Resources
Podcasts, Guides, Updates & More
Data Protection People Blogs
Data Privacy Learning & Guidance
Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.
What Your Staff Members Need to Know About GDPR Compliance
Under UK GDPR, businesses must implement appropriate measures to protect personal data – and training your staff is an essential part of that. Without robust GDPR training, your staff could be putting your business at risk of non-compliance and data breaches, as well as subsequent fines and reputational damage.
In this blog post, we discuss the key elements that must be included in your GDPR training and how to choose the right course for you.
What The GDPR Principles Look Like In Practice
There are seven core principles to GDPR:
- Lawfulness, Fairness & Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity & Confidentiality
- Accountability
Your staff should have an understanding of what each of these core principles means and how they apply to their day-to-day work. For example: collecting only the data that is necessary (data minimisation), keeping data accurate and up to date (accuracy), and handling and storing data securely (storage limitation and integrity & confidentiality).
Many GDPR compliance failures occur when staff understand the principles in theory, but don’t know how to apply them in real situations.
The GDPR training you choose should focus on real-life scenarios, not just the theory.
How to Handle Personal Data
Most businesses process personal data, so understanding what does and doesn’t fall into that category, and how it should be handled, is really important. Things like emails, CCTV, HR records and customer databases are all considered personal data.
Your employees should be able to identify personal data and be confident in handling it correctly, to ensure privacy in accordance with GDPR principles.
What the Lawful Bases for Processing Are
You must have a valid reason for collecting or using personal information in your business. There are six ‘lawful bases’:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Your staff should know which of these is the most appropriate for what you’re doing with people’s information. Each of these lawful bases has its own stipulations, so it’s important that your employees understand which one applies to your business.
How to Deal With Data Subject Rights and Requests
A data subject is anyone who can be identified by personal data, usually customers, employees and service users. GDPR gives data subjects certain rights, including the right to access, correct and delete the personal data you might hold about them.
Knowing what these rights are and how to handle a data subject access request is vital to protecting your business.
How to Identify Data Breaches and Report Incidents
Does your team know what a data breach is? And do they know how to respond in the event of an incident? The faster your staff can identify a breach and act on it, the better it will be for your business in the long run. You will be able to prevent accidental breaches in the future, protect against malicious attacks, and hopefully mitigate any lasting impact.
Choosing the Right GDPR Training
Good data protection training includes scenario-based learning, the UK regulatory context and is refreshed regularly. It should be tailored to your business needs, including your staff’s roles, and the type of personal data they handle.
GDPR Training Courses From Data Protection People
Our training courses are bespoke to you. Our experts have years of practical experience and can create a data protection training course that equips your staff with the knowledge and confidence to make the right decisions when it matters.
How To Choose The Right GDPR Training Course For Your Business
Ensuring your business is GDPR compliant begins with training, but GDPR training isn’t a one-size-fits-all approach. The right GDPR training course depends on your staff’s roles and the type of personal data they handle.
In this article, we’ll help you understand what GDPR training your employees need to stay compliant and protect your customers’ data.
Why GDPR Training is Important
Under GDPR, the ICO expects organisations to provide training that is “relevant, accurate and up to date” for all staff members. GDPR training isn’t limited to Data Protection Officers (DPOs), HR or IT teams; it should apply to all employees who handle personal data. Effective GDPR training helps reduce the risk of data breaches, ensures personal data is processed correctly and supports overall compliance.
Article 39 of the GDPR states that a DPO is responsible for monitoring compliance, which includes overseeing staff data training. When the ICO investigates a data breach or reviews a complaint, they will often request evidence that all employees have received adequate GDPR training. Failure to provide adequate data training can lead to fines, legal action and reputational damage.
Who Needs GDPR Training?
Anyone in your organisation who processes or has access to personal data requires GDPR compliance training. This includes sensitive data about customers, employees, suppliers or other third parties. Consider a simple rule: if someone can access personal data, they need training.
While every department and employee in your business will handle data differently, everyone needs to understand their responsibilities under GDPR.
- Marketing teams use customer data and analytics for targeted messages and must understand GDPR consent requirements.
- Sales teams handle prospect and client data, so they must ensure they have permission to make contact and know how to comply with data erasure requests.
- IT teams must ensure appropriate security measures and access controls are in place to protect personal data.
- Finance teams process confidential employee, customer and supplier data and must handle it securely.
- HR teams manage staff records and sensitive personal information that must comply with GDPR requirements around confidentiality and data retention.
- Customer service teams regularly access and handle customer details and must ensure data is protected at all times.
Roles that have access to more sensitive data types and have increased responsibility for compliance, such as finance and IT teams, will require more specialised training than others.
