The majority of organisations today provide data protection training. The training covers the GDPR principles, the definition of personal data, and the basics of breach reporting. The staff who handle data complete the training. The completion rate hits 95%, and on paper everything looks good.
Then someone publishes a spreadsheet with 2,000 employees' health data hidden in a column, and the ICO asks why nobody knew about Excel's Inspect Document feature.
That isn't a hypothetical example. It's what happened at Southend-on-Sea City Council in 2024. The ICO's reprimand linked the breach directly to a lack of staff training on the software they used every day. The failure wasn't caused by a lack of GDPR training. It was a lack of understanding about how their applications actually worked.
Southend-on-Sea City Council isn't an outlier; I've seen similar patterns everywhere. Organisations invest in training that explains what the regulation says, and then they don't understand why staff still make mistakes with the applications they use to handle data. The training satisfies the compliance check. It fails at the day-to-day reality of operations.
The legal position is clear enough
Training is not explicitly mandated by any single provision of the UK GDPR. It is derived from the accountability principle (Article 5(2)), the requirement for appropriate technical and organisational measures (Articles 24 and 32), and the DPO's explicit responsibility for "awareness-raising and training of staff involved in processing operations" (Article 39(1)(b)).
Despite some confusion, the Data Use and Access Act 2025 did not change any of this. The ICO's Accountability Framework treats training as a core compliance expectation, and enforcement actions consistently cite inadequate training as a contributing factor in breaches.
The law in itself is not the problem; the problem is how companies turn the obligation into training structures.
Where it sometimes goes wrong
The ICO's enforcement record tells the story. Southend-on-Sea City Council received its reprimand after an Excel spreadsheet containing hidden personal data, including health information, ethnicity, and salary details of approximately 2,000 employees, was released in response to an FOI request. The ICO recommended training on Excel's Inspect Document feature. The required general data protection training existed; what didn't exist was the practical, application-specific training.
In the same year, Central YMCA was fined £7,500 after a programme coordinator emailed 264 participants in an HIV support programme using CC instead of BCC, disclosing the email addresses and HIV status of 166 identifiable individuals. The coordinator had not completed data protection training. There was no central oversight of whether training had been completed, and the monitoring mechanism the organisation had in place failed to work.
These aren't scenarios of staff members who dismissed compliance as annoying bureaucracy. One person didn't understand how to use BCC, and the other didn't know how to check a spreadsheet for hidden data. The training that existed in both organisations covered the principles of data protection. It did not cover the five minutes of practical application instruction that would have prevented the breaches.
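The "check a spreadsheet for hidden data" step is something a DPO can also automate as a pre-release control alongside Excel's Inspect Document. The script below is an added example, not code from the original post or from either organisation: it opens an .xlsx as the zip of XML parts it really is and reports hidden sheets, hidden columns and hidden rows, using only the Python standard library. The sample workbook it builds is constructed for the demo (only the parts the checker reads, so Excel would not open it), and the sheet names and hidden cells are invented; pass the bytes of a real .xlsx to `find_hidden_content` to check a file before it leaves the organisation.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML spreadsheet format
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WS_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"


def col_letter(n: int) -> str:
    """Convert a 1-based column index to Excel letters: 1 -> A, 26 -> Z, 27 -> AA."""
    letters = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def build_sample_workbook(hide_data: bool = True) -> bytes:
    """Constructed .xlsx fragment for the demo (not a real council file): only the
    parts the checker reads. With hide_data=True, sheet 'FOI response' hides column C
    and row 4, and a second sheet 'Payroll' is marked hidden."""
    hidden_attr = ' hidden="1"' if hide_data else ""
    state_attr = ' state="hidden"' if hide_data else ""
    workbook_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">
  <sheets>
    <sheet name="FOI response" sheetId="1" r:id="rId1"/>
    <sheet name="Payroll" sheetId="2"{state_attr} r:id="rId2"/>
  </sheets>
</workbook>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Type="{WS_TYPE}" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{WS_TYPE}" Target="worksheets/sheet2.xml"/>
</Relationships>"""
    sheet1_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS_MAIN}">
  <cols><col min="3" max="3" width="0"{hidden_attr}/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>
    <row r="4"{hidden_attr}><c r="A4" t="inlineStr"><is><t>example row</t></is></c></row>
  </sheetData>
</worksheet>"""
    sheet2_xml = f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        z.writestr("xl/worksheets/sheet1.xml", sheet1_xml)
        z.writestr("xl/worksheets/sheet2.xml", sheet2_xml)
    return buf.getvalue()


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return human-readable findings for hidden sheets, hidden columns and hidden rows.
    Works on the bytes of any .xlsx file, since every one contains these same parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        # Map relationship ids (rId1, ...) to worksheet part paths relative to xl/
        targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible, hidden or veryHidden
            if state != "visible":
                findings.append(f"hidden sheet {name!r} (state={state})")
            target = targets.get(sheet.get(f"{{{NS_REL}}}id"), "")
            path = target.lstrip("/") if target.startswith("/") else "xl/" + target
            if not target or path not in z.namelist():
                continue
            ws = ET.fromstring(z.read(path))
            # Column ranges are declared once in <cols>; rows carry their own hidden flag
            for col in ws.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    first, last = int(col.get("min")), int(col.get("max"))
                    findings.append(f"sheet {name!r}: hidden columns {col_letter(first)}-{col_letter(last)}")
            hidden_rows = [row.get("r") for row in ws.iter(f"{{{NS_MAIN}}}row")
                           if row.get("hidden") in ("1", "true")]
            if hidden_rows:
                findings.append(f"sheet {name!r}: hidden rows {', '.join(hidden_rows)}")
    return findings


if __name__ == "__main__":
    for finding in find_hidden_content(build_sample_workbook()):
        print(finding)
```

Run against the constructed workbook it reports one hidden sheet, hidden column C and hidden row 4; against the clean variant it reports nothing. It only covers the three places the Southend-on-Sea case turned on (hidden sheets, rows and columns); comments, document properties and filtered data are separate checks, which is why Inspect Document remains the tool staff should be trained on and this is a supplementary gate, not a replacement.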
What I often check
When I assess any company's training, I don't simply run with the completion spreadsheet. I look at the work processes.
If there is a lack of clarity, rather than just examining spreadsheets, I can shadow people doing their jobs. A desk-side walk-through, sitting with a staff member while they perform a standard task like onboarding a new client, can often reveal more than any training record will.
The training says "don't store personal data on local drives," but the employee knows the reporting tool is too slow and they'll never get the work done in time using it. If, to speed things up, they download CSVs from the CRM to their desktop, the training isn't the failure point. The system that takes too long and forces the employee to work around the training is the root cause, and the CSV download shortcut has become part of the unofficial SOPs. That is fundamentally a technical issue, not an awareness problem.
I read the breach log. It's the most honest report card an organisation has. Incidents can sometimes be mapped to specific training modules. If 40% of a company's breaches involve misdirected emails while the training spends about 30 seconds on BCC versus CC, the training is misaligned with the real threat.
Sometimes clusters will show: if one department has a high rate of near-misses despite a 100% training completion record, the training is probably too generic for their specific workflow.
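Mapping the breach log to the training syllabus, as described above, is a small enough exercise to script. The example below is added here and is not the author's tool: it takes a constructed breach and near-miss log (the ten incidents are invented, not real cases), classifies each line into a category with simple keyword rules, and compares each category's share of incidents with its share of the training time. The category names, the keyword rules and the minutes-per-topic figures are all assumptions to be replaced with your own log and your own module timings.

```python
import re
from collections import Counter

# Constructed sample breach/near-miss log (invented incidents): "date | description", one per line
BREACH_LOG = """\
2025-01-14 | Misdirected email: client statement sent to wrong recipient
2025-01-22 | Email to 40 members sent with addresses in CC
2025-02-03 | Spreadsheet attached to FOI reply contained hidden salary column
2025-02-19 | Laptop left on train, disk encrypted
2025-03-02 | Email sent to wrong Smith in address book
2025-03-15 | Customer deletion request handled as a general complaint, missed deadline
2025-03-28 | Email with payroll attachment autocompleted to external address
2025-04-06 | Hidden sheet in exported workbook included health information
2025-04-20 | Incident: CC used instead of BCC on support group mailing
2025-05-01 | SAR found in Slack message three weeks after it was sent
"""

# Keyword rules mapping free-text incidents to training topics (assumed; first match wins)
CATEGORY_RULES = [
    ("misdirected_email", re.compile(
        r"wrong recipient|wrong \w+ in address book|autocomplet|cc (used )?instead of bcc|addresses in cc", re.I)),
    ("hidden_spreadsheet_data", re.compile(r"hidden (\w+ )?(column|sheet|row)", re.I)),
    ("rights_requests", re.compile(r"deletion request|\bsar\b|subject access", re.I)),
    ("device_loss", re.compile(r"laptop|phone|usb", re.I)),
]

# Minutes the current e-learning module spends on each topic (constructed figures, 60 minutes total)
TRAINING_MINUTES = {
    "misdirected_email": 0.5,        # the "30 seconds on BCC versus CC" from the text
    "hidden_spreadsheet_data": 0.0,  # not covered at all
    "rights_requests": 10.0,
    "device_loss": 8.0,
    "other": 41.5,                   # principles, definitions, breach reporting basics
}


def classify(description: str) -> str:
    """Return the training topic an incident description maps to, or 'other'."""
    for category, pattern in CATEGORY_RULES:
        if pattern.search(description):
            return category
    return "other"


def breach_counts(log: str) -> Counter:
    """Count incidents per category from the 'date | description' log format."""
    counts = Counter()
    for line in log.strip().splitlines():
        _date, _, description = line.partition("|")
        counts[classify(description.strip())] += 1
    return counts


def misalignment(counts: Counter, minutes: dict) -> list:
    """For each category, compare its share of incidents with its share of training time.
    Returns (category, breach_share, training_share, ratio) sorted by ratio, highest first;
    ratio is inf where a category causes incidents but gets no training time at all."""
    total_incidents = sum(counts.values())
    total_minutes = sum(minutes.values())
    rows = []
    for category in set(counts) | set(minutes):
        breach_share = counts.get(category, 0) / total_incidents
        training_share = minutes.get(category, 0.0) / total_minutes
        if breach_share == 0:
            ratio = 0.0
        elif training_share == 0:
            ratio = float("inf")
        else:
            ratio = breach_share / training_share
        rows.append((category, breach_share, training_share, ratio))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


if __name__ == "__main__":
    counts = breach_counts(BREACH_LOG)
    for category, b, t, ratio in misalignment(counts, TRAINING_MINUTES):
        flag = "MISALIGNED" if ratio > 2 else ""
        print(f"{category:24} incidents {b:5.0%}  training {t:5.0%}  ratio {ratio:>6.1f} {flag}")
```

On the constructed log, half the incidents are misdirected emails against under one percent of the training time, and hidden spreadsheet data causes incidents while receiving no training time at all; both sit at the top of the list, which is the gap the syllabus should be rebuilt around. The "other" bucket is where the untargeted content lives, and a high training share there with a zero breach share is itself a signal.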
Audit training against the RoPA. The Record of Processing Activities (RoPA) and any DPIAs should dictate the training syllabus. If the RoPA shows the organisation processes Special Category Data (health information, for example), but the training is too generic and only uses examples of names and addresses, there is an obvious weakness. Staff who handle the most sensitive processing activities often need targeted training, not just the standard organisation overview.
Can staff spot data in context? Recognising a database entry as personal data is easy. Recognising a subject access request buried in a Slack message is where companies can fail. Test this with your own tools: take redacted screenshots from Teams, Slack, or Zendesk and ask staff to identify the data protection implication. If a customer mentions a medical condition in passing in an email thread, what should happen next? If staff miss it, or don't know what to do, the training is too focused on legal definitions and not enough on practical recognition.
A new test is coming in June 2026
The Data Use and Access Act 2025 introduces a statutory duty for all controllers to maintain a formal data protection complaints process, effective 19 June 2026. Organisations must acknowledge complaints within 30 days and take appropriate steps to respond. Critically, individuals will generally need to raise complaints with the controller first before escalating to the ICO.
The training implication is immediate. Every customer-facing member of staff needs to be able to recognise a data protection complaint, even when the person making it does not use legal language. A customer who says "why do you still have my details? I asked you to delete them months ago" is making a data protection complaint. If the person on the phone treats it as a general customer complaint, the organisation fails its new statutory obligation. The 30-day clock starts on receipt, not on the day someone in the compliance team finds out about it.
Why the answer isn't always more training
Here is what experience has taught me: when I see the same error happening repeatedly, the answer isn't always more training. It is often far more productive to engineer the risk out. Instead of training people not to send sensitive files via email, disable email attachments for certain file types and force the use of a secure portal. Instead of telling staff not to use public AI tools with customer data, provide an approved alternative that is easier to use than the unauthorised one.
A DPO who understands the systems knows when training is the right response and when redesigning the process is the better approach. Many training programmes fail not because they are poorly delivered, but because they are trying to solve a problem that training alone cannot fix. When the system makes it easier to do the wrong thing than the right thing, no amount of e-learning will ensure a positive outcome.
The companies that get this right treat training as a critical element of a risk reduction system, but not the whole system. The training completion rate is not the only measure that matters. What also matters is whether your staff can handle personal data safely with the daily tools they use, under the time pressures they face, with the processes they actually follow. If they cannot, the training missed the objective, regardless of what the spreadsheet tells you.