Data Protection

Data protection relates to how personal and sensitive data is collected, used and stored by all organisations.

Our Data Protection Refresher will remind your staff what personal and sensitive data are, why it needs protecting and how to ensure compliance with the General Data Protection Regulation (GDPR).

Objectives

What you’ll learn in this course

  • Recognise the importance of data protection to all of us
  • Know what is expected of you to comply with data protection laws
  • Comply with the data protection principles and our Company's legal obligations to safeguard personal information
  • Feel confident in reporting any data breaches promptly

Bring your courses to life with AI

Boost staff engagement by putting support and just-in-time learning front and centre. Aida delivers instant, reliable answers to compliance questions and recommends policies or training directly within your daily workflow, including MS Teams and soon Copilot. This reduces repetitive queries for your compliance team and helps identify knowledge gaps and risks.

Your questions, answered

Where can I track incidents involving personal data?

Tools such as a Data Breach Register enable you to log, track, and respond to data breaches and similar incidents efficiently. Skillcast offers this tool, making it easy to document and manage incidents in line with compliance requirements.

How can I ensure that employees formally attest to our internal Data Protection Policy?

Our Policy Hub tool allows you to easily assign policies, track when employees read them, and capture their attestation with a simple digital acknowledgement. The tool also provides automated reminders to employees who haven't yet acknowledged the policy, ensuring full compliance and a clear audit trail.

What makes a password secure?

A secure password is long (ideally 12+ characters), contains a mix of letters, numbers, and symbols, and avoids obvious choices like names, birthdays, or simple sequences.

What is a passphrase, and is it better than a password?

A passphrase is a string of unrelated words (e.g., "BlueMonkeySkyLadder!") that's easier to remember but harder to crack. It’s often more secure and user-friendly than traditional complex passwords.

How can organisations help staff manage secure passwords?

Encourage the use of password managers, provide cybersecurity training, and implement policies that support strong, unique password creation.

What exactly must be included in a DSAR response under GDPR?

Under Article 15 of the GDPR, a controller must provide confirmation of processing, access to the personal data, and supplemental information such as:
  • Purposes of processing
  • Types of personal data involved
  • Recipients of data (including third countries)
  • Retention period or criteria
  • Data source (if not collected directly)
  • Rights to rectification, erasure, restriction, or to object
  • Right to lodge a complaint with a supervisory authority
  • Automated decision-making logic and consequences
Plus, where relevant, safeguards for international transfers.

Can I ask for identification before fulfilling a DSAR?

Yes. Controllers should apply reasonable identity verification measures to ensure that they don't disclose data to the wrong person. However, it is important not to request excessive or unnecessary documentation, especially formal ID, if other reasonable methods (such as email verification or an identity-proofing platform) are available.

How is the one-month response deadline calculated precisely?

GDPR mandates response "without undue delay" and within one month from receipt of the request, or from receipt of necessary information to verify identity or a valid fee. That deadline runs to the same calendar date the following month; if that date doesn't exist (e.g., from 31 January), the deadline is the last day of the next month. If it falls on a weekend or holiday, the next working day applies.

When and how can the response deadline be extended?

A controller can extend the deadline by up to two months if the request is complex or the data subject has submitted multiple rights requests simultaneously (e.g., access, erasure, portability). However, the extension must be issued within the initial one-month period, providing reasons for the delay.

How is data privacy different from data security?

They’re closely related but differ: data privacy is all about how personal info is collected, used and shared, centring on policies, consent and ethical handling, whereas data security focuses on protecting information using technical measures.

Who is responsible for data privacy in compliance training?

Your organisation (the data controller), even if training is delivered through a third-party vendor (data processor) such as Skillcast.

What is multi-factor authentication?

Multi-factor authentication is a security protocol that requires two or more steps of verification when attempting to gain access to an account/system. The first is typically a username/email combination and the second can be one-time passcodes, biometrics, verification codes through email or text, authentication apps or FIDO2. It’s more secure than relying on passwords alone because it requires a device or biometrics, which cybercriminals don't typically have access to.

