How GDPR-ready are UK businesses in 2026? The headline data-protection compliance and training statistics in one place — awareness of the ICO, how many firms actually train staff, the widening small-business gap and what the new Data (Use and Access) Act 2025 changes — with the data period stated next to every figure.

The most reliable UK data-protection compliance figures come from two recurring official surveys that most competitors overlook: the government's UK Business Data Survey (UKBDS), run by the Department for Science, Innovation and Technology and published on 18 June 2026, and the annual Cyber Security Breaches Survey (CSBS), published in May 2026. Together they measure how aware UK firms are of the rules, whether they train their people, and who leads on compliance.

This page pulls the headline preparedness numbers from both surveys together. It is scoped to awareness, preparedness and training — the "how compliant are UK firms?" question — with the data period beside every figure and every source linked in full at the end. Breach-incident counts and fine totals are covered on separate pages and referenced only in passing.

Key facts and figures

  • 62% of UK businesses handling digitised data have heard of the ICO and know what it does; 21% have never heard of it at all (UKBDS 2026).
  • 11% of businesses ran data-protection training for existing staff in 2025/26 — down from 23% in 2023/24, roughly halving in one cycle (UKBDS 2026).
  • 10% of micro businesses ran data-protection training in 2025/26, against 49% of large businesses — the clearest small-firm gap (UKBDS 2026).
  • 56% of firms that employ staff and handle personal data have someone whose role includes leading on compliance — 53% of micro firms vs 92% of large ones (UKBDS 2026).
  • 46% of businesses handling personal data agree the ICO's guidance is "clear and easy to understand"; 34% are neutral and 9% disagree (UKBDS 2026).
  • 19% of businesses carried out any staff cyber-security training or awareness activity in 2025/26 — unchanged year on year (CSBS 2025/26).
  • 31% of businesses have board-level responsibility explicitly assigned for cyber security and data protection, up from 27% (CSBS 2025/26).
  • 5 February 2026 — the date the main data-protection reforms in Part 5 of the Data (Use and Access) Act 2025 came into force, changing what firms must train against (GOV.UK).

The headline preparedness measures at a glance:

MeasureLatest figureData periodTrend / detail
Businesses that know what the ICO is62%UKBDS 2026 (fieldwork Oct 2025 – Jan 2026)21% have never heard of it
Firms training existing staff on data protection11%2025/26 (UKBDS 2026)Down from 23% in 2023/24
Micro businesses running data-protection training10%2025/26 (UKBDS 2026)49% among large businesses
Firms with someone leading on compliance56%UKBDS 202692% of large firms, 53% of micro firms
Businesses running any staff cyber-security training19%2025/26 (CSBS)Unchanged year on year; 84% of large firms
Board-level responsibility for cyber / data protection31%2025/26 (CSBS)Up from 27% the prior year

These are the latest figures available as of July 2026, and this page is updated as new data is released — the UK Business Data Survey is republished on a roughly annual-to-biennial cadence (2026, 2024, 2022, 2021), the Cyber Security Breaches Survey each spring, and the Data (Use and Access) Act 2025 continues to phase in through 2026, supplying fresh compliance milestones to train against.

What percentage of UK businesses have trained staff on data protection?

Just 11% of UK businesses ran data-protection training for existing staff in 2025/26, down from 23% in 2023/24 — a near-halving in a single survey cycle, according to the UK Business Data Survey 2026 (fieldwork October 2025 to January 2026, n=4,450). It is the single most striking preparedness finding in the survey: at a moment when the law is changing, formal training has gone backwards, not forwards.

The wider picture is no more reassuring. The Cyber Security Breaches Survey 2025/26 found that fewer than one in five businesses — 19% — carried out any staff cyber-security training or awareness activity in the year, exactly the same as the year before. Data-protection training and cyber-security training are related but distinct, and both are stuck at low levels while the risk backdrop climbs.

Training matters because most everyday compliance failures are human, not technical — a misdirected email, an unlocked spreadsheet, a subject access request nobody recognised. For how staff mistakes translate into reported incidents, see our human error data breach statistics, and for the volume of reports themselves our UK data breach statistics page.

How aware are UK businesses of the ICO and GDPR requirements?

62% of UK businesses handling digitised data have heard of the Information Commissioner's Office and know what it does, according to the UK Business Data Survey 2026. Another 17% have heard of the ICO but do not know what it does, and 21% have never heard of it at all — meaning more than a third of firms handling data cannot correctly place their own regulator.

Awareness is uneven, and the survey shows it climbs steadily with organisation size and varies sharply by sector. 73% of large businesses know what the ICO is, against 56% of micro businesses, and awareness peaks at 94% in finance and insurance — the sectors where data protection is most tightly bound into day-to-day regulation.

Understanding the regulator is only half the battle; firms also have to find its guidance usable. Only 46% of businesses handling personal data agree the ICO's published guidance is "clear and easy to understand", with 34% neutral and 9% disagreeing. That clarity gap matters for training: if fewer than half of firms find the official guidance easy to follow, the case for structured, plain-English training rather than DIY interpretation is strong.

Are small businesses less GDPR-compliant than large ones?

Yes — on almost every measure, and the training gap is the starkest of all: 10% of micro businesses ran data-protection training in 2025/26 against 49% of large businesses. The UK Business Data Survey 2026 shows the same size gradient running through awareness, accountability and training alike, so the smallest firms are consistently the least prepared.

