GDPR for Beginners

By the end of this training, participants will be able to:

• Understand the legal foundations of GDPR by interpreting core principles (Art. 5) and real court rulings and decisions from data protection authorities.
• Identify and classify personal data — including special category and mixed data — using practical examples and legal definitions (Art. 4, 9).
• Apply data subject rights in practice (Art. 12–23) by drafting access, rectification, and erasure responses using AI-supported templates and real case examples.
• Differentiate the roles and responsibilities of data controllers, processors, and Data Protection Officers (DPOs), and understand liability and accountability mechanisms (Art. 24–28, 37).
• Build a GDPR-compliant Record of Processing Activities (RoPA) for a fictional organisation, covering data types, purposes, legal bases, transfers, and retention (Art. 30).
• Conduct a personal data risk assessment based on the RoPA and map the risks to appropriate legal, technical, and organisational safeguards (Art. 32, 35).
• Simulate a GDPR-style internal audit using real-world checklists, reporting structures, and team-based scenarios modelled after DPA expectations.
• Leverage AI tools responsibly to draft privacy policies, DPIA summaries, data handling procedures, and data subject request replies while maintaining human oversight.

Module 1: GDPR Principles in Action

What you’ll learn:

• The 7 core GDPR principles (Art. 5)
• Real cases demonstrating breaches and how authorities enforced them

Hands-on:

• Analyse 3 short case summaries (e.g., H&M, Google Spain, Clearview AI)
• Match each principle to the facts
• Use AI to paraphrase legalese into plain language explanations

Module 2: Personal, Special & Mixed Data – What You Hold and How You Handle It

What you’ll learn:

• Art. 4 definitions of personal, special category, and mixed personal data
• How to distinguish facts from opinion in performance reviews, HR records, etc.

Hands-on:

• Review 5 anonymised data samples
• Use AI to classify each one and suggest legal bases for processing

Module 3: Rights of the Data Subject

What you’ll learn:

• Overview of Art. 12–23: access, rectification, erasure, objection, portability
• When and how rights apply, with real enforcement examples

Hands-on:

• Use templates + AI to draft:
  • Access request reply
  • Erasure confirmation
  • Rectification notice

Module 4: Roles & Responsibilities – Controller, Processor, DPO

What you’ll learn:

• Art. 24–28 obligations
• What regulators look for in DPOs, contracts, and processor accountability

Hands-on:

• Work in pairs to assign responsibilities in a real scenario (e.g., a SaaS company using external HR tools)
• Use AI to review contract clauses and flag missing elements

Module 5: Build Your GDPR Register (RoPA)

What you’ll learn:

• Art. 30 register requirements
• How to document data subjects, purposes, legal bases, transfers, and retention

Hands-on:

• Use AI-assisted templates to build a RoPA for a fictional company
• Peer review another group’s RoPA for completeness and clarity

Module 6: Risk Assessment, Safeguards, & AI Governance

What you’ll learn:

• How to conduct a basic risk analysis
• Choosing proportionate safeguards (Art. 32, 35)
• When to perform a DPIA to identify risks.
• Manage high risks in compliance with EU-AI Act

Hands-on:

• Identify 3–5 risks in your RoPA
• Use AI to suggest suitable technical, legal, and organisational controls

Module 7: GDPR Audit Simulation

What you’ll learn:

• Internal audit structure: scope, findings, remediation
• Common findings in supervisory authority audits

Hands-on:

• Simulate a DPO-style audit of your fictional organisation:
  • Check data flows
  • Review documentation
  • Issue a mock audit report using templates

Module 8: Draft Key GDPR Documents with AI

What you’ll learn:

• AI-assisted policy generation: privacy notice, internal policy, DPIA summary
• Ensuring human oversight and GDPR-compliant outputs

Hands-on:

• Feed your RoPA or scenario into AI tools
• Draft:
  • Privacy notice
  • Data retention policy
  • DPIA summary
  • Subject Access Request (SAR) response
• Review outputs for compliance and clarity

• Key GDPR and EU AI Act concepts decoded using real-life court cases and enforcement actions from Data Protection Authorities.
• Identification and handling of different data types: personal, special category, and mixed personal data.
• Breakdown of all data subject rights (Art. 12–23) with practical, real-world examples and template-based exercises.
• Roles, responsibilities, and liability mapping for controllers, processors, and DPOs — including joint and third-party processing cases.
• Live, guided creation of a GDPR Record of Processing Activities (RoPA) from a fictional organisational context.
• A simple framework for personal data risk assessment, connected to appropriate safeguards and DPIA triggers.
• Use of checklists and audit tools to simulate a GDPR internal audit with peer review and role-based tasks.
• Introduction to AI-assisted compliance writing, including privacy notices, SAR responses, and internal data protection policies.
• Ready-to-use templates, AI prompt libraries, register samples, and compliance checklists for real-world deployment post-training.

Methodology based on Active Learning: 50% minimum practice. Each theoretical point is systematically followed by examples and exercises.

• Participants will complete small, practical assignments after each module.
• Progress will be continuously monitored through quick tasks and feedback.
• There will be no heavy exams - just simple hands-on practice to build confidence.

Certificate of completion