
GDPR Online Training Course


This online GDPR course is ideal for all employees as part of their data protection awareness training – and it won’t make them yawn!

The course gives each trainee an overview of where GDPR came from, how it applies today in the UK and EU following Brexit, the principles of data protection that must be followed under GDPR, the lawful bases under which data can be processed and the rights that each data subject holds with examples of how they work in practice.

It also covers key common GDPR compliance risks such as recognising SARs (subject access requests), data security and data breaches. Situational questions improve data protection confidence throughout the course and help build confidence towards the final assessment.

  • 100% online
  • 1-2 hours
  • UK GDPR – DPA18 (🇬🇧) + EU GDPR (🇪🇺)
  • Included in Plus
  • Certificate


Why learn about GDPR?

  • Reduce your risk of financial penalties and prosecution for non-compliance
  • Delight your customers and colleagues with better respect for their privacy
  • Instead of worrying, feel confident using personal data in your day to day tasks
  • Demonstrate your commitment to ethical business practices – doing what’s right
  • Ensure that “GDPR myths” and outdated advice are not holding your business back

Warning! 🚩

Data privacy training red flags – what you need to avoid when picking a course.

1. The course that’s never updated.

GDPR has changed a lot since 2018. But many training courses haven’t. It’s the same old stuff repeated again and again. Following old guidance can be a big risk. Make sure you get training materials which are kept up to date.

2. The really boring course.

GDPR training might never meet Netflix level production standards. But it is still possible to make it interactive and engaging. Steer clear of boring courses which make staff switch off – wasting time and leaving big knowledge gaps.

3. The course that’s too basic.

We get it, GDPR training isn’t the most fun use of anybody’s time. But if you choose a “super short” course it’s probably too basic – meaning it will leave knowledge gaps. And knowledge gaps can mean… poor compliance, which can lead to fines. Why not just spend a little bit more time and do it right from the start?

4. The course that doesn’t put anything into practice.

Knowing the GDPR rules off by heart is one thing, but being able to actually apply them to your day to day work is another. Avoid training that doesn’t show you how you can apply what you’ve learnt through practical real-world examples.


Course features


Nobody wants to be lectured to. Learners get the knowledge they need through concise and engaging videos. Then, they apply what they’ve learnt through situational questions.

Ticks every box

Aligns with the ICO’s accountability guidelines for data privacy training.

Kept up to date

How GDPR is applied can change overnight. Our team regularly reviews the latest developments in data privacy law. We build this knowledge into regular course updates and email alerts so you can keep ahead.


For awareness training, this course won’t leave any knowledge gaps. It gives staff exactly what they need to know and makes sure they can understand how it is applied in practice.


Course information

Learning outcomes

  • Understand the key principles, data subject rights, legal basis for processing and implementation challenges of GDPR
  • Know how to handle personal data properly in compliance with GDPR 
  • Be aware of the biggest GDPR compliance risks that all employees face and how to mitigate their impact.
  • Feel confident applying GDPR in day to day tasks.

GDPR Training Recommendations

  • All employees should complete some GDPR training. Ideally, before they start processing personal data.
  • Employees who process significant volumes of data or who perform high risk data processing activities such as sales and marketing staff should receive additional training. Employees who make strategic decisions or product design decisions (which may concern the processing of personal data) may also benefit from additional training.
  • All employees should receive refresher training 1 or 2 times a year to ensure that they still have a good understanding of GDPR and to help them understand any changes to how GDPR is applied. This will also help organisations improve their compliance with the Accountability principle of GDPR.

This course is recommended for

  • All staff as part of GDPR awareness training.


There is no prerequisite for this GDPR training.

What do I need for this course?

This course is 100% online and delivered through our online learning platform. You will need a computer and a stable internet connection to access the video lessons and interactive assessments. Organisations can also access this content via their own LMS on request (different pricing and licensing terms will apply).

Course content

Section 1: Intro and key definitions

What you’ll learn

In this section we’ll introduce GDPR and make sure you fully understand the key definitions. We’ll look at how this regulation fits into the overall data privacy law landscape. We’ll explain why GDPR was introduced and examine how it works across the UK and EU with particular focus on the small, but important differences that apply following Brexit.


  • What is GDPR?
  • The data privacy law landscape – Data Protection Act 2018
  • Why GDPR matters
  • UK GDPR and EU GDPR – What’s the difference?
  • GDPR enforcement and penalties
  • Defining personal data
  • Defining data controllers, data processors and data subjects
  • Mini-assessment

How good is your current knowledge?

Section 2: Principles of GDPR

What you’ll learn

In this section we’ll dive deep into the principles of GDPR. We’ll explain how a solid understanding of these principles can help you achieve full compliance with GDPR. And we’ll look at how you can use your knowledge of these principles to tackle different situations that currently lack specific guidance – so your projects will never be stuck at a GDPR roadblock again.


  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability
  • Mini-assessment


Section 3: Establishing a lawful basis for processing

What you’ll learn

In this section we’ll look at the different lawful bases for processing data. For brevity, we’ll keep our explanations of the least useful legal bases light. We’ll use plenty of examples from organisations big and small of the right way and the wrong way to apply these lawful bases. We’ll also bust some common GDPR myths.


  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests
  • Mini-assessment


Section 4: Data subject’s rights

What you’ll learn

In this section we’ll look at the different rights that data subjects have. We’ll explore how they can exercise their rights and how you can support these rights in order to improve GDPR compliance by bringing in some practical examples.


  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling
  • Mini-assessment


Section 5: Key topics & GDPR in-practice

What you’ll learn

In this section we’ll wrap up everything that we’ve learned. We’ll look at some of the biggest issues that organisations face with GDPR. We’ll also provide some practical measures that each staff member can apply to improve compliance in their day to day tasks.


  • The role of data protection officers
  • International data transfers (restricted transfers)
  • Data security
    • Physical
    • Cybersecurity
  • Data breaches
  • The future of GDPR – how to stay up to date
  • End of course assessment


Recent course updates

December 2022 Update
We’ve updated this course to cover the latest developments with the Data Protection and Digital Information Bill. And to briefly introduce the ICO’s IDTA and Restricted Transfer Assessment tool.

Our team regularly reviews the latest developments in data privacy law. We build this knowledge into regular course updates and email alerts so you can stay ahead.

Why I started Measured Collective

Founder – Scott Dooley

I know what it feels like to worry about getting data privacy law wrong. About getting a huge fine or being the subject of an investigation. A few years ago when GDPR was coming into force I was working in tech, managing a marketing team in London. 

I’d heard that GDPR was coming into force and that it would change how we processed data. 

For a marketer this was worrying, we had huge databases full of customers and we’d just started to analyse all the data we were collecting across our website to understand how people were interacting with our products. We even had projects in the pipeline that would help us split customers into groups based on their previous interactions with our products, and then allow us to send them targeted communications by email.

Rumours were going around that most of the data we’d collected would need to go. I didn’t want to lose this valuable data. And I didn’t want to be the reason why the company I worked for got a GDPR fine or became the subject of an investigation.

I realised we’d need to get compliant. And found out shortly afterwards that the budget for outside help was almost non-existent.

So I set out to learn a lot about GDPR myself. Along the way I found a lot of confusing information.

There were junk articles written by companies trying to sell you their legal services or cookie consent software – which were full of bad advice which seemed to just be a copy and paste job from the last article.

There were myths spread by people with only a vague understanding of the GDPR rules, who had likely never even read the legal text.

And there were (some) lawyers who appeared to be scrambling to catch up, they seemed only capable of repeating the same poor quality advice we were getting from the regulators at the time.

They also didn’t seem to understand how any business actually operated day to day. Getting to what GDPR actually meant in practice and how it would affect our day to day work was a nightmare.

My priorities were to get our entire operations compliant under GDPR and to keep up with my targets. I also needed to get my whole team up to speed with this new legislation so that we could stop putting in place processes that made our compliance worse.

To get the information I needed, I studied closely what the regulators said, I studied the law (yawn), and I spoke to as many experts as I could.

I ended up delivering my own company wide training seminar to help the company get up to speed with GDPR. 

I got a few laughs and to my surprise a round of applause at the end… I realised it was possible to teach something “boring” but still make it engaging.

This experience is what led me to start Measured Collective. My initial plan was to teach everyone about how to use data to design better business processes and to understand their customers better, but we kept running into the same roadblock in our discussions with our first clients. They had the data, but they hadn’t done the compliance work required to use it legally under GDPR.

