Training Records
Definition
Under the EU General Data Protection Regulation (GDPR), training records are documented evidence that staff and relevant contractors have received privacy and security training appropriate to their roles and the organisation’s processing activities. While the GDPR does not mandate a single universal training format, it expects organisations to implement and be able to demonstrate appropriate technical and organisational measures (Articles 24 and 32) and to uphold accountability (Article 5(2)).
In practice, training records help show that people who handle personal data understand key obligations, such as secure handling, confidentiality, incident reporting, and lawful processing practices. Training records also support the Data Protection Officer (where appointed) in monitoring compliance through awareness-raising and training activities (Article 39).
A good training record typically captures who was trained, what was covered, when it occurred, the delivery method (e.g., e-learning, workshop), and proof of completion (e.g., attestation, quiz score, certificate). These records should be protected against tampering and retained for a period that is proportionate to risk, legal needs, and audit expectations. Comparable evidence is also commonly expected under other assurance and management system frameworks (e.g., ISO/IEC 27001 and SOC 2), even when not required by a specific law.
Real-World Examples
Startup onboarding privacy training log
A small SaaS startup tracks new-hire privacy onboarding with completion dates, quiz scores, and signed acknowledgements in a controlled repository.
Role-based training evidence for engineers
A scaleup documents annual secure coding and data handling training for engineers, including course outlines, attendee lists, and completion proof.
Enterprise audit-ready training repository
A large enterprise maintains tamper-evident records of mandatory privacy training, refresher cycles, and targeted sessions for high-risk teams and processors.
Training records are documented proof that people completed required security, privacy, or compliance training, including details like dates, content, and completion evidence.
Auditors use training records to verify that staff are educated on policies and risks and that the organisation can evidence ongoing awareness and compliance practices.
A training record should capture who attended, when it happened, what topics were covered, who delivered it, and objective proof of completion such as an attestation or test result.
Map required training to roles, maintain separate course outlines and completion logs per team, and keep evidence that each person completed the modules relevant to their access and duties.
Retention should be risk-based and aligned to legal and audit needs; many organisations keep records for several years to demonstrate sustained compliance across audit cycles.
Store records in access-controlled systems with audit logs, immutable or versioned storage, and defined permissions so updates are traceable and unauthorised changes are prevented.
Use completion evidence such as signed acknowledgements, LMS completion certificates, timestamps, quiz scores, and system logs that link the training outcome to the individual.
Certificates are one type of evidence, but training records are broader and include context like course content, dates, assignment to roles, and organisation-wide tracking information.
Ownership varies by organisation, but HR, security, and compliance typically share responsibility, with clear accountability for tracking completion and producing audit evidence.
Common options include learning management systems (LMS), HRIS platforms, ticketing/workflow tools, and governed document repositories that can export reports and preserve audit trails.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |