Skip to content
CityLearning
Data & operational

Data Protection (UK GDPR)

Data protection training for UK firms — a practical grasp of the UK GDPR, lawful processing, data subject rights and breach response.

Duration: ~20 min Accreditation: CPD accredited (CII) Last updated: March 2026 Reviewed by: Margaret Hassett
Request a demo

What is data protection and why does it matter?

Data protection governs how your firm collects, uses and safeguards information about people. In the UK the rules come from the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, overseen by the Information Commissioner’s Office (ICO). Together they set the principles for lawful processing, individuals’ rights over their data, and the duty to keep it secure — and financial firms hold especially sensitive data.

What are the consequences of getting data protection wrong?

A poorly handled data subject access request, an unlawful basis for processing or an unreported breach can expose your firm to ICO enforcement, fines of up to £17.5 million or 4% of global turnover, and lasting reputational harm. The risk rarely comes from the systems alone — it comes from everyday decisions by people unsure what the rules require, which is why workforce-wide awareness matters.

What does data protection training cover?

This course gives your team a clear, jargon-free grasp of the essentials. Learners explore the data protection principles, recognise personal and special category data, and practise responding correctly to requests including data subject access requests (DSARs). They also learn to spot a personal data breach and report it within the 72-hour window the rules demand, grounded in realistic scenarios.

Who needs data protection training?

Because almost everyone in a regulated firm handles personal data at some point, UK GDPR training is designed for all staff — effectively the whole organisation. The UK GDPR’s accountability principle requires firms to demonstrate compliance, and documented, role-relevant training is a recognised way to evidence that staff understand their obligations. We keep the content current as UK guidance evolves.

What your team will learn

  • Identify the data protection principles under UK GDPR
  • Recognise personal and special category data
  • Respond correctly to data subject rights requests
  • Identify and report a personal data breach within 72 hours

What's included

  • ~20 min of focused, scenario-based learning
  • CPD accredited (CII)
  • Built-in quiz with a configurable pass mark
  • Reviewed and kept current with UK regulation
  • Time-stamped completion records for your audit trail

How it works

  1. Assign it in seconds

    Enrol a team, a role or your whole firm from the CityREPORTS dashboard, with automated reminders that chase completion for you.

  2. Your team completes it

    Learners work through the course at their own pace on any device, finishing with a short assessment that demonstrates understanding.

  3. Evidence it to the regulator

    Every completion is time-stamped and retained, so you can prove the right people did the right training at any moment.

Frequently asked questions

What is UK GDPR training and who needs it?
UK GDPR training gives staff a practical grasp of the UK General Data Protection Regulation and the Data Protection Act 2018 — lawful processing, data subject rights and breach response. Because almost everyone in a regulated firm handles personal data at some point, it is designed for all staff, effectively the whole organisation.
What is the difference between UK GDPR and the Data Protection Act 2018?
The UK GDPR sets out the core principles and obligations for processing personal data. The Data Protection Act 2018 sits alongside it, tailoring and supplementing those rules for the UK — for example on exemptions, special category data and law-enforcement processing. The Information Commissioner's Office (ICO) regulates both.
How quickly must a personal data breach be reported?
Where a personal data breach is likely to risk people's rights and freedoms, the firm must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk to individuals is high, affected people must also be told without undue delay. Staff must recognise and escalate breaches promptly.
What is a DSAR?
A data subject access request (DSAR) is a request from an individual to see the personal data a firm holds about them. Under the UK GDPR, firms must usually respond within one month, free of charge. Front-line staff need to recognise a DSAR however it arrives, as the clock starts when the request is received.
What are the consequences of a UK GDPR breach?
The ICO can issue enforcement notices and fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious infringements. Beyond regulatory penalties, breaches can trigger compensation claims, reputational damage and loss of customer trust — and in financial services, FCA interest where data failings affect customer outcomes.
What are the data protection principles under UK GDPR?
There are seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The accountability principle requires firms not only to comply but to demonstrate compliance — through records, policies and training — which is why staff awareness is central.
What lawful basis is needed to process personal data?
UK GDPR requires a lawful basis for every processing activity. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. Firms must identify and document the appropriate basis before processing, and special category data needs an additional condition. Staff should understand why a basis matters in their work.