
Navigating the Complexities of Data Protection to Build Trust and Enhance Compliance

When it comes to data protection, most staff want to do the right thing—but they’re often unsure how. That’s why training is essential—not just to tick a compliance box, but to build real understanding.
Over hundreds of sessions, we’ve heard the same types of questions pop up. So, here are the top 10 questions employees ask during data protection training—along with the answers every business should know.
1. What counts as personal data?
Personal data is anything that can identify a living person—either on its own or when combined with other information. This includes names, emails, photos, IP addresses, and even opinions.
3. What should I do if I send an email to the wrong person?
Report it immediately to your data protection lead or manager—even if you think it’s harmless. Quick action can reduce risk and is key to meeting your legal obligations under GDPR.
4. Is a work email address considered personal data?
This depends on two factors: 1. whether you're marketing them, and 2. whether the email address contains the name of an individual (e.g. jane.doe@company.com). If you're marketing a limited company, then no. If it's not a limited company and the address contains the individual's name, then yes. The exception applies to generic email addresses such as info@; in that case you can still market them.
5. Can we keep data just in case we need it later?
This question comes up a lot and the answer is no. GDPR requires you to have a clear purpose for collecting and storing data. You must also have a policy for how long to keep it—and delete it when it’s no longer needed. This is usually 6 years for financial data.
6. Do I need consent to use someone’s data?
Not always. Consent is just one lawful basis. If you're marketing someone and they've bought from you in the past, then you can rely on what we call the soft opt-in exemption. Again, it applies to marketing, but under this exception you can send individuals details of your own services or similar ones, as long as you add an opt-out at the end of each email/SMS. If you do rely on consent, it must be freely given, specific, informed, and easy to withdraw.
7. What’s the difference between a data breach and a security incident?
A data breach involves personal data being lost, stolen, accessed, or shared without authorisation. A security incident might be technical or operational, but doesn’t always involve personal data.
8. Can I use personal data in AI tools like ChatGPT?
No—not unless you're using a secure, approved tool with the right data safeguards. Public AI tools may store or use the data you input, which can lead to breaches. Think of it like using public Wi-Fi: other people are logging in and may see a response based on your information.
9. Do I need to worry about GDPR if I work in the UK?
Yes—UK GDPR applies to anyone handling personal data in the UK, regardless of where the individual lives. It's the foundation of data protection compliance in UK organisations. GDPR also applies to you if you're selling products into the UK or Europe.
10. What happens if we get it wrong?
Things always go wrong. This is why we’re here to help. But most issues come from human error—which is why good training and a strong culture of awareness are your best defence.
If Your Staff Are Asking These Questions, You’re on the Right Track
Data protection isn’t just about policies and paperwork—it’s about people. Giving your team space to ask questions and get real-world answers is one of the most powerful ways to build a culture of compliance.
If you'd like to book a session with Clara, then reach out to her at clara.westbrook@wdps.co.uk