GDPR Online Training Course
Essentials
This online GDPR course is ideal for all employees as part of their data protection awareness training – and it won’t make them yawn!
The course gives each trainee an overview of where GDPR came from, how it applies today in the UK and EU following Brexit, the principles of data protection that must be followed under GDPR, the lawful bases under which data can be processed and the rights that each data subject holds with examples of how they work in practice.
It also covers key common GDPR compliance risks such as recognising SARs (subject access requests), data security and data breaches. Situational questions improve data protection confidence throughout the course and help build confidence towards the final assessment.
- 100% online
- 1-2 hours
- UK GDPR – DPA18 (🇬🇧) + EU GDPR (🇪🇺)
- Included in Plus
- Certificate
Why learn about GDPR?
Warning! 🚩
Data privacy training red flags – what you need to avoid when picking a course.
1. The course that’s never updated.
GDPR has changed a lot since 2018. But many training courses haven’t. It’s the same old stuff repeated again and again. Following old guidance can be a big risk, so make sure you get training materials which are kept up-to-date.
2. The really boring course.
GDPR training might never meet Netflix level production standards. But it is still possible to make it interactive and engaging. Steer clear of boring courses which make staff switch off – wasting time and leaving big knowledge gaps.
3. The course that’s too basic.
We get it, GDPR training isn’t the most fun use of anybody’s time. But if you choose a “super short” course it’s probably too basic – meaning it will leave knowledge gaps. And knowledge gaps can mean… poor compliance, which can lead to fines. Why not just spend a little bit more time and do it right from the start?
4. The course that doesn’t put anything into practice.
Knowing the GDPR rules off by heart is one thing, but being able to actually apply them to your day to day work is another. Avoid training that doesn’t show you how you can apply what you’ve learnt through practical real-world examples.
Course features
Engaging
Nobody wants to be lectured to. Learners get the knowledge they need through concise and engaging videos. Then, they apply what they’ve learnt through situational questions.
Ticks every box
Aligns with the ICO’s accountability guidelines for data privacy training.
Kept up to date
How GDPR is applied can change overnight. Our team regularly reviews the latest developments in data privacy law. We build this knowledge into regular course updates and email alerts so you can keep ahead.
Comprehensive
For awareness training, this course won’t leave any knowledge gaps. It gives staff exactly what they need to know and makes sure they can understand how it is applied in practice.
Course information
Learning outcomes
- Understand the key principles, data subject rights, legal basis for processing and implementation challenges of GDPR
- Know how to handle personal data properly in compliance with GDPR
- Be aware of the biggest GDPR compliance risks that all employees face and how to mitigate their impact.
- Feel confident applying GDPR in day to day tasks.
GDPR Training Recommendations
- All employees should complete some GDPR training. Ideally, before they start processing personal data.
- Employees who process significant volumes of data or who perform high risk data processing activities, such as sales and marketing staff, should receive additional training. Employees who make strategic decisions or product design decisions (which may concern the processing of personal data) may also benefit from additional training.
- All employees should receive refresher training 1 or 2 times a year to ensure that they still have a good understanding of GDPR and to help them understand any changes to how GDPR is applied. This will also help organisations improve their compliance with the Accountability principle of GDPR.
This course is recommended for
- All staff as part of GDPR awareness training.
Prerequisites
There is no prerequisite for this GDPR training.
What do I need for this course?
This course is 100% online and delivered through our online learning platform. You will need a computer and a stable internet connection to access the video lessons and interactive assessments. Organisations can also access this content via their own LMS on request (different pricing and licensing terms will apply).
Course content
Section 1: Intro and key definitions
What you’ll learn
In this section we’ll introduce GDPR and make sure you fully understand the key definitions. We’ll look at how this regulation fits into the overall data privacy law landscape. We’ll explain why GDPR was introduced and examine how it works across the UK and EU with particular focus on the small, but important differences that apply following Brexit.
Lessons
- What is GDPR?
- The data privacy law landscape – Data Protection Act 2018
- Why GDPR matters
- UK GDPR and EU GDPR – What’s the difference?
- GDPR enforcement and penalties
- Defining personal data
- Defining data controllers, data processors and data subjects
- Mini-assessment
How good is your current knowledge?
Section 2: Principles of GDPR
What you’ll learn
In this section we’ll dive deep into the principles of GDPR. We’ll explain how a solid understanding of these principles can help you achieve full compliance with GDPR. And we’ll look at how you can use your knowledge of these principles to tackle different situations that currently lack specific guidance – so your projects will never be stuck at a GDPR roadblock again.
Lessons
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
- Mini-assessment
Section 3: Establishing a lawful basis for processing
What you’ll learn
In this section we’ll look at the different lawful bases for processing data. For brevity, we’ll keep our explanations of the least useful legal bases light. We’ll use plenty of examples from organisations big and small of the right way and the wrong way to apply these lawful bases. We’ll also bust some common GDPR myths.
Lessons
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
- Mini-assessment
Section 4: Data subject’s rights
What you’ll learn
In this section we’ll look at the different rights that data subjects have. Using some practical examples, we’ll explore how they can exercise their rights and how you can support these rights in order to improve GDPR compliance.