Accountability follows the same pattern. Across firms that employ staff and handle personal data, 56% have someone whose role includes leading on data-protection compliance — but that falls to 53% among micro businesses and rises to 92% among large ones. The Cyber Security Breaches Survey shows an even wider training divide on the cyber side: 84% of large businesses ran staff cyber-security training or awareness activity in 2025/26, against just 19% of businesses overall.

Some of the gap is structural — a two-person firm will not have a dedicated data-protection lead the way a bank does — but the risk does not scale down in the same way. Small firms hold real personal data, face the same UK GDPR duties and the same subject access request obligations, and are the least likely to have anyone whose job is to keep on top of them. Who exactly the rules apply to, regardless of size, is covered in our guide to who GDPR applies to.

Preparedness measureMicro businessesLarge businessesSource
Ran data-protection training (2025/26)10%49%UKBDS 2026
Someone leads on data-protection compliance53%92%UKBDS 2026
Know what the ICO is56%73%UKBDS 2026
Ran any staff cyber-security training84%CSBS 2025/26 (19% all firms)

Who leads on data-protection compliance in UK firms?

56% of businesses that employ staff and handle personal data have someone whose role includes leading on data-protection compliance, according to the UK Business Data Survey 2026 — which means a substantial minority have no named owner for the task at all. The figure is 92% among large businesses and 53% among micro businesses, so the accountability gap tracks size just as training does.

Dedicated resource is rarer still. The survey found 29% of businesses employ or outsource specialist data-protection staff, while 44% have no dedicated full-time compliance role of any kind. For most UK firms, in other words, data protection is a part of someone's job rather than anyone's whole job — which puts the weight on that person actually being trained.

The compliance workload is not letting up to compensate. 76% of businesses say the compliance burden stayed about the same over the last 12 months, 19% say it increased and just 1% say it decreased (UKBDS 2026). A steady-to-rising burden, carried by part-time owners in firms that mostly aren't training staff, is the structural weakness the numbers keep pointing back to. Assigning a clear owner is a recognised first step; our ROPA and Article 30 guide covers the documentation that owner is responsible for.

What is the Data (Use and Access) Act 2025 and does it change GDPR training needs?

The main data-protection reforms in Part 5 of the Data (Use and Access) Act 2025 came into force on 5 February 2026, according to GOV.UK guidance, with further duties phased in through June 2026. The Act sits on top of the UK GDPR and the Data Protection Act 2018 rather than replacing them — but it changes several rules staff have to work to, which is precisely why the training slump is badly timed.

The reforms touch areas that show up in everyday handling: the lawful bases for processing (including a new category of "recognised legitimate interests"), the rules on automated decision-making, and the way subject access requests and complaints must be handled. Firms that trained staff against the pre-2026 rulebook now have material to refresh, and firms that never trained at all are further behind than before. For the mechanics of the requests themselves, see our subject access request statistics; for how the Act interacts with the wider regime, our UK GDPR vs EU GDPR guide gives the context.

Confidence, unsurprisingly, is not high. In a European study by Usercentrics (UK subset n=150, fieldwork December 2024, published March 2025), only about one-third of businesses were fully confident in their data-protection compliance, and 43% of UK firms said clearer guidelines would improve that confidence — a vendor survey rather than an official source, so best read as directional colour alongside the government figures, but consistent with the UKBDS clarity gap. Enforcement, meanwhile, remains real: our GDPR fines and enforcement statistics track the penalties on the other side of getting compliance wrong.

Frequently asked questions

What percentage of UK businesses have trained staff on data protection?

Just 11% ran data-protection training for existing staff in 2025/26, down from 23% in 2023/24, according to the UK Business Data Survey 2026 — a near-halving in one cycle. On the broader cyber-security side, the Cyber Security Breaches Survey found 19% of businesses ran any staff training or awareness activity, unchanged year on year.

How aware are UK businesses of the ICO and GDPR requirements?

62% of businesses handling digitised data know what the ICO is and what it does; 17% have heard of it but do not know what it does, and 21% have never heard of it (UKBDS 2026). Awareness rises with size — 73% of large firms against 56% of micro firms — and peaks at 94% in finance and insurance.

Are small businesses less GDPR-compliant than large ones?

Yes, on almost every measure. Only 10% of micro businesses ran data-protection training in 2025/26 against 49% of large businesses, 53% of micro firms have someone leading on compliance against 92% of large firms, and ICO awareness is 56% against 73% (UKBDS 2026). Smaller firms are consistently the least prepared.

What is the Data (Use and Access) Act 2025 and does it change GDPR training needs?

It is a 2025 law that amends the UK GDPR and Data Protection Act 2018; the main data-protection reforms in Part 5 came into force on 5 February 2026, with further duties phased to June 2026. It changes lawful bases, automated-decision rules and how subject access requests and complaints are handled — so it changes what staff must be trained against, even though the seven core principles are unchanged.

How many UK firms have no one leading on data-protection compliance?

Around 44% of businesses have no dedicated full-time compliance role, and 44% of firms that employ staff and handle personal data have no one whose role includes leading on compliance (56% do). Only 29% employ or outsource specialist data-protection staff (UKBDS 2026).

Is the compliance burden on UK businesses increasing?

Most firms say it is steady: 76% report the compliance burden stayed about the same over the last 12 months, 19% say it increased and 1% say it decreased (UKBDS 2026). Board-level ownership is edging up on the cyber side — 31% of businesses have it explicitly assigned, from 27% the year before (CSBS 2025/26).

Sources & references

With formal data-protection training halved and the DUAA 2025 changing the rules, a short accredited course is the simplest way to get your whole team back up to standard.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, GDPR compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.