
Data Protection Training for Employees (GDPR): What the ICO Expects and How to Get It Right

  • Writer: Jake Richards
  • Sep 25
  • 3 min read

If your employees access/process personal data, they must be trained—before access, then regularly. The ICO expects an all-staff programme, role-specific modules, record-keeping, and ongoing awareness. Training underpins the accountability and security principles in the UK GDPR: it’s evidence you’ve taken “appropriate technical and organisational measures.” Skipping it risks breaches, 72-hour reporting failures, reputational harm, and possible fines.


Meeting room with a screen displaying data protection training

Why this matters now


Picture this: a rushed team member emails a spreadsheet to the wrong “James.” You now face a personal data breach—and a 72-hour clock to notify the ICO if risk to individuals is likely. Organisations repeatedly report misdirected emails among the most frequent incidents to the ICO. Solid, documented staff training dramatically reduces that risk—and proves you took proportionate steps when the regulator asks for your training records.



What the ICO expects from your data protection training programme


The ICO sets out the following expectations for a data protection training programme:


  • Your programme incorporates national and sector-specific requirements.

  • Your programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.

  • You consider the training needs of all staff and use this information to compile the training programme.

  • You assign responsibilities for managing information governance and data protection training across your organisation and you have training plans or strategies in place to meet training needs within agreed time-scales.

  • You have dedicated and trained resources available to deliver training to all staff.

  • You regularly review your programme to ensure that it remains accurate and up to date.

  • Senior management sign off your programme.


These are not “nice-to-haves”—they’re the ICO’s baseline expectations.


The UK GDPR underpins these expectations as follows:


  • Accountability principle: You must be able to demonstrate compliance—training records are Exhibit A.

  • Article 24 (controller responsibilities): Put in place appropriate technical and organisational measures—training is a core organisational measure.

  • Article 32 (security of processing): Security isn’t only tech; it requires people controls, testing, and resilience—again, training.

  • Article 39 (DPO tasks): Where you have a DPO, they must monitor compliance including awareness-raising and training.


The National Cyber Security Centre reinforces this: “User education and awareness” is one of the UK’s 10 Steps to Cyber Security.



Risk, cost… and the price of doing nothing


Beyond incident response costs, the ICO can fine for serious infringements up to £17.5m or 4% of worldwide turnover, whichever is higher. Even “administrative” failings (e.g., weak records or late breach reports) can attract the standard maximum (up to £8.7m or 2%). Training is one of the cheapest controls to reduce both likelihood and impact.



How LAUDIS can help


At LAUDIS, we understand that effective data protection training is more than a box-ticking exercise—it’s about building confidence, reducing risk, and showing the ICO that your organisation takes compliance seriously. Our training solutions are designed to give your employees the awareness and knowledge they need to handle personal data responsibly, while giving you peace of mind that your business is protected.

Ready to de-risk? Take a look at our Data Protection Training and get compliance evidence your board can stand behind. 👉 Visit our training page | 📞 Prefer a chat? Let’s talk.


FAQs



What are the Data Protection Act / UK GDPR principles?


There are seven:

  1. Lawfulness, fairness, transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability


What’s the difference between data protection and data security?


“Data protection” is the full framework (lawful basis, rights, governance, risk). “Data security” is one principle within that framework and is underpinned by Article 32 measures—and by trained people using systems correctly.


How often should refresher training run?


The ICO expects refresher training at appropriate intervals—annually would likely be a minimum for most staff; higher-risk roles may require more frequent touchpoints.
