GDPR Compliance Online Course

Although the UK has now left the European Union, employees must comply still comply with UK data protection laws.

Now, the UK's main data protection law is still known as the GDPR.

GDPR Hero covers a broad range of topics to ensure your staff are clear on how to handle and protect data within your organisation.

Start a Free Trial

Chevron Skillcast chevron graphic
GDPR Compliance Online Course

About this Course

In this premium e-learning course, we first conduct a brief overview of the UK GDPR to settle into the topic. Then we challenge learners on their knowledge of the UK GDPR through quickfire questions. Finally, a feedback page details the topics each learner needs to work through in order to complete the course. 

Learning Objectives 

This course covers the following key areas:

  • The six principles of data processing
  • Individual Rights
  • The lawful basis for data processing
  • Legitimate interests
  • Consent
  • Dealing with special categories of data
  • Personal data breaches
  • International transfers
  • Accountability and governance
  • Data Protection Impact Assessments (DPIAs)

Course Outline


Overview of the GDPR

- Exercise: Key definitions
- Exercise: Data processing
- Exercise: Lawful basis
- Exercise: Rights
- Exercise: Compliance measures
- Exercise: Breaches

The Challenge

- Multi-choice questions to assess existing knowledge

How Am I Doing?

- Dashboard view of training needs in 10 key topics

Six Principles of Data Processing

- What are the key principles
- Can we process personal information for another purpose?
- How can we meet the data minimisation principle?
- Does this meet the accuracy principle?
- Does this violate the storage limitation principle?
- How can we be more proactive when it comes to security?
- Best practice and the six principles of data processing

Individual Rights

- What are Individual Rights?
- How should we meet the right to be informed?
- What is the right of access?
- Do we need to fulfil this request?
- When requests are refused or the time is extended
- What other rights do individuals have under the GDPR?
- Is the right to rectification justified?
- When does the right of erasure apply?
- Does the right of erasure apply in this case?
- When does the right to restrict processing apply?
- What other rights do individuals have under the GDPR?
- What rights do you have to stop marketing?
- Can we make solely automated decisions with a legal or significant impact on individuals?
- What is the right to data portability?
- Best practice and individual rights

Lawful Basis for Data Processing

- What is the lawful basis?
- Why is lawful basis important?
- The six lawful bases
- Relying on consent
- When might we rely on contract?
- You decide: What lawful basis applies in this case?
- Can the company share our personal data?
- Can we rely on contract for this purpose?
- Other obligations in respect of lawful basis
- When is legitimate interests appropriate?
- When we use consent as the lawful basis
- Can we switch the basis from consent to legitimate interests?
- The link between lawful basis and individual rights
- Best practice on the lawful basis for processing personal data

Legitimate Interests

- What is a legitimate interest?
- When might individual interests override Company interests?
- When the interests of the Company and individuals collide
- The Legitimate Interests Assessment (LIA)
- Sophie's story: The purpose test
- Sophie's story: The necessity test
- Sophie's story: The balancing test
- Meeting the GDPR principles
- Individual rights when relying on legitimate interests
- Documenting and reviewing your LIA
- Best practice for using legitimate interests


- What is consent?
- Do we always need consent?
- Is consent the gold standard?
- When do we need consent?
- What constitutes valid consent?
- Can we automatically enrol website visitors?
- Consent can't be bundled with another action
- Consent by default?
- Does consent always require an opt-in box?
- How should we obtain consent?
- How long does the consent last?
- Right to withdraw consent
- Best practice in obtaining consent

Dealing with Special Categories of Data

- What is special category data?
- Is it special category data?
- Collecting special category data
- Conditions for processing special category data
- What separate condition would apply in this case?
- Conditions for processing special category data
- What is the condition for substantial public interest?
- Safeguarding special category data
- How should we protect special category data?
- What more can we do to protect special category data?
- Best practice and special category data

Personal Data Breaches

- The impact of data breaches
- Do we always need to report breaches?
- Informing individuals
- Recognising data breaches
- Informing relevant people
- What information is required for a breach notification to the ICO?
- What if we don't have all the information yet?
- Assessing the impact on individuals affected by a data breach
- Do the affected individuals need to be informed?
- Data breaches and third parties
- Accountability
- Documentation
- Best practice and personal data breaches

International Transfers

- What are restricted transfers?
- Checklist for restricted transfers
- Is it a restricted transfer?
- Adeel's bookings
- What's the difference between transfer and transit?
- How can you make a restricted transfer in accordance with the GDPR?
- Is there an "adequacy decision"?
- Can PNR data be shared outside the UK?
- Are there appropriate safeguards?
- What appropriate safeguards are in place?
- What are the main exceptions?
- Do you know what exception applies here?
- Best practice and international transfers

Accountability & Governance

- What does accountability mean in data protection?
- How do we demonstrate accountability?
- Good Governance Measures 1-3
- Who needs a DPO?
- Good Governance Measures 4-5
- When do we need to conduct a DPIA?
- How can we mitigate risks?
- Good Governance Measures 6-8
- Checklist
- Best practice in accountability and governance

Data Protection Impact Assessments

- When do you need a DPIA?
- Benefits of conducting a DPIA
- How to conduct a DPIA
- Exercise: When is a DPIA required?
- Scenario: CCTV data
- The risk of CCTV
- The legal basis for CCTV
- The necessary criteria for CCTV
- CCTV in the workplace
- The impact of CCTV on privacy
- Best practice for DPIAs


Course Specifications




Approximately 90-minutes long e-learning course followed by a 10-question assessment.



Suitable for DPOs, senior managers, and frontline staff that regularly deal with personal data. Previous knowledge of data protection legislation required.



SHARD-compliant, responsive display on all devices, accessibility on screen readers, visual design controlled via a client style sheet.



All Windows, Mac OSX, iOS, Android (Flash-free for mobile compatibility). AICC and SCORM 1.2-compliant, suitable for both hosted and deployed SCORM or AICC.



Fully customisable on Skillcast Portal CMS.



Pre-translated versions not available, but all text content can be exported for translation into all languages.



Based on UK legislation, but suitable for global audiences upon the removal of UK-specific references and translation as necessary.

Try our courses for free...

Compliance Essentials Library is our best-selling comprehensive corporate training solution.

100+ e-learning and microlearning courses that help companies from SMEs to global corporates achieve compliance success.

Start a Free Trial

Chevron Skillcast chevron graphic