GDPR Onlines

Short, punchy courses delivered at your desk (or in your home wearing pyjamas, I won’t know the difference) – one or two hours, full materials available, and everything you would expect from a 2040 course. Listen and learn, ask questions and get answers.


One hour courses are £50 + VAT.
Two hour courses are £80 + VAT
The GDPR and Photography course is a special offer at £30 + VAT
DPIA bundle (2 x 2 hrs) is £140 + VAT
Courses start at 9.30am or 10am: check start time when you book! 
2 hour courses include a 5 minute break


Your booking is for one person, and you agree when you book that only one person will view the course. Discounts are available if you want more people to attend; contact for more information.
You can cancel your attendance up to one week before the course; after that, no refunds are available. You will get access to a recorded version of the course if you cannot attend on the day.

To book, click on the link by your chosen course:

GDPR and Photography (2 hrs)

28th August 2020
What happens when you take out your camera and start taking pictures of people? Can you do what you like? Can you take pictures of strangers? What happens if you want to use your images commercially? What happens if you’re making art? A lot of nonsense has been spoken and written about the issue of photography; this straightforward, plain English course will give you all the answers you need to reduce your risk and take all the pictures you need.

Data Sharing Masterclass (2 hrs)

3rd September 2020
Data sharing is often perceived to be the most complex and difficult of DP issues, but the legislation doesn’t see disclosure as being any different to other forms of processing. There are pitfalls, especially if the data will be re-purposed or where you might need to disclose confidential or sensitive data. This a practical, plain English guide to ensuring that disclosures are lawful and justified – as well as details of how the DPA exemptions apply and what the rules are for special categories data, the course also covers data sharing agreements, data processors and disclosures across International boundaries.

SARs: searching, redaction and exemptions (2 hrs)

September 7th 2020
Once you have a valid subject access request, what then? How do you search for information? What can you legitimately exclude from a request? How do you deal with information about other people, or staff members, especially if they don’t want to be identified? If you’re dealing with a difficult or angry applicant, what do you have to tell them about the information you’ve withheld? This practical, no-nonsense course will answer all these questions and more. I’ve been dealing with subject access requests since 2002, and I have a lot to tell you!

GDPR Rights (2 hrs)

September 9th 2020
Everyone in Data Protection is obsessed by subject access (and rightly so, it’s the right that people are most likely to use), but the GDPR contains multiple rights including rectification, access to portable data and the notorious right to be forgotten – which weirdly, isn’t a right to be forgotten at all. This plain-English course will give you an overview of all of the rights, including previous cases, advice from regulators, and practical tips to deal with them efficiently and fairly.

DPO Essentials (2 hrs)

September 11th 2020
Who should be a Data Protection Officer? What skills and knowledge are required? When you’re doing the job, what do you need to tackle? What do you need to know about your organisation? What are the best techniques to help your colleagues to achieve a balance between data protection compliance and effective working? All these questions are more will be answered on this practical and entertaining course.

Marketing and Data Protection (2 hrs)

21st September 2020
Especially in the current environment, organisations need to promote their products and services effectively and intelligently. Too many people think only of GDPR in terms of the law’s effects and people’s rights, and while it’s important, you also have to think about the Privacy and Electronic Communications Regulations (also know as PECR). Unlike the GDPR, which is largely about principles and judgment, PECR has rules, and there are subtle differences depending on how you obtained your data and who you’re sending your marketing to (B2C is very different to B2B). Whatever questions you have, this detailed and entertaining course will answer them.

DPIAs and DP by Design: the basics (2 hrs)

September 23rd 2020
This practice, no-nonsense two hour course covers the basics of introducing a Data Protection by Design approach, including techniques to make GDPR compliance easier and more routine and steps to building a practical and effective DP culture. In particular, how do you use Data Protection impact assessments to get to grips with the GDPR / DPA requirements? What is a DPIA? When is a DPIA mandatory? Who should carry them out? All these questions and more will be answered on this practical and plain English online course.
This course works in conjunction with DPIAs in practice, which is running on September 30th 2020. A discount is available if you book both.

DPIAs in Practice (2 hrs)

September 30th 2020
This is a practical two-hour session which deals with carrying out a DPIA on a specific project. We look at each stage of the process: When should you get started? How do you address the GDPR principles? How do you identify risks and what methodologies can you follow to assess them properly? When should you change the project, and when can you accept that some risks are essential to the business? What is prior consultation? Including examples of templates and processes that work well (and also some approaches that will sink you), this practical and entertaining course will set you up to get more out of the DPIA than just a tick in a box.
This course works in conjunction with DPIAs and DP by Design: the basics, which is running on September 23rd 2020. A discount is available if you book both.

Controllers vs Processors (1 hr)

5th October 2020
One of the areas that causes the greatest confusion in Data Protection (and always has) is the definition of a data controller as opposed to a processor. Controllers can use personal data for whatever they choose, as long as this does not infringe GDPR, whereas processors just do as they are told. Any time spent in the DP world will throw up examples of controllers claiming to be processors and vice versa. This no-nonsense, plain English course will show how to negotiate this difficult territory – tips to spot a processor, risks when contracting out data processing and when you’re likely to be infringing the GDPR but you’ll do it anyway.


SAR Basics (1 hr)

Dealing with a subject access request is a tricky business and this no-nonsense course will teach you what you need to do when a SAR arrives. Checking ID, dealing with requests made via solicitors and other third parties and deciding whether the request is complex will all be dealt with, as well as the thorny issues of when a request might be unfounded or vexatious. GDPR SARs are not the same as subject access used to be, and this course will teach you how to negotiate the challenges.

CCTV Essentials (2 hrs)

When can we use CCTV? Can we use it in secret? What do you need to consider when using CCTV? Who can you share images with? What happens if someone makes a subject access request for CCTV data? All of these questions and more will be answered in this entertaining and practical course.

GDPR Essentials (2 hr)

GDPR is two years old, and an awful lot of nonsense has been written and said about how it works. Listen to the wrong person, and you’ll be convinced that you’re going to be inundated with access requests, fined 4% of your turnover and forced to get consent for everything. This course will set you right. You can’t learn everything in two hours, but this practical, entertaining course will get you started. What are the basic requirements of GDPR? What rights do people have over their data? When do you need consent? What breaches do you need to report to the ICO? Ideal for small organisations, but also with some surprises for the biggest – book now for the perfect crash course in all things GDPR.

GDPR and HR (1 hr)

Recruitment, references, grievances, monitoring, marketing to staff: GDPR has implications for all these and more. In the current crisis, we also have the complications of working from home, health testing and monitoring. This practical update will highlight the tricky issues and how to deal with them.