So I pivoted to focus on data privacy training.

I started by looking at what training was already available on the market and found the same red flags again and again:

  • The slides for each course looked like they had travelled here from 1998.
  • The content was too basic, just repeating the bare bones GDPR knowledge.
  • There were hardly any examples or explanations of how to actually apply GDPR in practice.
  • The same old course was being resold again and again without any updates.

So with the help of some data privacy experts and the input of people who were working across HR, marketing and operations in businesses at the time I set out to make something different.

Data privacy training which was engaging – so trainees stay focussed. Comprehensive – so that trainees don’t have knowledge gaps which can put you at risk of fines. Full of examples – so trainees can understand how to apply what they’ve just learned. Regularly updated – so trainees don’t waste time learning out of date guidance, and companies can keep ahead with their compliance efforts.

It’s been a tough but rewarding experience (with more changes to data privacy law than we were expecting over the last few years). Now, three years in we get regular positive feedback from our clients in our end of course surveys and directly by email.

Hopefully we can get a chance to help you and your team out too – please let me know what you think.

How it works

Step 1

Buy course seats

Purchase online using your credit or debit card. Or contact us directly to pay by bank transfer. Our onboarding team will be in touch to help you invite staff members to take up their seats. They’ll receive an invite to join our learning platform by email.

Step 2

Start learning

Each team member will have access to the learning materials, interactive assessments and quizzes. On completion of the course team members will be issued with a certificate.

Step 3

Keep ahead

You’ll receive periodic updates by email covering changes to GDPR, enforcement cases and what they mean for your compliance efforts. We’ll also let you know how we’ve used this information to update the course. Trainees can review any updated lesson materials on the learning platform.

What’s included


  • Distraction-free online learning platform
  • Mini quizzes & end of course assessment


  • Access to all course material updates and enhancements for the length of your access period
  • Alerts about how changes to DPA18/GDPR may impact your organisation for the length of your access period


  • Certificate on completion 🎉


Will I get a certificate?

Yes, on completion of the course you will be issued with a digital certificate. It will be issued by our team shortly after completion of Sections 1-5 of the course including the end of course quiz. You can add this to your LinkedIn profile.

Can I buy multiple seats?

Yes, simply state a team name, for example “ABC GDPR Team”, then select the number of seats required. Next indicate whether you will be taking a seat yourself, or simply will be the administration contact for the purchase. Once you have completed payment you will be prompted to invite your team to join the course. They will then receive emails with their own access details.

Is there a money back guarantee?

Yes, you can cancel your order for a full refund within 14 calendar days of purchase. Any certificates issued within this time will be voided. This does not affect your statutory rights.

Ask us about this course

Ask a question and our friendly team will get back to you asap.

    Data processing subject to our privacy policy.

    About GDPR

    What is the Data Protection Act 2018?

    The Data Protection Act 2018 (DPA18) is a data protection law that governs the use of data in the UK. The DPA18 writes the EU GDPR into UK law. After Brexit, this part of the law is now referred to as UK GDPR. Many sections are copied word for word. But there are some differences that you need to be aware of if you are based in the UK or are processing the personal data of UK citizens.

    What are the fines under UK GDPR?

    Lower-tier violations can lead to a fine of up to £8.7 million or 2% of the organisation’s worldwide annual turnover, whichever is higher. More serious violations can lead to a fine of up to £17.5 million or 4% of the organisation’s worldwide annual turnover, whichever is higher. The tier applied depends on what provisions of UK GDPR have been breached.

    What are the fines under EU GDPR?

    There are two tiers of fines under EU GDPR. The upper maximum allows fines of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. The standard maximum allows fines of up to 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher. The tier applied depends on what provisions of EU GDPR have been breached.

    How is GDPR enforced?

    Local enforcement agencies exist in each country of the EEA (European Economic Area) and in the UK. For example, in the UK it’s the ICO, in France it’s the CNIL and in Spain it’s the AEPD. These are public bodies that work independently of the state. These agencies are required to enforce the application of GDPR and provide assistance to individuals and organisations to ensure that data subjects’ rights are upheld. These agencies lead investigations into non-compliance, and they have the power to audit organisations’ data practices and to issue fines for non-compliance.