Lessons
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- Mini-assessment
Section 5: Key topics & GDPR in-practice
What you’ll learn
In this section we’ll wrap up everything that we’ve learned. We’ll look at some of the biggest issues that organisations face with GDPR. We’ll also provide some practical measures that each staff member can apply to improve compliance in their day to day tasks.
Lessons
- The role of data protection officers
- International data transfers (restricted transfers)
- Data security
  - Physical
  - Cybersecurity
- Data breaches
- The future of GDPR – how to stay up to date
- End of course assessment
Recent course updates
December 2022 Update
We’ve updated this course to cover the latest developments with the Data Protection and Digital Information Bill, and to briefly introduce the ICO’s IDTA and Restricted Transfer Assessment tool.
Our team regularly reviews the latest developments in data privacy law. We build this knowledge into regular course updates and email alerts so you can stay ahead.
Why I started Measured Collective

I know what it feels like to worry about getting data privacy law wrong. About getting a huge fine or being the subject of an investigation. A few years ago when GDPR was coming into force I was working in tech, managing a marketing team in London.
I’d heard that GDPR was coming into force and that it would change how we processed data.
For a marketer this was worrying: we had huge databases full of customers and we’d just started to analyse all the data we were collecting across our website to understand how people were interacting with our products. We even had projects in the pipeline that would help us split customers into groups based on their previous interactions with our products, and then allow us to send them targeted communications by email.
Rumours were going around that most of the data we’d collected would need to go. I didn’t want to lose this valuable data. And I didn’t want to be the reason why the company I worked for got a GDPR fine or became the subject of an investigation.
I realised we’d need to get compliant. And found out shortly afterwards that the budget for outside help was almost non-existent.
So I set out to learn a lot about GDPR myself. Along the way I found a lot of confusing information.
There were junk articles written by companies trying to sell you their legal services or cookie consent software – which were full of bad advice which seemed to just be a copy and paste job from the last article.
There were myths spread by people with only a vague understanding of the GDPR rules, who had likely never even read the legal text.
And there were (some) lawyers who appeared to be scrambling to catch up; they seemed only capable of repeating the same poor quality advice we were getting from the regulators at the time.
They also didn’t seem to understand how any business actually operated day to day. Getting to what GDPR actually meant in practice and how it would affect our day to day work was a nightmare.
My priorities were to get our entire operations compliant under GDPR and to keep up with my targets. I also needed to get my whole team up to speed with this new legislation so that we could stop putting in place processes that made our compliance worse.
To get the information I needed, I studied closely what the regulators said, I studied the law (yawn), and I spoke to as many experts as I could.
I ended up delivering my own company wide training seminar to help the company get up to speed with GDPR.
I got a few laughs and to my surprise a round of applause at the end… I realised it was possible to teach something “boring” but still make it engaging.
This experience is what led me to start Measured Collective. My initial plan was to teach everyone about how to use data to design better business processes and to understand their customers better, but we kept running into the same roadblock in our discussions with our first clients. They had the data, but they hadn’t done the compliance work required to use it legally under GDPR.
So I pivoted to focus on data privacy training.
I started by looking at what training was already available on the market and found the same red flags again and again:
- The slides for each course looked like they had travelled here from 1998.
- The content was too basic, just repeating the bare bones GDPR knowledge.
- There were hardly any examples or explanations of how to actually apply GDPR in practice.
- The same old course was being resold again and again without any updates.
So with the help of some data privacy experts and the input of people who were working across HR, marketing and operations in businesses at the time I set out to make something different.
Data privacy training which was engaging – so trainees stay focussed. Comprehensive – so that trainees don’t have knowledge gaps which can put you at risk of fines. Full of examples – so trainees can understand how to apply what they’ve just learned. Regularly updated – so trainees don’t waste time learning out of date guidance, and companies can keep ahead with their compliance efforts.
It’s been a tough but rewarding experience (with more changes to data privacy law than we were expecting over the last few years). Now, three years in we get regular positive feedback from our clients in our end of course surveys and directly by email.
Hopefully we can get a chance to help you and your team out too – please let me know what you think.
How it works
Step 1
Buy course seats
Purchase online using your credit or debit card. Or contact us directly to pay by bank transfer. Our onboarding team will be in touch to help you invite staff members to take up their seats. They’ll receive an invite to join our learning platform by email.
Step 2
Start learning
Each team member will have access to the learning materials, interactive assessments and quizzes. On completion of the course team members will be issued with a certificate.
Step 3
Keep ahead
You’ll receive periodic updates by email covering changes to GDPR, enforcement cases and what they mean for your compliance efforts. We’ll also let you know how we’ve used this information to update the course. Trainees can review any updated lesson materials on the learning platform.
What’s included
Training
- Distraction-free online learning platform
- Mini quizzes & end of course assessment
Updates
- Access to all course material updates and enhancements for the length of your access period
- Alerts about how changes to DPA18/GDPR may impact your organisation for the length of your access period
Certification
- Certificate on completion 🎉
FAQs
Yes, on completion of the course you will be issued with a digital certificate. It will be issued by our team shortly after completion of Sections 1-5 of the course including the end of course quiz. You can add this to your LinkedIn profile.
