GDPR Data Handling Essentials
Covers UK GDPR and the Data Protection Act 2018: the six lawful bases, data subject rights, the 72-hour breach reporting window, and when a DPO is required, with scored scenarios on real data handling decisions.
Who this is for
Office-based staff who handle personal data day to day, and the compliance or HR leads responsible for evidencing their training
Learners will be able to
- Identify the correct lawful basis for common processing activities such as marketing emails, HR records, and CCTV
- Respond correctly when a subject access request arrives, including the one-calendar-month statutory deadline
- Recognise a reportable personal data breach and escalate it fast enough to meet the 72-hour ICO notification window
- Explain when an organisation must appoint a Data Protection Officer and which questions to route to them
- Apply data minimisation and storage limitation principles to everyday file handling and email habits
Template prompt
“Create a GDPR compliance module for office workers covering lawful bases for processing, data subject rights, breach reporting procedures, and DPO responsibilities. Include scenario questions about real-world data handling situations.”
This prompt is fully editable. Customise it to match your audience, regulations, and learning objectives before generating.
What the 8 sections cover
- 1
Why UK GDPR matters to you
Context panel framing the UK GDPR and Data Protection Act 2018, what counts as personal and special category data, and why ICO enforcement makes this everyone's job, not just legal's.
- 2
The six lawful bases for processing
Flashcard set working through consent, contract, legal obligation, vital interests, public task, and legitimate interests, with a plain-English example of each.
- 3
Scenario: choosing a lawful basis
Scored scenario question where you pick the right basis for a marketing mailing list and a staff sickness record, with consequence feedback explaining common mis-picks.
- 4
Data subject rights in practice
Walkthrough of the eight rights, focusing on access, rectification, and erasure, and what a valid subject access request actually looks like when it lands in your inbox.
- 5
Scenario: a subject access request arrives
Scored decision point on handling a SAR received by email, testing the one-calendar-month deadline, identity verification, and when the extension of up to two further months for complex requests applies.
- 6
Recognising and reporting breaches
Visual flowchart from suspected breach to internal escalation to ICO notification, anchored on the 72-hour rule and when affected individuals must also be told.
- 7
The DPO and your responsibilities
Explains when a Data Protection Officer is mandatory, what they do, and the specific everyday duties that stay with you regardless, such as clean data storage and access control.
- 8
Final knowledge check and key takeaways
Scored end-of-module assessment across all seven prior sections plus a key-takeaways recap you can keep for your compliance records.
Structure is representative — the generator adapts sections to your edited prompt and passes every package through interactivity and visual-density quality gates.
Topics covered
Make it yours
- Upload your own data protection policy or privacy notice as a source file so the scenarios reference your actual escalation routes and named contacts
- Add a line to the prompt naming your sector, for example schools or healthcare, so examples use pupil or patient data rather than generic customer records
- If you have a data protection lead rather than a formal DPO, say so in the prompt and the module will describe that role instead
Frequently asked questions
Is GDPR training a legal requirement for UK businesses?
UK GDPR does not name staff training explicitly, but the accountability principle (Article 5(2)) and the security requirements in Article 32 mean regulators expect staff who handle personal data to be trained. The ICO's accountability framework lists training delivery and completion monitoring as evidence it looks for, so most organisations treat role-appropriate training with recorded completions as effectively mandatory.
How often should GDPR training be refreshed?
There is no fixed statutory interval. The ICO expects training to be regular and kept current, and an annual refresher is the widely adopted standard, with additional training whenever roles, systems, or policies change. Keeping SCORM completion records in your LMS is the simplest way to evidence this.
What is the difference between UK GDPR and EU GDPR?
After Brexit the UK retained the GDPR as 'UK GDPR', sitting alongside the Data Protection Act 2018, with the ICO as regulator. The regimes remain closely aligned, though the Data (Use and Access) Act 2025 has amended parts of the UK framework, with its main data protection provisions in force from February 2026. This module covers the core concepts that are stable across both.
Does this template cover breach reporting timescales?
Yes. It covers the requirement to notify the ICO within 72 hours of becoming aware of a reportable breach, the internal escalation step that must happen first, and the separate duty to inform affected individuals without undue delay where the breach poses a high risk to them.
Ready to make it yours?
Customise the prompt, generate a draft, then review the content and SCORM package before delivery.
Related templates
Data Protection Essentials
Quick-fire quiz on everyday data protection practices — password hygiene, phishing red flags, and secure file handling.
Cybersecurity Awareness Training
All-staff cybersecurity awareness covering phishing recognition, social engineering beyond email, password practice, two-factor authentication and incident reporting, built around realistic phishing emails to analyse.
Employee Onboarding Essentials
A structured first-week induction module that walks new starters through day-one paperwork, health and safety basics, must-know policies and 30-60-90 day expectations, ending with a scored knowledge check.