What Is GDPR and What Does It Mean for Your Team?

Most people have a rough idea what GDPR is. A regulation. Something to do with data. Europeans. Fines. Cookie banners that nobody reads.

What most people, including a lot of HR and L&D professionals, do not have is a clear understanding of what GDPR actually requires from their organization on a day-to-day basis. And that gap is exactly where things go wrong.

This post covers what GDPR is, who it applies to, what your employees need to know, and why training is not the optional extra most organizations treat it as.

What GDPR actually is

The General Data Protection Regulation came into force in May 2018. It is EU law, but it applies to any organization that processes personal data belonging to people in the EU, regardless of where the organization is based.

In the UK, post-Brexit, the same rules apply under UK GDPR. Same framework, same principles, enforced by the Information Commissioner's Office (ICO) rather than EU regulators.

The regulation exists because personal data had become enormously valuable and enormously mishandled. GDPR sets out rules for how organizations collect, store, use, and share information about people. It gives individuals rights over their own data. And it gives regulators serious enforcement powers when things go wrong.

The maximum fine under UK GDPR is £17.5 million, or 4% of annual global turnover, whichever is higher.

Who does it apply to?

Pretty much everyone. If your organization holds personal data of any kind (employee records, customer contact details, a marketing mailing list, a spreadsheet of job applicants), GDPR applies to you. There is no size threshold. A business with ten employees and one that has ten thousand are both subject to the same framework.

There is a common assumption that GDPR is really an IT or legal issue. Something for the data protection officer to worry about. In reality, the regulation applies to every person in your organization who handles personal data in any form. That is a much wider group than most employers realize.

The ICO is clear on this: training should be provided to all staff who process personal data as part of their role, and it should happen before they are given access to that data, not months after they have started.

What counts as personal data?

This catches people out more than almost anything else. Personal data is not just names and email addresses. Under GDPR, it is any information that can identify a living individual, directly or indirectly. That includes IP addresses, CCTV footage, location data from a phone or app, employee performance reviews, browsing history, and photos.

The bar is lower than most organizations assume. If a piece of information, combined with other information you hold, could identify a specific person, it is personal data, and GDPR applies to how you handle it.

The seven data protection principles

GDPR is built around seven principles. These are not guidelines. They are legal requirements. Every organization that processes personal data must be able to demonstrate compliance with all of them.

Lawfulness, fairness, and transparency. You need a lawful basis for processing personal data, and you need to be open with people about how their data is used. There are six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Using the wrong one, or failing to document which one applies, is a compliance failure.

Purpose limitation. Data collected for one purpose cannot be used for something else without a fresh lawful basis.

Data minimization. Collect only what you actually need. Not what might be useful one day. What you need, now, for a specific purpose.

Accuracy. Keep personal data up to date. If it is wrong, correct it.

Storage limitation. Do not keep data longer than necessary. This sounds obvious. In practice, most organizations have data sitting in folders, inboxes, and spreadsheets that nobody has looked at in years.

Integrity and confidentiality. Protect personal data against unauthorized access, loss, or destruction. This is where cybersecurity and data protection overlap.

Accountability. Be able to demonstrate that you are complying with all of the above. Not just say that you are. Show it.

That last one is where training becomes unavoidable. You cannot demonstrate accountability if your employees do not know what they are supposed to be doing.

Individual rights

GDPR gives people a set of rights over their own personal data. Your employees need to know these exist, because they will sometimes be on the receiving end of them from customers, from job applicants, from members of the public.

The rights include the right to access their data (a Subject Access Request, or SAR), the right to have inaccurate data corrected, the right to have their data deleted (the right to erasure, sometimes called the right to be forgotten), the right to restrict how their data is used, the right to data portability, and the right to object to certain types of processing.

Organizations have one month to respond to most of these requests. Missing that deadline, or failing to recognize that a request has been made in the first place, is a compliance failure. The ICO has issued enforcement action specifically over mishandled SARs.

Staff who interact with customers, clients, or the public need to be able to recognize a data rights request and know what to do when they receive one.

Data breaches: what your team needs to know

Under GDPR, a data breach is not just a hack. It is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

That includes sending an email containing personal data to the wrong recipient, losing a laptop or phone that contains personal data, a disgruntled employee accessing records they should not have, and a spreadsheet shared via a public link by mistake.

When a reportable breach occurs, organizations have 72 hours to notify the ICO. That is not a lot of time, particularly if the people who discovered the breach do not know it is a breach, or do not know who to tell.

Most data breaches are caused by human error, not sophisticated cyberattacks. The ICO consistently identifies inadequate staff training as a contributing factor in enforcement decisions.

Is GDPR training actually a legal requirement?

Technically, neither UK GDPR nor EU GDPR contains an article that says organizations must train their staff. But the accountability principle requires organizations to demonstrate that they have appropriate technical and organizational measures in place. Staff training is the primary organizational measure the ICO looks for.

Article 39 requires organizations with a Data Protection Officer to ensure staff are trained. Article 32 requires appropriate security measures, of which training is a core component. And the ICO's own guidance is unambiguous: training should be provided before staff access personal data, and at regular intervals thereafter.

The practical effect is that GDPR training is legally required. If a breach occurs and you cannot demonstrate that your team was appropriately trained, that absence will be treated as an aggravating factor in any enforcement decision. It will make a fine larger, not smaller.

One-off training is not enough. The ICO expects regular refresher training, at minimum annually, and more frequently for staff in high-risk roles such as HR, finance, and marketing.

What good GDPR training actually covers

Not all GDPR training is worth doing. A 20-minute click-through module that nobody remembers a week later does not meaningfully reduce your risk or strengthen your compliance position.

Good GDPR training for employees covers what personal data is and why the definition is broader than most people expect, the seven data protection principles in plain language, what a lawful basis is and why it matters, how to recognize and handle a Subject Access Request, what constitutes a data breach and what to do when one happens, and practical scenarios relevant to the employee's role.

The ICO expects training to be documented. Who completed it, when, and what it covered. Without records, training provides no compliance protection.

A note on keeping training current

GDPR is not static. The UK's Data (Use and Access) Act 2025, which came into force in February 2026, introduced changes to how organizations handle Subject Access Requests, automated decision-making, and cookie consent. If your training materials were written three years ago and have not been updated, they may no longer reflect current law.

This is particularly relevant for organizations using off-the-shelf training that they purchased once and have not touched since. If the vendor has not updated the content, your team may be learning from outdated material.

Where Eloqvia fits in

Our GDPR and Data Protection course covers everything your team needs to know: what personal data is, the seven principles, individual rights, data breaches, and how to handle real-world situations. Written in plain language, no legal background assumed.

You buy it once. It is yours permanently. No subscriptions, no per-seat pricing, no platform to log into, just a SCORM file you upload to your existing LMS. For regulation-linked courses, we offer an optional annual update plan so your content stays current when legislation changes.

Get in touch at info@eloqvia.com.
