The Briefing Room HR & Compliance

What is GDPR training and why is it mandatory in the UK?

GDPR training is a legal requirement for every UK employer that handles personal data. Here is what the Data Protection Act 2018 and UK GDPR demand of your staff, and how to prove compliance to the ICO.

The learndirect compliance team - learndirect
7 min read
What is GDPR training and why is it mandatory in the UK?

Yes. In the UK, GDPR training is a legal requirement for every employer that handles personal data, from small charities to enterprise employers. If your organisation collects, processes or stores information about customers, employees, patients or suppliers, you are legally obliged to train your staff on data protection responsibilities. Failure to do so can result in fines of up to £20 million or 4% of global annual turnover, whichever is higher. This is not a nice-to-have, it is a foundation of workplace compliance.

What is GDPR?

The General Data Protection Regulation (GDPR) is a UK and EU law that came into effect on 25 May 2018. It governs how organisations collect, store, process and share personal data. Following Brexit, the UK adopted the UK GDPR, which mirrors EU GDPR closely and is enforced alongside the Data Protection Act 2018.

Under GDPR, "personal data" means any information relating to an identifiable individual. This includes names, addresses, email addresses, phone numbers, IP addresses, employee records, customer databases, CCTV footage, biometric data and health records. If your organisation touches any of this, GDPR applies.

UK legal requirement: the Data Protection Act 2018 and UK GDPR

Under UK data protection law, employers must ensure staff understand and can apply data protection principles in their day-to-day work. The relevant obligations sit across several provisions:

Article 32 (Security of processing)

Article 32 of UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. The Information Commissioner's Office (ICO) has repeatedly confirmed that staff training is one of those organisational measures. Untrained staff are the single biggest cause of data breaches.

Accountability principle

Employers must be able to demonstrate compliance, not merely claim it. That means keeping documented evidence of GDPR training, refresher schedules, attendance records and assessment results. If the ICO investigates a breach, the first question is often: "Can you show your staff were trained?"

Consequences of non-compliance

  • ICO fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
  • Reputational damage from public enforcement notices and press coverage.
  • Compensation claims from individuals whose data has been mishandled.
  • Contract loss where clients require documented compliance as a supplier condition.
  • Personal liability for directors and data protection officers in the most serious cases.

What does GDPR training cover?

An accredited GDPR training course, such as the learndirect GDPR Compliance Training course (£25), gives your staff a working understanding of:

  1. The seven GDPR principles, including lawfulness, fairness, purpose limitation, data minimisation, accuracy and accountability.
  2. Lawful bases for processing, from consent to legitimate interest and contractual necessity.
  3. Individual rights, including the right of access, rectification, erasure and portability.
  4. Handling subject access requests (SARs) within the one-month statutory deadline.
  5. Data breach recognition and reporting, including the 72-hour ICO notification rule.
  6. Secure data handling, from email etiquette and encryption to safe disposal of physical records.
  7. Third-party sharing, including data processing agreements and international transfers.
  8. Special category data, such as health, ethnicity, religion and biometric information.
  9. Practical scenarios tailored to office, remote and hybrid working environments.
  10. The role of the Data Protection Officer (DPO) and when one must be appointed.

The course is delivered online, takes 1 to 2 hours to complete, and concludes with an assessment. On successful completion, learners receive an instant CPD accredited certificate recognised by UK employers, regulators and insurers.

Who needs GDPR training?

The short answer is everyone who handles personal data at work. In practice that includes:

  • All employees with access to customer, patient, learner or colleague records, regardless of role.
  • Managers and team leaders responsible for how personal data flows through their department.
  • HR, payroll and recruitment staff who handle sensitive employee information every day.
  • Marketing and sales teams managing databases, consent records and outbound campaigns.
  • IT and security staff responsible for the technical safeguards that Article 32 requires.

Volunteers, contractors and temporary staff also need GDPR training if they will handle personal data. The obligation follows the data, not the employment contract.

How often must staff be trained?

  • Before taking on a data handling role. New starters should complete GDPR training as part of induction, ideally in their first week.
  • At least annually. Refresher training every 12 months is the ICO recommended minimum and the expectation of most auditors.
  • After any significant change. New systems, mergers, remote working policies or a change in the categories of data you hold all warrant refresher training.
  • After a data breach or near miss. Any incident should trigger targeted refresher training for the teams involved.

