UK GDPR & DPA 2018 · DUAA 2025 · PECR
A Year in the Chair
Twelve months as a DPO. Six decisions that determine whether you are an exhibit or an example.
You are Dr Aisha Khan, Data Protection Officer at Cerulith Health Ltd. Across six interlocking modules — a Subject Access Request, a 72-hour breach, a DPIA on Art 9 health data + automated decision-making, a Schrems II vendor migration, a PECR-edge re-engagement campaign, and an ICO investigation — you make the decisions that decide what Helena Brandt finds in her binder when she arrives at Bishopsgate on 19 January 2027.
Course progress:Loading…
1M1
The Request
Sam Chen files an Article 15 SAR. Eighteen thousand data points across three years across three processors. Rachel wants to refuse it. The clock starts at receipt.
2M2
72 Hours
Friday 16:10. Imran walks in with a ransom note. 428,302 records, 39,241 health-data subjects. Three decisions before Monday's deadline. The Art 33 clock does not stop for weekends.
3M3
The Register
Six weeks to launch. Pulse Clinic AI: triage on Art 9 health data, automated decision-making, no human in the loop. ROPA, DPIA, Art 36 — what gets logged, what gets shipped.
4M4
The Transfer
Quarter-end vendor switch to a US analytics processor. DPF on the cover sheet, Palisade Compute on page 14. Three transfer-basis decisions. Schrems II is alive in your inbox.
5M5
The Consent Trap
Wednesday 16:42. James Okafor's Slack DM lands. Operation Pulse Back — 310k re-engagement, a redesigned cookie banner, a Voxly data-append. Recital 47 vs PECR Reg 22. The two-layer test.
6M6
The Room
Monday 19 January 2027, 09:42. Helena Brandt arrives at Bishopsgate with the binder. Three decisions across the morning. Everything from M1–M5 is in the binder. You defend it.