The ICO exists to empower you through information.

Follow up on non-completion of training

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

Control measure: There is a process to identify and follow up on non-completion or non-attendance of data protection related training.

Risk: If there is no process in place to identify and follow-up when staff miss or fail to complete training, there is an increased risk of personal data breaches and non-compliance with data protection law.

Ways to meet our expectations:

Allocate responsibility for identifying staff who have not completed or attended data protection training, and for ensuring the staff complete it.
Implement procedures to ensure that a staff member completes or attends data protection training as soon as possible, if they have failed to do so.
Consider removing access to personal information from staff who fail to undergo data protection training.

Options to consider:

Allocate some specific ‘protected’ time for staff to complete training.