21 free interactive exercises across 2 structured courses covering GDPR compliance and OWASP privacy risks.
Every exercise is free, runs in your browser, and requires no sign-up. Prepare your team for the privacy requirements auditors actually check.
11 exercises
Build compliant opt-in flows that regulators accept.
Triage a breach and meet the 72-hour notification clock.
Evaluate a product feature through a privacy-first lens.
Process a data subject access request end to end.
Redact personal data from documents before disclosure.
Spot fake data access requests used for social engineering.
Evaluate a vendor's data processing controls before signing.
Coordinate security and privacy teams during a live breach.
Navigate transfer mechanisms for data leaving the EEA.
Run a DPIA for a high-risk data processing activity.
Build an Article 30 processing register from scratch.
10 exercises
Discover a web application vulnerability that silently leaks personal data through error messages and insecure API responses.
Contain a data leakage incident where customer PII reaches unauthorized vendors through misconfigured file sharing.
Manage a data breach where your organization must contain the leak, notify regulators, and inform affected individuals under tight deadlines.
Fix a sign-up form that bundles multiple consent purposes into a single checkbox, violating granular consent requirements.
Audit a corporate privacy policy that uses legal jargon to obscure how personal data is actually collected, stored, and shared.
Trace a user's deletion request across backups, analytics systems, and third-party integrations to ensure no personal data persists.
Investigate how outdated and incorrect personal data in a CRM causes real harm through wrong credit decisions and misdirected communications.
Discover that a shared workstation retains full access to a previous user's personal accounts and medical records due to missing session expiration.
Fulfill a data subject access request by locating personal data scattered across fragmented systems before the regulatory deadline expires.
Audit a registration form and analytics implementation that collect far more personal data than the service actually needs.
Privacy and compliance training teaches employees to handle personal data according to regulations like GDPR and industry frameworks like the OWASP Top 10 Privacy Risks. GDPR applies to any organization processing personal data of EU residents, with fines up to EUR 20 million or 4% of annual global turnover for non-compliance.
This catalogue covers 21 exercises across 2 courses. The GDPR Compliance course covers breach notification, data subject access requests, privacy by design, cross-border transfers, and processor vetting. The OWASP Top 10 Privacy Risks course covers application vulnerabilities that leak personal data, operator-sided data leakage, breach response failures, consent dark patterns, non-transparent policies, insufficient data deletion, data quality issues, session expiration gaps, blocked access requests, and excessive data collection.
Every exercise simulates real compliance scenarios employees encounter in their daily work, from handling DSARs to auditing consent forms.
Common questions about GDPR compliance, OWASP privacy risks, and our data protection training exercises.
GDPR Article 7 requires that consent be freely given, specific, informed, and unambiguous. Organizations must use clear affirmative action like unticked checkboxes, keep records proving when and how consent was obtained, and make withdrawal as easy as opting in.
Pre-ticked boxes, bundled consent, and vague privacy policies do not meet the standard. Regulators have imposed over EUR 400M in fines related to consent violations.
Under GDPR Article 33, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals.
The notification must include the nature of the breach, approximate number of affected individuals, likely consequences, and measures taken. British Airways was fined GBP 20M partly for delayed and inadequate breach response.
Privacy by design, codified in GDPR Article 25, requires organizations to integrate data protection into the design of systems and processes from the start, not bolt it on afterward. This includes data minimization, purpose limitation, and privacy-protective default settings.
The concept originated with Ann Cavoukian's seven foundational principles in the 1990s and became a legal obligation when the GDPR took effect in 2018.
A Data Subject Access Request (DSAR) is a right under GDPR Article 15 allowing any individual to request a copy of the personal data an organization holds about them.
Organizations must respond within 30 days, provide the data in an accessible format, and include information about processing purposes, retention periods, and third-party recipients. Requests can arrive through any channel, including email, web forms, or verbal communication.
Article 28 requires a written contract, called a Data Processing Agreement (DPA), between the controller and every processor handling personal data. The DPA must specify the processing purpose, data types, duration, and security measures.
Processors can only engage sub-processors with prior written authorization from the controller. The processor must assist with DSARs, breach notification, and data deletion, and submit to audits by the controller.
The OWASP Top 10 Privacy Risks is an industry framework that identifies the ten most common ways organizations mishandle personal data.
It covers web application vulnerabilities that leak PII, operator-sided data leakage, insufficient breach response, bundled consent, non-transparent policies, failed data deletion, poor data quality, missing session expiration, blocked data subject access, and excessive data collection. The framework helps organizations assess and mitigate privacy risks beyond regulatory compliance.
The OWASP Top 10 Privacy Risks overlaps significantly with GDPR requirements. For example, OWASP P3 (Insufficient Data Breach Response) maps to GDPR Article 33 breach notification, P4 (Consent on Everything) maps to Article 7 consent requirements, P6 (Insufficient Deletion) maps to Article 17 right to erasure, and P9 (Inability to Access Data) maps to Article 15 data subject access rights.
Training on both frameworks gives teams a complete picture of privacy obligations.
Roll out interactive privacy and compliance training to your entire workforce. SCORM-compatible, analytics-ready, and designed for enterprise deployment.