Data Protection and Confidentiality Training Course

Data Protection is a legal requirement for every business and organisation which must be able to demonstrate measures have been taken to ensure confidentiality and the safe handling of information. This is a legal duty on all sectors who collect and store any kind of information. GDPR has updated the current act and it's now time to refresh what we know on both Data Protection and the changes GDPR has invoked from the 25th May 2018 when it became law.

This online guide will help you to learn the importance of confidentiality issues in the workplace.

Data Protection Confidentiality Guide

Guidelines for Dealing with Confidential Information


1. Safeguard your username, password and any other access credentials you have for systems and applications that deal with confidential information.

2. Protect mobile devices such as smartphones, tablets and USB drives that contain confidential information.

3. Never leave your computer unattended when confidential information is on the screen.

4. Before transmitting confidential information to others, be sure that:

  • The transmission complies with the law and privacy and security policies;
  • The recipient has a legitimate business purpose for the information;
  • You're sending no more information than is needed by the recipient; 
  • You're sending the information in a protected manner (e.g., encrypted) when called for by the company policies or the law.

5. Retain or destroy confidential information contained in your records in accordance with your record-management policy.

6. Report any security incidents or privacy breaches that you observe or become aware of as soon as possible.

Which one of the following shows respect for confidentiality of information?

  • Discussing confidential information over the telephone.
  • Disclosing confidential information only to authorised individuals.
  • Uploading confidential information to a shared web site.
  • Emailing confidential information to a colleague.

How should confidential information be sent using an unsecured network?

  • In an encrypted format.
  • In a compressed format.
  • In an attachment.

Mark the following statements as true or false.

  • Because you work in a secure building, you can discuss confidential information in an open work area.
  • The Information Security Policy and related policies only apply to electronic and hardcopy records and does not apply to verbal discussions.
  • You should always lock your computer when you are away from your desk.

How to Keep Your Password Safe

How can you keep your password secure?

  • Write it in your notebook.
  • Memorise it.
  • Tell a person who you know you can trust.

What is an example of a strong password?

  • 1234567890
  • G*rbea8$e
  • qwerty123
  • johndoe

Mark the following statements as true or false.

  • Your password should be changed regularly.
  • Whenever possible avoid using password managers.
  • It is OK to share your password with your colleagues.


Breaches of workplace confidentiality can result in a range of problems. Customers tend not to work with companies they think are untrustworthy, and consumers may specifically warn people away from companies that have mishandled private information.

This course has been produced so that employees are aware of the ways dealing with confidential information and keeping company data safe. 

Introduction to the General Data Protection Regulation

GDPR Introduction

Introduction to GDPR

Here we have a short video explaining the summarised regulatory requirements of the new General Data Protection guidelines. Listen carefully as a number of questions will follow shortly........


The GDPR Compliance Cycle 

Above we have an example of a GDPR Compliance Lifecycle. It explains the process journey of a data controller / processor when handling PII (Personal Identifiable Information) data. 

  • 1. Segment covers the ordering of data into risk categories. The data is identified and documented for auditing purposes and also allows the Data Controller to manage the type of processing a Data processor is allowed to do on PII data by Third Parties. 
  • 2. Control Assessment covers the risk evaluation of PII data held within the Data Controllers organisation. The Data Privacy Impact Assessment (DPIA) assists in identifying the risk of a data breach either by a system, process, project or third party processing PII data. 
  • 3. Remediation covers the actions required after the Control Assessment has identified a possibility for a system, process, project or third party company high risk breach. A change to one of these processes or supplier may need to be actioned to mitigate the risk.
  • 4. Ongoing Monitoring covers the day to day management of the security / risk compliance within the organisation. Nearly all organisations change on a daily basis so changes will need to be managed alongside the risk analysis. 

What is PII or Personal Identifiable Information? Select all that apply.

  • Name, Address, Telephone Number
  • Credit Card Number
  • Anything that identifies a living person or Information grouped together to identify a living person.
  • Employee ID
  • Cookies and IP addresses
  • All of the above

Automated and manual operations performed on personal data is better known as?

  • Filtering
  • Initiating
  • Profiling
  • Processing

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain person aspects relating to a person is better known as?

  • Filtering
  • Initiating
  • Profiling
  • Collecting

What is the name of the Supervisory Authority in the UK?

  • ODPC
  • ICO (Information Commissioners Office)
  • Ofsted
  • British Standards Institute

What is the maximum fine if found in breach of GDPR guidelines?

  • 4% of Gross turnover
  • 25 Million
  • 4 % of Global turnover plus 25 Million
  • 4 % of Global turnover or 25 Million whichever is the greater

Name or list the types of information grouped together or individually can make someone personally identifiable?

Name, Address, Postcode, DOB, NI Number, Pin Number, Credit Card, Phone Number, Login details, Email, Any ID Card, Physical Attributes, Ethnicity, Religion.

List 3 items that are PII on there own:

List 11 items that are not PII on there own from the list above.

GDPR Principles, Rights and Confidentiality

The Data Protection Act vs General Data Protection Regulation 

Above are the principle guidelines set out for both the DPA and GDPR. As you can see the update to the principles are similar in some cases and in others the principle is more specific. Work is still ongoing to update the principles or rules surrounding Big Data use within Financial institutions although the above should cover a vast majority of Big Data and automated profiling within these institutes. 

GDPR and Confidential Data 

Take a look at the video which covers more on confidentiality rights, and principles of the regulation. The fines and impact of a data breach if found by the Data Controller, Processor or user.

Can you match the 7 definitions to each of the 7 GDPR principles.

  • Consent
    Must be freely given, clear, unambiguous and positive.
  • Contract
    Processing requiring you to enter into and including ‘Agreed Terms and Conditions'
  • Legal Obligation
    HMRC must keep records for up to 7 years
  • Vital Interest
    Data processed to preserve life for example: NHS or a Doctors medical records on a patient.
  • Public Interest
    Authorities in the scope of public duties
  • Legitimate Interest
    If you are using this as a reason you should have a legitimate reasons why it should be used legally.
  • Lawful
    Must have a legal requirement to hold sensitive data on someone without any consent being given.

GDPR Scenarios

A local shop has CCTV installed outside the front door in the event that a criminal act takes place e.g. someone tries to break into the shop keeps the CCTV footage for 365 days before it is erased.