Prepare your team for the privacy and AI governance obligations auditors actually check.
37 interactive exercises across 3 courses on GDPR, the EU AI Act, and OWASP privacy risks. Free to play, no sign-up required.
11 exercises
Build compliant opt-in flows that regulators accept.
Triage a breach and meet the 72-hour notification clock.
Evaluate a product feature through a privacy-first lens.
Process a data subject access request end to end.
Redact personal data from documents before disclosure.
Spot fake data access requests used for social engineering.
Evaluate a vendor's data processing controls before signing.
Coordinate security and privacy teams during a live breach.
Navigate transfer mechanisms for data leaving the EEA.
Run a DPIA for a high-risk data processing activity.
Build an Article 30 processing register from scratch.
16 exercises
Earn the AI literacy required by Article 4 before touching company AI tools.
Sort real AI deployments into the four EU AI Act risk tiers.
Stop banned AI deployments before they go live.
Block a high-risk AI launch with compliance gaps in any of seven areas.
A compliant vendor product does not make your deployment compliant.
Label AI chatbots and synthetic media correctly under Article 50.
Override an AI loan recommendation when the evidence does not match.
Block AI training that uses a leaky, biased, or oversharing dataset.
Run a healthcare AI through both EU AI Act and GDPR at once.
Investigate proxy variables hiding inside a resume-screening model.
Run a FRIA before a social housing AI ever assigns a benefit decision.
Report a discriminatory AI rejection pattern under Article 62.
Build an AI registry and shut down shadow AI in your company.
Map GPAI provider and downstream deployer duties for systemic-risk models.
Make compliant AI choices through a normal working day.
Map the three-tier penalty structure to real enforcement scenarios.
10 exercises
Discover a web application vulnerability that silently leaks personal data through error messages and insecure API responses.
Contain a data leakage incident where customer PII reaches unauthorized vendors through misconfigured file sharing.
Manage a data breach where your organization must contain the leak, notify regulators, and inform affected individuals under tight deadlines.
Fix a sign-up form that bundles multiple consent purposes into a single checkbox, violating granular consent requirements.
Audit a corporate privacy policy that uses legal jargon to obscure how personal data is actually collected, stored, and shared.
Trace a user's deletion request across backups, analytics systems, and third-party integrations to ensure no personal data persists.
Investigate how outdated and incorrect personal data in a CRM causes real harm through wrong credit decisions and misdirected communications.
Discover that a shared workstation retains full access to a previous user's personal accounts and medical records due to missing session expiration.
Fulfill a data subject access request by locating personal data scattered across fragmented systems before the regulatory deadline expires.
Audit a registration form and analytics implementation that collect far more personal data than the service actually needs.
GDPR Article 7 requires that consent be freely given, specific, informed, and unambiguous. Organizations must use clear affirmative action like unticked checkboxes, keep records proving when and how consent was obtained, and make withdrawal as easy as opting in.
Pre-ticked boxes, bundled consent, and vague privacy policies do not meet the standard. Regulators have imposed over EUR 400M in fines related to consent violations.
Under GDPR Article 33, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals.
The notification must include the nature of the breach, approximate number of affected individuals, likely consequences, and measures taken. British Airways was fined GBP 20M partly for delayed and inadequate breach response.
Privacy by design, codified in GDPR Article 25, requires organizations to integrate data protection into the design of systems and processes from the start, not bolt it on afterward. This includes data minimization, purpose limitation, and privacy-protective default settings.
The concept originated with Ann Cavoukian's seven foundational principles in the 1990s and became a legal obligation when the GDPR took effect in 2018.
A Data Subject Access Request (DSAR) is a right under GDPR Article 15 allowing any individual to request a copy of the personal data an organization holds about them.
Organizations must respond within 30 days, provide the data in an accessible format, and include information about processing purposes, retention periods, and third-party recipients. Requests can arrive through any channel, including email, web forms, or verbal communication.
Article 28 requires a written contract, called a Data Processing Agreement (DPA), between the controller and every processor handling personal data. The DPA must specify the processing purpose, data types, duration, and security measures.
Processors can only engage sub-processors with prior written authorization from the controller. The processor must assist with DSARs, breach notification, and data deletion, and submit to audits by the controller.
The OWASP Top 10 Privacy Risks is an industry framework that identifies the ten most common ways organizations mishandle personal data.
It covers web application vulnerabilities that leak PII, operator-sided data leakage, insufficient breach response, bundled consent, non-transparent policies, failed data deletion, poor data quality, missing session expiration, blocked data subject access, and excessive data collection. The framework helps organizations assess and mitigate privacy risks beyond regulatory compliance.
The OWASP Top 10 Privacy Risks overlaps significantly with GDPR requirements. For example, OWASP P3 (Insufficient Data Breach Response) maps to GDPR Article 33 breach notification, P4 (Consent on Everything) maps to Article 7 consent requirements, P6 (Insufficient Deletion) maps to Article 17 right to erasure, and P9 (Inability to Access Data) maps to Article 15 data subject access rights.
Training on both frameworks gives teams a complete picture of privacy obligations.
Article 4 of the EU AI Act mandates that every employee who interacts with AI systems must have sufficient AI literacy. The requirement became enforceable on February 2, 2025, and applies regardless of role or department. Organizations must ensure staff understand how AI generates outputs, its limitations including hallucinations, and the data privacy implications of using AI tools.
Articles 14 and 26 add competency requirements for human oversight of high-risk AI systems, and Article 50 requires transparency disclosure for AI chatbots and AI-generated content. Failure to train staff on these requirements creates direct exposure to enforcement actions.
The two frameworks are independent but overlapping. When an AI system processes personal data, both apply simultaneously. GDPR Article 22 grants individuals the right not to be subject to automated decisions with legal effects, and that right attaches regardless of how the EU AI Act classifies the system.
For high-risk AI systems processing personal data, organizations may need both a GDPR Data Protection Impact Assessment (DPIA) under Article 35 and a Fundamental Rights Impact Assessment (FRIA) under Article 27 of the EU AI Act. One does not replace the other.
Tier 1 covers Article 5 prohibited AI practices and reaches 35 million euros or 7% of global annual turnover, whichever is higher. Tier 2 covers high-risk AI obligations and GPAI provider obligations and reaches 15 million euros or 3%. Tier 3 covers supplying incorrect, incomplete, or misleading information to authorities and reaches 7.5 million euros or 1.5%.
Beyond fines, national market surveillance authorities can suspend non-compliant systems, require market withdrawal, publicly disclose violations, and mandate corrective measures. Individual employees can face personal liability for knowingly enabling non-compliance or obstructing investigations.
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.