Choosing The Right GDPR Training Course
GDPR training should be delivered during an employee’s induction and refreshed annually to maintain awareness and stay up to date with policy and legislative changes. The ideal course should be comprehensive, covering core principles of GDPR, data subject rights, data protection policies, protocols for data breaches and data security measures.
General GDPR training can be delivered company-wide, but role-specific training should be provided for different departments based on how they handle data. For example, customer service teams need training on security protocols for handling phone calls, while marketing teams require additional training on the Privacy and Electronic Communications Regulations (PECR) to ensure communications are sent lawfully and with consent.
GDPR Training From The Experts
As leading experts in data protection support, we offer a range of online and in-person GDPR training services to address your business requirements.
From awareness programmes that cover the fundamentals of data protection to bespoke training courses focusing on specific risks and roles, we have a solution for you. Additionally, our soon-to-launch data protection eLearning platform is packed with comprehensive online courses if you prefer a more flexible option.
Speak to our team today to learn more about our data protection training services.
Updated ICO guidance on DSARs
Updated ICO guidance on Data Subject Access Requests, what organisations need to know in 2026
The Information Commissioner’s Office (ICO) has published updated guidance on handling Data Subject Access Requests (DSARs). The update reflects changes introduced by the Data (Use and Access) Act 2025, alongside recent case law that clarifies how these changes should operate in practice.
While the right of access remains a fundamental data protection right, DSARs can be challenging to manage. Requests are often broad, unclear, repeated, or involve large volumes of data held across multiple systems. The updated guidance aims to help organisations handle these requests more consistently, while continuing to recognise the importance of transparency and accountability.
Understanding DSARs and the right of access
The right of access allows individuals to obtain confirmation as to whether their personal data is being processed and to receive a copy of that data, together with supplementary information about how and why it is processed.
This right sits at the core of UK data protection law and plays a critical role in enabling transparency, fairness, and accountability in how organisations handle personal data.
Key changes introduced by the Data Use and Access Act and ICO guidance
Stopping the clock where clarification is reasonably required
The updated guidance confirms that organisations may pause the one-month response deadline where clarification is reasonably required to provide an effective response to a DSAR.
Importantly, the previous requirement that the organisation must be processing a large volume of personal data has been removed. Organisations may now seek clarification whenever it is genuinely necessary to understand the scope of a request.
The clock pauses only until sufficient clarification is received and resumes immediately afterwards. Organisations must still act without undue delay and should not use clarification requests to extend deadlines unnecessarily. Decisions to seek clarification should be documented clearly.
Increased transparency when refusing a DSAR
Individuals now have an explicit right to complain directly to the organisation if they believe their DSAR has not been handled in line with UK data protection law.
Where a DSAR is refused, organisations must inform the individual of the reason for refusal, their right to complain to the organisation, their right to complain to the ICO, and their right to seek a judicial remedy.
This change requires organisations to review refusal templates, ensure internal complaint processes are accessible, and respond to complaints without undue delay.
Reasonable and proportionate search assessments
The guidance reinforces that organisations are required to carry out reasonable and proportionate searches, rather than exhaustive searches in all circumstances.
When assessing proportionality, organisations should consider factors such as the volume of data involved, how information is stored and retrieved, technical or practical limitations, and the context of the request. These decisions should be documented so they can be justified if challenged.
Manifestly unfounded or excessive requests
Providing personal data in a commonly used electronic format, such as via a secure portal, will generally satisfy the obligation to provide a copy, unless the individual objects.
However, the ICO recognises that repeated requests for the same information in different formats, after it has already been provided, may be treated as manifestly unfounded or excessive. Any such assessment must be fact specific, narrowly applied, and clearly documented.
Disclosing identities of recipients
One of the most significant clarifications relates to the disclosure of recipients of personal data. The ICO states that organisations should disclose specific recipients by default.
Providing only categories of recipients should be the exception, permitted only where it is impossible to identify specific recipients or where disclosure would adversely affect the rights or freedoms of another person. Where categories are used, organisations must document their justification and any exemption relied upon.
Use of exemptions in supplementary information
The guidance confirms that exemptions may apply not only to the personal data disclosed, but also to supplementary information provided in response to a DSAR.
Where an exemption is relied upon, organisations should identify the specific exemption, document the balancing exercise undertaken, and record why disclosure would adversely affect the rights or freedoms of another individual.
What the courts have said
Harrison v Cameron
In Harrison v Cameron, the court confirmed that the right of access generally includes a right to know who personal data has been disclosed to. Reliance on categories of recipients alone requires justification, and organisations must be able to explain why naming specific recipients is not possible or appropriate.
The court also confirmed that exemptions, including the rights of others exemption, may apply to supplementary information in certain circumstances.
Ashley v HMRC
In Ashley v HMRC, the court clarified that not all information connected to an individual will qualify as personal data. Information must relate to an individual in a meaningful and biographical way.
