Privacy & Compliance Training
Practice data breach response, DSAR handling, privacy by design, and cross-border transfers across 11 free interactive exercises.
Every exercise is free, runs in your browser, and requires no sign-up. Prepare your team for the GDPR requirements auditors actually check.
GDPR Compliance
11 hands-on exercises covering consent management, breach notification, privacy engineering, data subject rights, and international transfers.
Marketing Consent Management
Build compliant opt-in flows that regulators accept.
- Apply GDPR Article 7 consent standards
- Design proper consent withdrawal mechanisms
Data Breach Response
Triage a breach and meet the 72-hour notification clock.
- Apply Article 33 notification requirements
- Assess breach severity and reporting thresholds
- Draft a supervisory authority notification
Privacy by Design Review
Evaluate a product feature through a privacy-first lens.
- Apply Article 25 data minimization checks
- Identify privacy gaps in product designs
Legitimate DSAR Processing
Process a data subject access request end to end.
- Verify requester identity under Article 15
- Search and compile data across systems
- Meet the 30-day response deadline
PII Document Redaction
Redact personal data from documents before disclosure.
- Strip PII from text and metadata layers
- Avoid recoverable redaction failures
Fraudulent DSAR Detection
Spot fake data access requests used for social engineering.
- Identify fraudulent DSAR indicators
- Apply Article 12(6) refusal grounds
Third-Party Data Processor Vetting
Evaluate a vendor's data processing controls before signing.
- Review DPA terms against Article 28
- Assess sub-processor chains and controls
- Apply vendor risk scoring frameworks
Security Incident Response
Coordinate security and privacy teams during a live breach.
- Run parallel security and privacy workstreams
- Triage breach severity for Article 33 reporting
- Apply IBM-benchmarked IR plan savings
Cross-Border Data Transfers
Navigate transfer mechanisms for data leaving the EEA.
- Select the right transfer mechanism (SCCs, BCRs)
- Conduct a Transfer Impact Assessment
- Apply Schrems II safeguard requirements
Data Protection Impact Assessment
Run a DPIA for a high-risk data processing activity.
- Identify Article 35 DPIA triggers
- Apply structured risk assessment methodology
- Document DPO consultation outcomes
Data Mapping and Records of Processing
Build an Article 30 processing register from scratch.
- Conduct cross-department data flow interviews
- Create a compliant Records of Processing register
- Map data flows across systems and vendors
What Is GDPR Compliance Training?
GDPR compliance training teaches employees to handle personal data according to the European Union's General Data Protection Regulation, which took effect on 25 May 2018. The regulation applies to any organization that processes personal data of EU residents, regardless of where the organization is headquartered.
Training covers data breach notification requirements under Article 33 (72-hour deadline to supervisory authorities), data subject access request processing under Article 15 (30-day response window), privacy by design obligations under Article 25, cross-border data transfer mechanisms, and third-party processor vetting under Article 28.
Organizations face fines of up to EUR 20 million or 4% of annual global turnover for non-compliance. This catalogue includes 11 free interactive GDPR exercises that simulate real compliance scenarios employees encounter in their daily work.
GDPR Compliance FAQ
Common questions about GDPR compliance and our data protection training exercises.
What does GDPR Article 7 require for marketing consent?
GDPR Article 7 requires that consent be freely given, specific, informed, and unambiguous. Organizations must obtain consent through a clear affirmative action, such as the user ticking a checkbox that is unticked by default, keep records proving when and how consent was obtained, and make withdrawal as easy as opting in. Pre-ticked boxes, bundled consent, and vague privacy policies do not meet the standard. Regulators have imposed over EUR 400M in fines related to consent violations.
What is the GDPR 72-hour breach notification rule?
Under GDPR Article 33, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. The notification must include the nature of the breach, approximate number of affected individuals, likely consequences, and measures taken. British Airways was fined GBP 20M partly for delayed and inadequate breach response.
What is privacy by design under GDPR?
Privacy by design, codified in GDPR Article 25, requires organizations to integrate data protection into the design of systems and processes from the start, not bolt it on afterward. This includes data minimization, purpose limitation, and privacy-protective default settings. The concept originated with Ann Cavoukian's seven foundational principles in the 1990s and became a legal obligation when the GDPR took effect in 2018.
What is a DSAR under GDPR?
A Data Subject Access Request (DSAR) is a right under GDPR Article 15 allowing any individual to request a copy of the personal data an organization holds about them. Organizations must respond within 30 days, provide the data in an accessible format, and include information about processing purposes, retention periods, and third-party recipients. Requests can arrive through any channel, including email, web forms, or verbal communication.
What does GDPR Article 28 require for data processors?
Article 28 requires a written contract, called a Data Processing Agreement (DPA), between the controller and every processor handling personal data. The DPA must specify the processing purpose, data types, duration, and security measures. Processors can only engage sub-processors with prior written authorization from the controller. The processor must assist with DSARs, breach notification, and data deletion, and submit to audits by the controller.
Deploy GDPR Training Across Your Organization
Roll out interactive GDPR compliance training to your entire workforce. SCORM-compatible, analytics-ready, and designed for enterprise deployment.