Protect your organisation: make GDPR training mandatory today

Every organisation that handles personal data is exposed to GDPR risk, and the ICO has made it clear that lack of training is no defence. If your staff have not completed formal GDPR training in the last 12 months, or if a new team member has joined without induction, the time to act is now. The learndirect GDPR Compliance Training course takes 1 to 2 hours, costs £25 per person, and leads to an instant CPD accredited certificate.

Explore the full HR compliance training category to see the other courses your team may need, including data protection training and cyber security awareness. For a wider view of every compliance course we offer, browse our full 82-course compliance catalogue.

Frequently asked

Is GDPR only for large companies?

No. UK GDPR and the Data Protection Act 2018 apply to any organisation that handles personal data, from a two-person business to a multinational. Fines are scaled to turnover, but the legal obligations are the same. In practice, smaller organisations often carry more risk because they lack a dedicated Data Protection Officer or IT team.

What counts as personal data under GDPR?

Any information that can identify a living individual, directly or indirectly. That includes names, addresses, email addresses, phone numbers, IP addresses, employee IDs, CCTV footage, biometric data and online identifiers. Special category data (health, ethnicity, religion, sexual orientation, biometrics used for identification, trade union membership) carries stricter obligations.

Can we skip GDPR training if we argue it is not relevant to us?

Almost no UK employer can honestly make that argument. If you keep employee records, take customer bookings, hold a mailing list, run CCTV or hire suppliers, GDPR applies. The ICO explicitly treats untrained staff as a breach of the security-of-processing duty under Article 32.

What happens if we suffer a data breach and staff have not been trained?

The ICO will ask, on day one, for evidence that staff had been trained. Absence of that evidence is treated as an aggravating factor and typically increases the size of any fine. It can also invalidate cyber insurance cover, where policies routinely require documented staff training.

How much does GDPR training cost?

Accredited online courses such as the learndirect GDPR Compliance Training course cost £25 per person, and you receive your CPD accredited certificate immediately upon passing. Volume discounts are available for teams enrolling multiple learners in one order.

How long does GDPR training take?

Most accredited online GDPR courses take between one and two hours to complete. The learndirect course is self-paced, so staff can pause and resume as needed. The final assessment can be retaken until it is passed, and the certificate is issued instantly on completion.

Sources and further reading

  1. Information Commissioner's Office (ICO)
  2. Data Protection Act 2018 (legislation.gov.uk)
  3. GOV.UK: Data protection
  4. learndirect GDPR Compliance Training

Rated by our learners

Rated Excellent by our learners

4.5 out of 5

Based on 31,120 Trustpilot reviews

Read all reviews →
Verified

Laura Campbell - Exceptional customer service

Customer services/Enrolment team... This is quite possibly one of the best, easiest, nicest and most personable experience with any customer service department I have ever had, in my life. I was lucky enough to have Laura Campbell answer my first call/email, then stick with me for the entirety of my LD journey. Laura was just fabulous. It was like chatting with my best friend i'd known for years, truly, every conversation we had was fantastic, funny, serious, professional, personal, I could go on and on....! Professionally, Laura was able to answer ALL of my questions (to which there were many) with ease, a high level of knowledge and professionalism. Exactly how it should be, really, so it was the more personal aspect to our interaction that made me feel at ease and comfortable with her. This lady does her job very well indeed! Thank you, Laura, for taking the time to explain, talk through things with me and put any worries or fears I had about enrolling, aside. I really appreciate the time and effort you put in to myself and my first experience with Learndirect. :)

Dawn 13 Jul 2026
Verified

Nice and Welcoming

The customer assistant, Thomas, truly made me feel welcome and created an positive environment for me to understand the course and the company itself. Would definitely recommend to others

Toyin 13 Jul 2026
Verified

Harley talked me through the whole…

Harley talked me through the whole process answering any questions I had. He was very professional and friendly putting any worries I had at ease.

Mrs S. 13 Jul 2026
Verified

The staff was very helpful and patient…

The staff was very helpful and patient with me throughout the registration process and that’s a good reason

WuntiaLouisa 13 Jul 2026
Verified

Scott's communication was clear and to…

Scott's communication was clear and to the point. Suggestions given were both practical and relevant.

Maureen. C. 12 Jul 2026
Verified

They have helpful team

Freddie was very helpful, get in touch with me in no time and led me through all the enrollment process, very good and friendly

Folasade E. 12 Jul 2026
Ready when you are

Take the next step in your learning journey

Course tips, career advice and exclusive offers, straight to your inbox. No spam, just guidance.

Accredited & trusted

Working with the UK's leading awarding bodies

Call us
today