to comply with data protection law, you should take this short quiz first.

 

1. Is someone responsible for delivering data protection training in your business? (optional)

You need to make sure everyone in your business knows how to handle people’s personal data correctly.

It's important that someone in your business takes responsibility for delivering data protection training.
This could be you or you can choose someone else.

Make sure all your workers know who that person is and how to contact them.

The responsible person needs to put plans in place to meet training needs within agreed timescales.

2. Does the responsible person understand key data protection requirements so they can ensure the training covers them? (optional)

The responsible person needs to understand key parts of data protection law, so they can train or help colleagues.

There are seven data protection principles, which should form the basis of training. They are:

  • lawfulness, fairness, and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

The training should also include explanations of key terms, such as:

  • personal data;
  • data subject;
  • personal data breach; and
  • information rights.

3. Does the responsible person know what else they should include in a training plan? (optional)

In addition to understanding key data protection terms, everyone needs training that is specific to their roles and responsibilities.

You should include this in your training plans.

For example, the person who cleans your premises is unlikely to need training in all aspects of data protection. However, they do need to be able to spot when personal data is not being stored securely and who to tell.

Others may need more in-depth training, for example in:

  • sharing data;
  • avoiding personal data breaches;
  • keeping premises and data secure; and
  • the importance of good records management.

It’s also important to assess learning at the end of the training to test understanding.

4. Does the responsible person know when staff should receive their training? (optional)

New starters need data protection training within a month, and before accessing any personal data.


You should provide refresher training to all workers at regular intervals. Ideally you should provide it annually, and the interval between refreshers should not exceed two years.


If anyone needs additional support (for example, if you assess their knowledge and they get a low score), provide further training. Don’t wait until the next scheduled refresher training.

5. Does the responsible person maintain a training log? (optional)

The responsible person should keep a log of who completes training and when people require refresher training.

It should include where people require further support or guidance, for example if someone gets a low pass mark.

They should follow up with people who haven’t completed their training and make sure they complete it as soon as possible. For new starters, this should be within one month and before they access any personal data.

6. Do you regularly review the training? (optional)

You need to regularly review the training to make sure it’s accurate and up to date, and so you can tailor it to specific people or roles.

Where you need to make changes, you should amend the training content as soon as possible.

Sometimes changes happen in data protection law, for example to reflect the UK’s withdrawal from the EU, or when the ICO provides new guidance.

You can stay up-to-date with news from the ICO by subscribing to our newsletter.