Yes, simply state a team name, for example “ABC GDPR Team”, then select the number of seats required. Next indicate whether you will be taking a seat yourself, or simply will be the administration contact for the purchase. Once you have completed payment you will be prompted to invite your team to join the course. They will then receive emails with their own access details.
Yes, you can cancel your order for a full refund within 14 calendar days of purchase. Any certificates issued within this time will be voided. This does not affect your statutory rights.
About GDPR
The Data Protection Act 2018 (DPA18) is a data protection law that governs the use of data in the UK. The DPA18 writes the EU GDPR into UK law; after Brexit, this part of the law is now referred to as UK GDPR. Many sections are copied word for word. But there are some differences that you need to be aware of if you are based in the UK or are processing the personal data of UK citizens.
Lower-tier violations can lead to a fine of up to £8.7 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to £17.5 million or 4% of the organisation’s worldwide annual turnover, whichever is higher. The tier applied depends on what provisions of UK GDPR have been breached.
There are two tiers of fines under EU GDPR. The upper maximum allows fines of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. The standard maximum allows fines of up to 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher. The tier applied depends on what provisions of EU GDPR have been breached.
Local enforcement agencies exist in each country of the EEA (European Economic Area) and in the UK. For example, in the UK it’s the ICO, in France it’s the CNIL, and in Spain it’s the AEPD. These are public bodies that work independently of the state. These agencies are required to enforce the application of GDPR and provide assistance to individuals and organisations to ensure that data subjects’ rights are upheld. These agencies lead investigations into non-compliance; they have the power to audit organisations’ data practices and to issue fines for non-compliance.
The definition of personal data under the GDPR is broad. In Art. 4(1) of the GDPR, personal data is defined as any information related to an identified or identifiable natural person. It does not matter if it is not possible to fully identify the individual solely from the personal data concerned. If the personal data can be combined with other data to identify an individual then it still must be afforded protections under GDPR. Some examples of personal data could include a name, email address, date of birth, bank account details, ID card number, location history or metadata such as the time of access to a specific service or product.
GDPR affects any organisation processing the personal data of EU residents (EU GDPR) or UK residents (UK GDPR). An organisation could be a sole trader, a registered business, a non-profit/charity or a club/membership organisation. Only natural persons processing data for non-commercial means would be exempt, or the processing of data by non-automated means which was not intended to be stored in a filing system later. For example, an individual storing their friend’s mobile number in their mobile phone would not be subject to GDPR. Neither would a barista writing your name on a coffee cup. However, an individual working for a company, storing a client’s mobile phone number in a database would be. Similarly, an individual running a group class at a non-profit community centre who stores attendance lists containing personal data such as names and contact details would be subject to GDPR. The scope is wide.
Yes. There is no “b2b” exemption under GDPR. Even if you are processing data about your suppliers, customers or competitors, for example the names and email addresses of senior managers that work in these organisations – you still need to afford that data GDPR level protections.
The ICO recognises there are many different ways to make employees aware of their responsibilities with personal data under GDPR. They generally suggest a multi layered approach, a mixture of training and reminders (for example email updates, posters or other notices) to communicate with employees about GDPR. They recommend GDPR training as part of their accountability framework. Specifically the accountability framework recommends induction and refresher training for all staff that process personal data. And specialised training for staff with key data protection responsibilities (such as DPOs, subject access and records management teams).
Our free GDPR course covers very basic GDPR content. It is not recommended for organisations to use the free course for awareness training because some knowledge gaps will exist. The free GDPR course is aimed towards people who are looking for an opportunity to improve their CV or who are from organisations with zero budget for GDPR training, for example companies pre-formation or non-profit groups without an official legal wrapper who may be concerned about how GDPR can affect their data processing activities. The Essentials GDPR Course offered on this page is far more comprehensive than the free GDPR course. It features more real-life examples and goes into further detail on some of the biggest compliance risks.
Course resources
FREE DOWNLOAD
GDPR documentation requirements guide
An overview of the documents mentioned in UK GDPR. What they are, the legal basis for preparing them and who should prepare them.
FREE DOWNLOAD
GDPR legitimate interests assessment
A template to assist you in making a legitimate interests assessment.
Benefits of Measured Collective Plus
What is Measured Collective Plus?
An annual subscription that gives you and your team access to all our online courses.*
*Does not include live courses delivered online, in-person classroom training or customised training
What are the benefits?
- Includes updates for the length of your subscription. So when the law or guidance changes, your staff stay informed. No need to buy another course.
- Incredible value. Save up to £2,021 compared to buying course seats for 20 people separately.
- One invoice. Less administration hassle compared to returning to add on refresher training or other courses at a later date.
Join this course
Single Course
Access to this course only. 6 months access.
Measured Collective Plus +
Unlimited access to all online courses and updates for the length of your subscription. Save up to £2,021 compared to buying course seats separately. See all benefits.
Got a bigger team or want to host the content on your own LMS? Speak with sales.