    What counts as personal data under GDPR?

    The definition of personal data under the GDPR is broad. In Art. 4(1) of the GDPR, personal data is defined as any information related to an identified or identifiable natural person. It does not matter if it is not possible to fully identify the individual solely from the personal data concerned. If the personal data can be combined with other data to identify an individual then it still must be afforded protections under GDPR. Some examples of personal data could include a name, email address, date of birth, bank account details, ID card number, location history or metadata such as the time of access to a specific service or product.

    Who does GDPR affect?

    GDPR affects any organisation processing the personal data of EU residents (EU GDPR) or UK residents (UK GDPR). An organisation could be a sole trader, a registered business, a non-profit/charity or a club/membership organisation. Only natural persons processing data for non-commercial means would be exempt, or the processing of data by non-automated means which was not intended to be stored in a filing system later. For example, an individual storing their friend’s mobile number in their mobile phone would not be subject to GDPR. Neither would a Barista writing your name on a coffee cup. However, an individual working for a company, storing a client’s mobile phone number in a database would be. Similarly, an individual running a group class at a non-profit community centre who stores attendance lists containing personal data such as names and contact details would be subject to GDPR. The scope is wide.

    If personal data is processed for “b2b” purposes is it covered by GDPR?

    Yes. There is no “b2b” exemption under GDPR. Even if you are processing data about your suppliers, customers or competitors, for example the names and email addresses of senior managers that work in these organisations – you still need to afford that data GDPR level protections.

    What does the ICO say about “GDPR training”?

    The ICO recognises there are many different ways to make employees aware of their responsibilities with personal data under GDPR. They generally suggest a multi layered approach, a mixture of training and reminders (for example email updates, posters or other notices) to communicate with employees about GDPR. They recommend GDPR training as part of their accountability framework. Specifically the accountability framework recommends induction and refresher training for all staff that process personal data. And specialised training for staff with key data protection responsibilities (such as DPOs, subject access and records management teams).

    How does this course differ from the free GDPR course offered?

    Our free GDPR course covers very basic GDPR content. It is not recommended for organisations to use the free course for awareness training because some knowledge gaps will exist. The free GDPR course is aimed towards people who are looking for an opportunity to improve their CV or who are from organisations with zero budget for GDPR training, for example companies pre-formation or non-profit groups without an official legal wrapper who may be concerned about how GDPR can affect their data processing activities. The Essentials GDPR Course offered on this page is far more comprehensive than the free GDPR course. It features more real-life examples and goes into further detail on some of the biggest compliance risks.

    Course resources


    GDPR documentation requirements guide

    An overview of the documents mentioned in UK GDPR. What they are, the legal basis for preparing them and who should prepare them.


    GDPR legitimate interests assessment

    A template to assist you in making a legitimate interests assessment.

    Benefits of Measured Collective Plus

    What is Measured Collective Plus?

    An annual subscription that gives you and your team access to all our online courses.*

    *Does not include live courses delivered online, in-person classroom training or customised training

    What are the benefits?

    • Includes updates for the length of your subscription. So when the law or guidance changes, your staff stay informed. No need to buy another course.
    • Incredible value. Save up to £2,021 compared to buying course seats for 20 people separately.
    • One invoice. Less administration hassle compared to returning to add on refresher training or other courses at a later date.

    Other courses


    GDPR Refresher Training Course

    Included in PLUS

    A short interactive online GDPR refresher course that will keep your knowledge of GDPR sharp and help you reduce your risk of subsequent financial penalties.

    PECR for Marketers Training Course

    PECR – ePrivacy
    Included in PLUS

    Specialist training for sales and marketing teams that will teach them how to comply with PECR (Privacy and Electronic Communications Regulations) and the incoming ePrivacy regulation.

    Join our mailing list

    Get email alerts about GDPR and our take on the latest guidance. With a little bit of gossip too.

      Join this course

      Single Course

      Access to this course only. 6 months access.

      Measured Collective Plus +

      Unlimited access to all online courses and updates for the length of your subscription. Save up to £2,021 compared to buying course seats separately. See all benefits.

      Got a bigger team or want to host the content on your own LMS? Speak with sales.