The court confirmed that DSARs cannot be used as a means to access an organisation’s internal analysis or decision-making processes, supporting a targeted and proportionate approach to searches.
Practical implications for organisations
Organisations should review and update SAR policies and procedures, including when stop the clock provisions may be used. Refusal templates should be updated, and internal complaint handling workflows established or revised.
Clear documentation should be maintained for clarification requests, search scoping decisions, recipient disclosures, exemption reliance, refusals, and any fees charged. Staff responsible for handling SARs should receive targeted training to ensure consistent application of the updated guidance.
Conclusion
The ICO’s updated guidance reinforces the importance of transparency, proportionality, and procedural fairness in DSAR handling. While organisations now have greater clarity and flexibility in managing complex requests, expectations around reasoning, documentation, and accountability have increased.
Organisations should ensure their DSAR processes reflect these expectations to reduce both regulatory and reputational risk.
How Data Protection People can help
Data Protection People support organisations with DSAR process reviews, policy development, and staff training to help ensure requests are handled consistently and in line with ICO expectations.
Data Use and Access Act – Key Updates
UK data protection reform, key updates from the Data Use and Access Act
Significant reforms to UK data protection and ePrivacy law take effect on 5 February 2026 under the Data (Use and Access) Act 2025 (DUAA). The Act amends rather than replaces the UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). While core data protection principles remain intact, several material changes affect lawful bases, subject access rights, automated decision making, cookies, international transfers, and regulatory enforcement powers.
This document summarises the key changes and highlights practical implications for organisations subject to UK data protection law.
Background overview
The DUAA represents the UK Government’s targeted reform of UK GDPR and related legislation. Its stated aim is to clarify areas of legal uncertainty, reduce administrative burden, support innovation and research, and maintain high standards of data protection.
Many provisions reflect established ICO guidance but now have statutory footing. However, certain changes, particularly in relation to PECR fines, international transfers, and automated decision making, are substantive and require careful review.
What are the key changes?
1. Recognised legitimate interests
The DUAA introduces a new category of lawful processing under Article 6(1)(ea), permitting processing necessary for specified recognised legitimate interests. These include purposes such as crime prevention and fraud detection, safeguarding vulnerable individuals, public security, emergency response, and assisting public authorities.
Where processing falls strictly within the statutory list, organisations are not required to conduct a balancing test between their interests and the individual’s rights. However:
- Processing must still be necessary for the stated purpose.
- Transparency obligations continue to apply.
- This basis does not replace Article 6(1)(f); it operates alongside it.
What organisations need to do
Update lawful basis assessments and internal guidance. Clearly document reliance on Article 6(1)(ea) in records of processing activities and privacy notices. Ensure teams do not extend this basis beyond the defined statutory purposes.
2. Subject access request reforms
The DUAA formalises several clarifications regarding data subject rights.
(a) Reasonable and proportionate searches
Organisations are now required to conduct reasonable and proportionate searches. There is no obligation to conduct exhaustive searches of archives where this would be disproportionate. This reflects long-standing ICO guidance and applies to all ongoing and future subject access requests.
(b) Stop the clock mechanism
A new Article 12A allows organisations to pause the response deadline where clarification of scope is genuinely required or proof of identity is reasonably necessary. The response period is paused between the clarification request and receipt of a response.
What organisations need to do
Update SAR policies, procedures, and workflow tools. Train staff on lawful use of stop the clock provisions. Ensure decisions on scope and proportionality are documented and auditable.
3. Amendments to scientific research definition
The definition of scientific research has been broadened to explicitly include commercial and private sector research.
Key implications include the ability to rely on broad consent for related research areas, relaxed compatibility assessments for further processing, and facilitation of research innovation in commercial environments.
Organisations relying on research exemptions should review research governance frameworks, update consent language where relying on broad research consent, and ensure privacy notices clearly distinguish research from operational processing.
4. Cookie consent exemptions (PECR)
The DUAA introduces additional exemptions from cookie consent requirements under PECR. Consent is no longer required for cookies used solely for delivering a requested service, first party analytics for performance measurement, storing visual or functional user preferences, or fraud detection, security, or device integrity.
Third party advertising and tracking cookies still require consent. Transparency requirements remain, and users must still be informed and provided with clear opt out mechanisms where applicable.
PECR maximum fines increase from £500,000 to 4 percent of worldwide turnover, significantly increasing enforcement exposure for cookies, email marketing, and electronic communications.
What organisations need to do
Re-audit cookie categorisation. Update cookie banners and consent management platforms. Review email and electronic marketing practices.
5. Flexibility around AI and automated decisions
The changes replace Article 22 of the UK GDPR with a more permissive framework. Automated decision making with legal or significant effects is permitted using any lawful basis, provided safeguards are implemented.
