What is GDPR?

Introduction to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation, commonly known as GDPR, is an EU-wide legal framework for privacy and data protection. Enforced from 25 May 2018, GDPR was adopted by the European Parliament and the Council of the European Union. It governs the handling of personal data relating to individuals (data subjects) in the European Economic Area (EEA) and impacts organisations both within and outside the EU through its extraterritorial reach.
Historical Context and Scope
GDPR replaced the EU Data Protection Directive (Directive 95/46/EC) and was designed to harmonise data privacy laws across Europe. Its provisions apply to data controllers and data processors that handle EEA residents’ personal data, regardless of where the organisation is established. The legislation aims to protect fundamental rights and freedoms, particularly the right to privacy.
| Adoption Date | Enforcement Date | Jurisdiction |
|---|---|---|
| 14 April 2016 | 25 May 2018 | European Union / International Implications |
Key GDPR Principles
GDPR sets out essential principles for data processing, guiding organisations on how to lawfully handle personal data:
- Lawfulness, fairness, transparency: Processing must have a legal basis, be transparent, and fair to individuals.
- Purpose limitation: Data must be collected for specified, explicit purposes and not processed further in ways incompatible with those purposes.
- Data minimisation: Only data that is adequate, relevant and limited to what’s necessary should be collected.
- Accuracy: Organisations must ensure data is accurate and kept up to date.
- Storage limitation: Data should be kept in a form which permits identification for no longer than necessary.
- Integrity and confidentiality: Data must be processed securely to protect against unauthorised access, loss or damage.
- Accountability: Data controllers are responsible for demonstrating compliance with all these principles.
Individual Rights Under GDPR
GDPR empowers individuals (data subjects) with distinct rights regarding their personal data. These rights are:
| Right | Description |
|---|---|
| Right to access | Individuals can obtain confirmation and a copy of their personal data being processed. |
| Right to rectification | Allows correction of inaccurate or incomplete data. |
| Right to erasure (right to be forgotten) | Enables data subjects to have their data deleted under certain conditions. |
| Right to restrict processing | Processing can be restricted in certain circumstances. |
| Right to data portability | Permits individuals to obtain and reuse their data across different services. |
| Right to object | Individuals can object to data processing based on specific grounds. |
| Rights in relation to automated decision-making | Safeguards with respect to automated processing and profiling. |
Organisational Obligations and Requirements
Organisations must comply with a range of duties under GDPR, including:
- Lawful basis for processing: Identify and document an appropriate legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Obtaining valid consent: Where relied upon, consent must be freely given, specific, informed, and unambiguous.
- Appointment of a Data Protection Officer (DPO): Public authorities and certain organisations conducting large-scale systematic monitoring or processing of sensitive data must appoint a DPO.
- Data breach notification: Notify the relevant supervisory authority within 72 hours of becoming aware of a data breach, and inform data subjects where required.
- Documentation and record-keeping: Maintain records of processing activities as evidence of compliance.
- Privacy by design and by default: Integrate data protection into business processes and systems from the outset.
- Transparency and privacy policy: Clearly inform individuals about data practices via concise, accessible privacy policies.
Penalties and Enforcement
Supervisory authorities across the EU, such as national data protection regulators, are responsible for GDPR enforcement. Non-compliance can result in significant administrative fines:
| Type of Breach | Maximum Penalty |
|---|---|
| Standard breaches | Up to EUR 10 million or 2% of annual global turnover (whichever is higher) |
| Severe breaches | Up to EUR 20 million or 4% of annual global turnover (whichever is higher) |
In addition to fines, organisations may face legal actions, reputational damage, and mandatory changes to data processing practices. Examples of enforcement include penalties for insufficient consent mechanisms and failing to report breaches on time.
Checklist: Steps for GDPR Compliance
- Identify if GDPR applies to your organisation’s personal data processing activities.
- Ensure a clear lawful basis exists for each processing activity.
- Update privacy policies to reflect GDPR requirements.
- Review consent mechanisms for clarity and observability.
- Appoint a Data Protection Officer if required.
- Maintain up-to-date records of processing activities (Article 30 records).
- Implement ‘privacy by design and by default’ into your systems and processes.
- Prepare protocols for data breach detection, reporting, and investigation.
- Train staff on GDPR requirements and data handling best practices.
- Assess cross-border data transfers and ensure appropriate safeguards are in place when transferring data to a third country.
Commonly Used GDPR Abbreviations
| Abbreviation | Meaning |
|---|---|
| GDPR | General Data Protection Regulation |
| DPO | Data Protection Officer |
| EEA | European Economic Area |
| EU | European Union |
| UK GDPR | UK’s version of the GDPR post-Brexit |
Global Reach and International Implications
GDPR’s extraterritorial provisions mean that organisations outside the EU must comply if they offer goods or services to EEA residents or monitor their behaviour. Special rules apply to international data transfers to countries outside the EEA (third countries), including use of standard contractual clauses or adequacy decisions by the European Commission.
The UK GDPR mirrors the EU GDPR but is tailored to the domestic context post-Brexit. Organisations may need to comply with both UK and EU regulations if operating across these jurisdictions.
Further Reading and Authoritative Resources
FAQs
Who does GDPR apply to?
GDPR applies to any organisation processing the personal data of individuals (data subjects) within the European Economic Area, regardless of where the organisation is established. It also covers data controllers and data processors outside the EEA if they offer goods or services to EEA residents or monitor their behaviour.
What are the main penalties for non-compliance with GDPR?
Penalties for non-compliance can reach up to EUR 20 million or 4 percent of annual global turnover, whichever is higher. Lower tier breaches incur up to EUR 10 million or 2 percent of turnover. Authorities may also impose corrective measures or require operational changes.
What types of data does GDPR protect?
GDPR protects ‘personal data’: any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and factors specific to an individual’s identity.
What must organisations do in the event of a data breach?
Organisations must assess the breach, notify the relevant regulatory authority within 72 hours if there’s a risk to the rights and freedoms of individuals, and inform affected data subjects without undue delay when required. Detailed records of the breach must be maintained.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data, whereas a data processor acts on behalf of, and only under the instructions of, the data controller.
How can organisations demonstrate GDPR compliance?
By implementing appropriate technical and organisational measures, maintaining documentation, training staff, performing data protection impact assessments, and cooperating with supervisory authorities when required.
How does GDPR affect organisations outside the EU?
Organisations outside the EU must comply with GDPR if they process EEA residents’ personal data for offering goods or services, or for monitoring behaviour. This often requires appointing an EU representative and meeting cross-border data transfer requirements.
