What actually counts as GDPR training?
Short answer:
GDPR does not require a specific course, format, or qualification. What counts as GDPR training is any structured learning that is appropriate to the role, improves understanding of data protection responsibilities, and can be evidenced.
This flexibility is intentional — but it's also where many businesses get it wrong.
The four criteria the ICO cares about
Rather than focusing on formats, the ICO looks at whether training meets four core criteria. These criteria form the foundation of what regulators expect, and they are the starting point for any complete overview of GDPR training requirements for UK businesses.
1️⃣ Relevance to the role
Training must match what people actually do with personal data.
- HR and managers require deeper training
- Frontline or operational roles may only need awareness
- Irrelevant content adds no value and weakens your case
If training doesn't align to role risk, it's unlikely to be seen as appropriate.
2️⃣ Structure (not ad-hoc)
Training must be intentional, not accidental.
- planned sessions
- defined content
- consistent delivery
Informal chats, assumptions, or "common sense" briefings do not count as training on their own.
3️⃣ Evidence that it happened
If you can't prove it, it doesn't count.
The ICO expects organisations to show:
- who received training
- when it was delivered
- what it covered
Good intentions without records offer no protection.
4️⃣ Ongoing, not one-off
Training must be kept up to date.
This usually means:
- refresher training
- updates after incidents
- updates after role or system changes
Training done years ago rarely meets current expectations.
Types of training that do count
✅ These formats usually count as GDPR training
The following formats are generally acceptable if they meet the criteria above:
- online GDPR courses
- instructor-led training sessions
- structured onboarding training
- role-specific briefings
- refresher or update sessions
- documented internal training materials
The format matters far less than appropriateness and evidence.
Types of training that usually don't count on their own
⚠️ Top tip: These are common compliance traps
The following are rarely sufficient by themselves:
- sending a policy by email
- asking staff to "read the GDPR policy"
- informal chats with no record
- relying on prior knowledge
- assuming managers will "figure it out"
These may support training — but they don't replace it.
Courses vs briefings vs refreshers (what's the difference?)
This table helps clarify how different training types fit together.
| Training type | When it's appropriate | What it's used for |
|---|---|---|
| Full GDPR course | High-risk or decision-making roles | Core understanding and accountability |
| Role-specific briefing | Targeted responsibilities | Practical application in day-to-day work |
| Refresher training | Periodic updates | Reinforce knowledge and reflect change |
| Induction training | New starters | Establish baseline awareness |
| Incident-led training | After issues or near-misses | Prevent repeat failures |
A strong approach usually combines more than one of these.
What matters more than the training format
Regulators are not impressed by:
- expensive courses
- long slide decks
- certificates with no context
They are interested in outcomes.
🧠 Good practice: What auditors look for
Auditors and regulators look for:
- staff understanding their responsibilities
- consistent behaviour
- correct incident reporting
- decision-making aligned with policy
- evidence that training influenced practice
Training that doesn't change behaviour is treated as ineffective.
How this fits into wider GDPR compliance
GDPR training supports:
- accountability obligations
- breach prevention
- secure data handling
- consistent decision-making
This is why training is assessed alongside:
- policies
- access controls
- incident management
- audit readiness
For the full picture of what UK organisations must implement, see our GDPR Training Requirements for UK Businesses: The Complete 2025 Guide.
Learn more about whether GDPR training is mandatory for all employees, what the ICO expects from GDPR training, and how often GDPR training should be done.
The bottom line
There is no single thing that "counts" as GDPR training.
What matters is that training is:
- appropriate to the role
- structured
- documented
- refreshed
If training meets those criteria, it will usually stand up to scrutiny — regardless of format.
If it doesn't, even the most expensive course won't protect you.
If you're responsible for demonstrating GDPR compliance, having clear, role-based training records makes regulatory reviews far easier to manage.
Frequently Asked Questions: What Counts as GDPR Training?
Common questions about what types of training count as GDPR training, what formats are acceptable, and what the ICO looks for.
What actually counts as GDPR training?
GDPR does not require a specific course, format, or qualification. What counts as GDPR training is any structured learning that is appropriate to the role, improves understanding of data protection responsibilities, and can be evidenced. The ICO cares about four core criteria: relevance to the role, structure (not ad-hoc), evidence that it happened, and ongoing refreshers (not one-off).
What types of training count as GDPR training?
The following formats are generally acceptable if they meet the ICO criteria: online GDPR courses, instructor-led training sessions, structured onboarding training, role-specific briefings, refresher or update sessions, and documented internal training materials. The format matters far less than appropriateness and evidence. What matters is that training is appropriate to the role, structured, documented, and refreshed.
What doesn't count as GDPR training?
The following are rarely sufficient by themselves: sending a policy by email, asking staff to read the GDPR policy, informal chats with no record, relying on prior knowledge, or assuming managers will figure it out. These may support training but don't replace it. Training must be intentional (not accidental), structured with planned sessions and defined content, and evidenced with records of who received training, when it was delivered, and what it covered.
What's the difference between GDPR courses, briefings, and refreshers?
Full GDPR courses are appropriate for high-risk or decision-making roles (core understanding and accountability), role-specific briefings are for targeted responsibilities (practical application in day-to-day work), refresher training provides periodic updates (reinforce knowledge and reflect change), induction training establishes baseline awareness for new starters, and incident-led training prevents repeat failures after issues or near-misses. A strong approach usually combines more than one of these.
What matters more than the GDPR training format?
Regulators are interested in outcomes, not expensive courses or long slide decks. They look for: staff understanding their responsibilities, consistent behaviour, correct incident reporting, decision-making aligned with policy, and evidence that training influenced practice. Training that doesn't change behaviour is treated as ineffective. What matters is that training is appropriate to the role, structured, documented, and refreshed.
What are the four criteria the ICO cares about for GDPR training?
The ICO looks at whether training meets four core criteria: relevance to the role (training must match what people actually do with personal data), structure (training must be intentional with planned sessions and defined content, not ad-hoc), evidence that it happened (organisations must show who received training, when it was delivered, and what it covered), and ongoing refreshers (training must be kept up to date with refreshers, updates after incidents, and updates after role or system changes).