GDPR Staff Compliance Training Course

Data protection relates to how all organisations collect, use, and store personal and sensitive data. That includes the government, companies, service providers and anyone who manages data.

Data protection legislation, which includes the General Data Protection Regulation (GDPR), aims to help prevent data misuse and inflicts penalties on those in breach of the law.

Our Data Protection Online Training Course will help your employees understand what personal and sensitive data are, why they need protection, and how to comply with the GDPR.
  • 30 Minutes
  • All staff

Learning objectives

  • Distinguish between non-personal, personal and special category ('sensitive') data
  • Recognise how our Company complies with the General Data Protection Regulation (GDPR) and other data protection legislation
  • Take appropriate action to safeguard personal and special category data
  • Identify how and when to report breaches

What can you expect your employees to learn?

Introduction

What is Data Protection?

  • You decide: The importance of data protection
  • You decide: Breaches of data protection law
  • Crossing the line: Breaches of data protection law
  • Who is involved in data protection?
  • Personal data
  • Special category ('sensitive') data
  • You decide: Types of data


Data protection legislation

  • The GDPR
  • Rights of the data subject
  • Scenarios: Rights of the data subject

The data protection principles

Principle: Lawfulness, fairness & transparency

  • Lawful bases
  • Lawful basis: Consent
  • Scenario: Getting consent
  • Scenario: A customer withdraws consent
  • Scenario: Passing on contact details
  • Lawful basis: Legitimate interests
  • Legitimate interest assessments
  • You decide: LIAs
  • Documenting & reviewing LIAs
  • Data protection impact assessments

Principle: Data limitation

  • Scenario: An offer for a new service
  • Scenario: Contacting customers' connections

Principle: Data minimisation

  • Scenario: Information from job applicants
  • Scenario: Information from customers

Principle: Accuracy

  • You decide: Keeping data accurate & updated

Principle: Storage limitation

  • Scenario: Retaining job applicants' details
  • Scenario: Keeping details of former customers

Principle: Security, integrity & confidentiality

  • International transfers of personal data
  • Scenario: Gina's data transfer
  • You decide: Are additional safeguards required?

Data subject access requests

  • Dealing with DSARs
  • You decide: Is it a valid DSAR?

Personal data breaches

  • Scenarios: Personal data breaches
  • Notification of breaches
  • Scenario: Stolen data

Accountability & governance

  • Records of processing activities
 

Penalties

  • Crossing the line: Further breaches of data protection law

Your responsibilities

Summary

Affirmation

Assessment

Your questions, answered

Where can I track incidents involving personal data?

Tools such as a Data Breach Register enable you to log, track, and respond to data breaches and similar incidents efficiently. Skillcast offers this tool, making it easy to document and manage incidents in line with compliance requirements.

How can I ensure that employees formally attest to our internal Data Protection Policy?

Our Policy Hub tool allows you to easily assign policies, track when employees read them, and capture their attestation with a simple digital acknowledgement. The tool also provides automated reminders to employees who haven't yet acknowledged the policy, ensuring full compliance and a clear audit trail.

What makes a password secure?

A secure password is long (ideally 12+ characters), contains a mix of letters, numbers, and symbols, and avoids obvious choices like names, birthdays, or simple sequences.

What is a passphrase, and is it better than a password?

A passphrase is a string of unrelated words (e.g., "BlueMonkeySkyLadder!") that's easier to remember but harder to crack. It’s often more secure and user-friendly than traditional complex passwords.

How can organisations help staff manage secure passwords?

Encourage the use of password managers, provide cybersecurity training, and implement policies that support strong, unique password creation.

What exactly must be included in a DSAR response under GDPR?

Under Article 15 of the GDPR, a controller must provide confirmation of processing, access to the personal data, and supplemental information such as:
  • Purposes of processing
  • Types of personal data involved
  • Recipients of data (including third countries)
  • Retention period or criteria
  • Data source (if not collected directly)
  • Rights to rectification, erasure, restriction, or to object
  • Right to lodge a complaint with a supervisory authority
  • Automated decision-making logic and consequences
Plus, where relevant, safeguards for international transfers.

Can I ask for identification before fulfilling a DSAR?

Yes. Controllers should apply reasonable identity verification measures to ensure that they don't disclose data to the wrong person. However, it is important not to request excessive or unnecessary documentation, especially formal ID, if other reasonable methods (such as email verification or an identity-proofing platform) are available.

How is the one-month response deadline calculated precisely?

The GDPR mandates a response "without undue delay" and within one month from receipt of the request, or from receipt of the information needed to verify identity or of a valid fee. The deadline runs to the same calendar date in the following month; if that date doesn't exist (e.g., from 31 January), the deadline is the last day of the next month. If it falls on a weekend or holiday, the next working day applies.

When and how can the response deadline be extended?

A controller can extend the deadline by up to two months if the request is complex or the data subject has submitted multiple rights requests simultaneously (e.g., access, erasure, portability). However, the extension must be issued within the initial one-month period, providing reasons for the delay.
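The deadline rule from the two answers above, as an added Python example (not Skillcast's code): it clamps to the month end when the date does not exist and rolls weekends and holidays forward. The function names and the holiday set are assumptions, as is counting a full extension as three months from the same start date.

```python
import calendar
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Same calendar date `months` later, clamped to that month's last day."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=frozenset()) -> date:
    """Roll forward past Saturdays, Sundays and any listed holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_deadline(clock_start: date, holidays=frozenset(), extended=False) -> date:
    """Response deadline for a DSAR whose clock started on `clock_start`.

    `clock_start` is the receipt date, or the date the identity
    information or a valid fee arrived. `extended=True` assumes the full
    two-month extension is counted the same way (three months in total).
    """
    months = 3 if extended else 1
    return next_working_day(add_months(clock_start, months), frozenset(holidays))


# Constructed sample holiday list: Easter Monday 2025.
SAMPLE_HOLIDAYS = {date(2025, 4, 21)}

if __name__ == "__main__":
    for received in (date(2025, 1, 31), date(2025, 2, 15), date(2025, 3, 21)):
        print(received, "->", dsar_deadline(received, SAMPLE_HOLIDAYS))
```

The holiday list has to come from the calendar that applies to your organisation; the sample set here holds a single date.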

How is data privacy different from data security?

They’re closely related but differ: data privacy is all about how personal info is collected, used and shared, centring on policies, consent and ethical handling, whereas data security focuses on protecting information using technical measures.

Who is responsible for data privacy in compliance training?

Your organisation (the data controller), even if training is delivered through a third-party vendor (data processor) such as Skillcast.

What is multi-factor authentication?

Multi-factor authentication is a security protocol that requires two or more steps of verification when attempting to gain access to an account/system. The first is typically a username/email combination and the second can be one-time passcodes, biometrics, verification codes through email or text, authentication apps or FIDO2. It’s more secure than relying on passwords alone because it requires a device or biometrics, which cybercriminals don't typically have access to.

What is the difference between MFA and 2FA?

Two-factor authentication (2FA) is a type of multi-factor authentication that uses a two-stage verification process. For example, you may be required to log in using your password and username, and then a one-time passcode, which is sent through your email. MFA can include two, three or more factors of verification, but the government recommends using the authentication method that is best suited to the specific needs and risks of what is being protected.

How to log in with MFA?

With Skillcast, once you've entered your username and password, you will be presented with a one-time passcode screen. Click 'Get OTP' and you will be sent a code to your registered email address. The code is time-limited, so enter it into the screen quickly and then click 'Validate OTP' to sign in.

Are Skillcast courses SCORM-compliant?

Yes. This means they can be delivered via the Skillcast Portal or any other SCORM-compliant Learning Management System.

What other tools are needed beyond training?

A comprehensive compliance solution often needs more than just training. Alongside e-learning, tools like declarations, surveys, and registers that track compliance tasks are usually essential. Skillcast provides full support to help you set up these additional tools.

Is our training content still compliant with the latest legislation?

  • You can check the latest course content updates in our library updates page: https://www.skillcast.com/compliance-course-library-updates
  • For major legislative changes, we:
    • Will send you email alerts to ensure you are notified
    • Offer you a free trial of newly created or updated content
    • Host webinars with compliance experts to explain the changes and how our training supports your ongoing compliance

Can you translate our content into other languages?

Yes, we offer translations in a wide range of languages. Let us know your needs, and we’ll confirm availability or work with you to plan translations for your selected modules.

What file types are supported by the Skillcast system?

Supported file types and details, by feature:

  • File Exchange. File types: PDF, Excel spreadsheets, Word documents, SCORM and xAPI files, and compressed zip files. Max file size: default is 1GB, can be increased to a max of 2GB
  • SCORM files. Versions: SCORM 1.2, SCORM 1.2 for Moodle, SCORM 2004 2nd, 3rd and 4th Edition. Max file size: 1024MB
  • xAPI file. Max file size: 2GB
  • Videos. File types: MP4 or MOV. Videos must be optimised, with a max file size of 100MB. If the file is bigger, our Design Team can help
  • Images. File types: jpg, png and gif. The file size should ideally be 100KB, but it can be up to 250KB
  • CPD evidence. File types: Word, PDF, Excel and CSV. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB
  • Policy documents. File types: PDF or Word. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB
  • Offline activities evidence. File types: PDF, DOC, DOCX, XLS, XLSX, CSV, PNG, GIF, JPEG, JPG, PPTX and MSG. File size: the limit should be whatever the portal config option is set to. Servers are set to max 2GB
  • Client logo files. File types provided by client: EPS, PDF, AI and SVG
  • Registers. File types: PDF, DOC, DOCX, XLS, XLSX, CSV, PPT, PPTX, POT, PPA, PPS, JPG, JPEG, PJPEG, PNG, BMP, GIF, MP4, MOV, WMV, CPTX, CP, TXT, ZIP and MSG
  • Declarations. File types: JPG, JPEG, PNG, GIF, XLS and XLSX