Skip to main content
Templates/Compliance/GDPR Data Handling Essentials
CCompliance

GDPR Data Handling Essentials

Covers UK GDPR and the Data Protection Act 2018: the six lawful bases, data subject rights, the 72-hour breach reporting window, and when a DPO is required, with scored scenarios on real data handling decisions.

8 sections
12 minutes
📋 Compliance

Who this is for

Office-based staff who handle personal data day to day, and the compliance or HR leads responsible for evidencing their training

Learners will be able to

  • Identify the correct lawful basis for common processing activities such as marketing emails, HR records, and CCTV
  • Respond correctly when a subject access request arrives, including the one-calendar-month statutory deadline
  • Recognise a reportable personal data breach and escalate it fast enough to meet the 72-hour ICO notification window
  • Explain when an organisation must appoint a Data Protection Officer and which questions to route to them
  • Apply data minimisation and storage limitation principles to everyday file handling and email habits

Template prompt

Create a GDPR compliance module for office workers covering lawful bases for processing, data subject rights, breach reporting procedures, and DPO responsibilities. Include scenario questions about real-world data handling situations.

This prompt is fully editable. Customise it to match your audience, regulations, and learning objectives before generating.

What the 8 sections cover

  1. 1

    Why UK GDPR matters to you

    Context panel framing the UK GDPR and Data Protection Act 2018, what counts as personal and special category data, and why ICO enforcement makes this everyone's job, not just legal's.

  2. 2

    The six lawful bases for processing

    Flashcard set working through consent, contract, legal obligation, vital interests, public task, and legitimate interests, with a plain-English example of each.

  3. 3

    Scenario: choosing a lawful basis

    Scored scenario question where you pick the right basis for a marketing mailing list and a staff sickness record, with consequence feedback explaining common mis-picks.

  4. 4

    Data subject rights in practice

    Walkthrough of the eight rights, focusing on access, rectification, and erasure, and what a valid subject access request actually looks like when it lands in your inbox.

  5. 5

    Scenario: a subject access request arrives

    Scored decision point on handling a SAR received by email, testing the one-calendar-month deadline, identity verification, and when the extension of up to two further months for complex requests applies.

  6. 6

    Recognising and reporting breaches

    Visual flowchart from suspected breach to internal escalation to ICO notification, anchored on the 72-hour rule and when affected individuals must also be told.

  7. 7

    The DPO and your responsibilities

    Explains when a Data Protection Officer is mandatory, what they do, and the specific everyday duties that stay with you regardless, such as clean data storage and access control.

  8. 8

    Final knowledge check and key takeaways

    Scored end-of-module assessment across all seven prior sections plus a key-takeaways recap you can keep for your compliance records.

Structure is representative — the generator adapts sections to your edited prompt and passes every package through interactivity and visual-density quality gates.

Topics covered

GDPRData ProtectionPrivacyCompliance

Make it yours

  • Upload your own data protection policy or privacy notice as a source file so the scenarios reference your actual escalation routes and named contacts
  • Add a line to the prompt naming your sector, for example schools or healthcare, so examples use pupil or patient data rather than generic customer records
  • If you have a data protection lead rather than a formal DPO, say so in the prompt and the module will describe that role instead

Frequently asked questions

Is GDPR training a legal requirement for UK businesses?

UK GDPR does not name staff training explicitly, but the accountability principle (Article 5(2)) and the security requirements in Article 32 mean regulators expect staff who handle personal data to be trained. The ICO's accountability framework lists training delivery and completion monitoring as evidence it looks for, so most organisations treat role-appropriate training with recorded completions as effectively mandatory.

How often should GDPR training be refreshed?

There is no fixed statutory interval. The ICO expects training to be regular and kept current, and an annual refresher is the widely adopted standard, with additional training whenever roles, systems, or policies change. Keeping SCORM completion records in your LMS is the simplest way to evidence this.

What is the difference between UK GDPR and EU GDPR?

After Brexit the UK retained the GDPR as 'UK GDPR', sitting alongside the Data Protection Act 2018, with the ICO as regulator. The regimes remain closely aligned, though the Data (Use and Access) Act 2025 has amended parts of the UK framework, with its main data protection provisions in force from February 2026. This module covers the core concepts that are stable across both.

Does this template cover breach reporting timescales?

Yes. It covers the requirement to notify the ICO within 72 hours of becoming aware of a reportable breach, the internal escalation step that must happen first, and the separate duty to inform affected individuals without undue delay where the breach poses a high risk to them.

Ready to make it yours?

Customise the prompt, generate a draft, then review the content and SCORM package before delivery.