The ICO exists to empower you through information.

This checklist is for sole traders, and other UK small businesses. Use it to help people in your business get the right information about handling personal data correctly.

Once you complete the checklist, you get a short report with practical actions you can take and additional guidance to improve how you give data protection training.

If you’re unsure if you need to comply with data protection law, you should take this short quiz first.

More information

You need to make sure everyone in your business knows how to handle people’s personal data correctly.

It's important that someone in your business takes responsibility for delivering data protection training.
This could be you or you can choose someone else.

Make sure all your workers know who that person is and how to contact them.

The responsible person needs to put plans in place to meet training needs within agreed timescales.

More information

The responsible person needs to understand key parts of data protection law, so they can train or help colleagues.

There are seven data protection principles, which should form the basis of training. They are:

  • lawfulness, fairness, and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

The training should also include explanations of key terms, such as:

  • personal data;
  • data subject;
  • personal data breach; and
  • information rights.
More information

In addition to understanding key data protection terms, everyone needs training that is specific to their roles and responsibilities.

You should include this in your training plans.

For example, the person who cleans your premises is unlikely to need training in all aspects of data protection. However, they do need to be able to spot when personal data is not being stored securely and who to tell.

Others may need more in-depth training, for example in:

  • sharing data;
  • avoiding personal data breaches;
  • keeping premises and data secure; and
  • the importance of good records management.

It’s also important to assess learning at the end of the training to test understanding.

More information

New starters need data protection training within a month, and before accessing any personal data.


You should provide refresher training to all workers at regular intervals. Ideally you should provide it annually, but it should not exceed two years.


If anyone needs additional support – for example, if you assess their knowledge and they get a low score - provide further training. Don’t wait until the next scheduled refresher training.

More information

The responsible person should keep a log of who completes training and when people require refresher training.

It should include where people require further support or guidance - for example if someone gets a low pass mark.

They should follow up with people who haven’t completed their training and make sure they complete it as soon as possible. For new starters, this should be within one month and before they access any personal data.