Data Protection (UK GDPR)
Data protection training for UK firms: a practical grasp of the UK GDPR, lawful processing, data subject rights and breach response.
Want this course for your team?
See it in action and get pricing tailored to your firm and learner numbers.
Request a demoWhat is data protection and why does it matter?
Data protection governs how your firm collects, uses and safeguards information about people. In the UK the rules come from the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, overseen by the Information Commissioner’s Office (ICO). Together they set the principles for lawful processing, individuals’ rights over their data, and the duty to keep it secure. Financial firms hold especially sensitive data.
What are the consequences of getting data protection wrong?
A poorly handled data subject access request, an unlawful basis for processing or an unreported breach can expose your firm to ICO enforcement, fines of up to £17.5 million or 4% of global turnover, and lasting reputational harm. The risk rarely comes from the systems alone. It comes from everyday decisions by people unsure what the rules require, which is why workforce-wide awareness matters.
What does data protection training cover?
This course gives your team a clear, practical grasp of data protection essentials. Learners explore the core principles, understand the rights individuals hold over their personal data, and learn how to handle requests and secure valid consent correctly. The course also clarifies accountability, distinguishing the data controller’s role in determining how personal data is processed from the data processor’s role in handling it securely on the controller’s behalf. Grounded in realistic scenarios, learners finish understanding exactly what data protection looks like in their own day-to-day role.
Who needs data protection training?
Because almost everyone in a regulated firm handles personal data at some point, UK GDPR training is designed for all staff, effectively the whole organisation. The UK GDPR’s accountability principle requires firms to demonstrate compliance, and documented, role-relevant training is a recognised way to evidence that staff understand their obligations. We keep the content current as UK guidance evolves.
What your team will learn
- Apply the core data protection principles in everyday decisions
- Distinguish personal data from special category data
- Handle data subject rights requests with confidence
- Recognise a personal data breach and know how to report it
What's included
- ~20 min of focused, scenario-based learning
- CPD accredited (CII)
- Built-in quiz with a configurable pass mark
- Reviewed and kept current with UK regulation
- Time-stamped completion records for your audit trail
How it works
-
Assign it in seconds
Enrol a team, a role or your whole firm from the CityREPORTS dashboard, with automated reminders that chase completion for you.
-
Your team completes it
Learners work through the course at their own pace on any device, finishing with a short assessment that demonstrates understanding.
-
Evidence it to the regulator
Every completion is time-stamped and retained, so you can prove the right people did the right training at any moment.
Frequently asked questions
- What is UK GDPR training and who needs it?
- UK GDPR training gives staff a practical grasp of the UK General Data Protection Regulation and the Data Protection Act 2018: lawful processing, data subject rights and breach response. Because almost everyone in a regulated firm handles personal data at some point, it is designed for all staff, effectively the whole organisation.
- What is the difference between UK GDPR and the Data Protection Act 2018?
- The UK GDPR sets out the core principles and obligations for processing personal data. The Data Protection Act 2018 sits alongside it, tailoring and supplementing those rules for the UK, for example on exemptions, special category data and law-enforcement processing. The Information Commissioner's Office (ICO) regulates both.
- How quickly must a personal data breach be reported?
- Where a personal data breach is likely to risk people's rights and freedoms, the firm must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk to individuals is high, affected people must also be told without undue delay. Staff must recognise and escalate breaches promptly.
- What is a DSAR?
- A data subject access request (DSAR) is a request from an individual to see the personal data a firm holds about them. Under the UK GDPR, firms must usually respond within one month, free of charge. Front-line staff need to recognise a DSAR however it arrives, as the clock starts when the request is received.
- What are the consequences of a UK GDPR breach?
- The ICO can issue enforcement notices and fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious infringements. Beyond regulatory penalties, breaches can trigger compensation claims, reputational damage and loss of customer trust, and in financial services they can attract FCA interest where data failings affect customer outcomes.
- What are the data protection principles under UK GDPR?
- There are seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The accountability principle requires firms both to comply and to demonstrate compliance, through records, policies and training, which is why staff awareness is central.
- What lawful basis is needed to process personal data?
- UK GDPR requires a lawful basis for every processing activity. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. Firms must identify and document the appropriate basis before processing, and special category data needs an additional condition. Staff should understand why a basis matters in their work.
Related courses
Cyber Security Awareness
Cyber security training for UK financial services that equips staff to be the first line of defence against phishing, ransomware and social engineering.
Operational Resilience
Operational resilience training for UK firms covering the FCA/PRA framework, important business services, impact tolerances and each team's role.