What is the difference between MFA and 2FA?

Two-factor authentication (2FA) is a type of multi-factor authentication that uses a two-stage verification process. For example, you may be required to log in using your password and username, and then a one-time passcode, which is sent through your email. MFA can include two, three or more factors of verification, but the government recommends using the authentication method that is best suited to the specific needs and risks of what is being protected.

How to log in with MFA?

With Skillcast, once you've entered your username and password, you will be presented with a one-time passcode screen. Click 'Get OTP' and you will be sent a code to your registered email address. The code is time-limited, so enter it into the screen quickly and then click 'Validate OTP' to sign in.

Are Skillcast courses SCORM-compliant?

Yes. This means they can be delivered via the Skillcast Portal or any other SCORM-compliant Learning Management System.

What other tools are needed beyond training?

A comprehensive compliance solution often needs more than just training. Alongside e-learning, tools such as declarations, surveys and registers that track compliance tasks are usually essential. Skillcast provides full support to help you set up these additional tools.

Is our training content still compliant with the latest legislation?

  • You can check the latest course content updates in our library updates page: https://www.skillcast.com/compliance-course-library-updates
  • For major legislative changes, we:
    • Send you email alerts to ensure you are notified
    • Offer you a free trial of newly created or updated content
    • Host webinars with compliance experts to explain the changes and how our training supports your ongoing compliance

Can you translate our content into other languages?

Yes, we offer translations in a wide range of languages. Let us know your needs, and we’ll confirm availability or work with you to plan translations for your selected modules.

What file types are supported by the Skillcast system?

Supported file types and details, by feature:

  • File Exchange: File types: PDF, Excel spreadsheets, Word documents, SCORM and xAPI files, and compressed zip files. Max file size: default is 1GB, can be increased to a max of 2GB.
  • SCORM files: Versions: SCORM 1.2, SCORM 1.2 for Moodle, SCORM 2004 2nd, 3rd and 4th Edition. Max file size: 1024MB.
  • xAPI file: Max file size: 2GB.
  • Videos: File types: MP4 or MOV. Videos must be optimised, with a max file size of 100MB. If the file is bigger, our Design Team can help.
  • Images: File types: jpg, png and gif. The file size should ideally be 100KB, but it can be up to 250KB.
  • CPD evidence: File types: Word, PDF, Excel and CSV. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB.
  • Policy documents: File types: PDF or Word. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB.
  • Offline activities evidence: File types: PDF, DOC, DOCX, XLS, XLSX, CSV, PNG, GIF, JPEG, JPG, PPTX and MSG. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB.
  • Client logo files: File types provided by client: EPS, PDF, AI and SVG.
  • Registers: PDF, DOC, DOCX, XLS, XLSX, CSV, PPT, PPTX, POT, PPA, PPS, JPG, JPEG, PJPEG, PNG, BMP, GIF, MP4, MOV, WMV, CPTX, CP, TXT, ZIP and MSG files.
  • Declarations: JPG, JPEG, PNG, GIF, XLS and XLSX files.


 

What is Aida and how does it ensure reliable answers?

Aida is an AI tutor embedded in courses that allows learners to ask questions at any point during learning. It draws exclusively on content that has been vetted and curated by your organisation, including course materials, internal policies, approved web resources, and regulator sites. This curated approach ensures answers reflect accurate, organisation‑specific guidance.

Can administrators see what questions are asked and how Aida responds?

Yes. Reporting includes both the questions asked and Aida’s responses. For meaningful insight, questions are also categorised by topic (e.g., records management, gifts and hospitality) to reveal trends. All reporting is anonymised by default to encourage open, non‑threatening inquiry. To protect assessment integrity, Aida is disabled during assessments and is only available during the learning components of a course.