Safeguards include informing individuals, allowing representation, providing human review, and enabling contest of decisions.
Organisations should identify automated decision making systems, ensure safeguards are operational, update AI governance and DPIA processes, and establish clear human review escalation pathways.
6. International data transfers
The DUAA reforms Chapter V by focusing transfer assessments on the receiving organisation’s legal jurisdiction rather than server location.
This may require reclassification of transfers, review of transfer risk assessments, and updates to contractual safeguards.
Organisations should re-map international data flows, reassess transfer risk assessments, update SCCs and vendor contracts, and update transfer risk assessment templates.
7. Charitable marketing soft opt-in
Charities may rely on a new soft opt-in for marketing communications relating to their own charitable purposes where individuals have expressed support or interest.
This does not extend to third party marketing. Clear opt-outs must still be provided, and charities should segregate charitable and third party marketing activities.
8. Enhanced ICO enforcement powers
The Information Commissioner’s enforcement powers are strengthened. The Commissioner may require organisations to appoint and fund external experts, compel interviews with staff, and exercise broader investigative powers.
Combined with higher PECR fines, enforcement risk is materially increased.
What organisations need to consider
Organisations should review and update privacy notices, records of processing, and lawful basis assessments. Subject access request procedures should be refreshed to incorporate stop the clock provisions.
International data transfers should be reassessed under the revised framework. Automated decision making governance and safeguards should be reviewed. Cookie consent mechanisms and marketing compliance under PECR should be updated.
Although the DUAA reduces administrative burden in certain areas, it does not diminish accountability. Organisations must continue to demonstrate lawful, fair, and transparent processing and be able to evidence compliance to regulators.
Sources
Data Use and Access Act 2025, February 2026 changes paper.
Data Protection People Podcasts
GDPR Radio, S2 Ep2: Data Protection News
Grok, the Online Safety Act, and UK AI Regulation
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
Listen back on Spotify
Episode highlights
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
Key takeaways for organisations
- If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
- If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
- If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
- When new tech risks emerge, reactive fixes often fall short, governance and risk management need to be built in from day one.
Useful links
Related from Data Protection People
- STAIRs event, 5 February, Leeds (limited tickets remaining)
- Upcoming session: DPIAs that actually protect people
- SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Lessons For Data Retention
Santa’s Naughty List, Lessons For Data Retention
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in-person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
GDPR Radio – Digital Omnibus, Personal Data and SAR Reform
Digital Omnibus, Personal Data Changes and What They Mean for You
Episode 227 of the Data Protection Made Easy Podcast hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of a live audience of listeners.
What We Covered in This Session
A Catch Up from Caine and Catarina
The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in-person STAIRs event coming soon.
Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.
The Digital Omnibus Package Explained
The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:
1. A New Approach to Personal Data
The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:
- how this could narrow the scope of personal data
- what this means for indirect identifiers and pseudonymised data
- how case law from Europe is already pushing towards this direction
- how this might affect UK organisations if mirrored in future reforms
2. Changes to Data Breach Reporting
Catarina outlines proposals that:
- raise the threshold so only high risk breaches need regulator notification
- extend the deadline from 72 to 96 hours
Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.
3. Reforms to Cookie Rules
The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.
Insights from Guest Contributor David Appleyard
David shares two important observations:
1. SAR Purpose Tests
Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.
2. High Risk AI Processing
David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.
CNIL Research on Selling Personal Data
Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:
- why people undervalue their own data
- how advertising, profiling and AI training increase the true value
- the growing need for public awareness and transparent communication
Looking Ahead
The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.
About the Data Protection Made Easy Community
Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:
- free weekly live sessions with the chance to ask questions
- practical guidance from experienced consultants
- early access to slides and resources
- networking with other privacy and security professionals
- invites to in-person events, workshops and sector focused discussions
- exclusive content only available to our community members
Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.
We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.
If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.
Subject Access Requests in Practice, Community Q and A
After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.
What we discussed
In this session we explore:
- Where to draw the line on property information as personal data in social housing
- How far to go when providing repair history and tenancy records
- SARs linked to disrepair claims, when to push back and when to provide more to be helpful
- Redacting staff names in emails and HR files, and what counts as excessive redaction
- How different organisations approach employment SARs and grievances
- Using the third party exemption to protect staff and witnesses
- Applying a reasonable and proportionate search so you focus your effort where it matters most
- The importance of documenting decisions and communicating clearly with data subjects
Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.
Who this session is for
- Data Protection Officers and privacy leads
- SAR handlers and information governance teams
- Housing providers dealing with disrepair and complaint driven SARs
- HR professionals managing employment SARs and grievances
If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.
Listen back and join the community
You can listen back to this episode now on Spotify and all major podcast platforms.
If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like-minded data protection practitioners.
Coming up next, GDPR Radio
This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.