
GDPR — A Year in the Chair

EU + UK editions · DPA 2018 + DUAA 2025

Brief

Build a GDPR course that is a year-long job, not a regulation walkthrough. Six escalating crises across twelve months in the chair of a single DPO. The capstone — Module 6 — must read decisions made across all five preceding modules as evidence at a regulator's hearing. Then ship the same arc under both EU and UK regimes, with each capstone calibrated to the actual fining methodology the regulator uses. Audience: DPOs, Heads of Compliance, and CISOs at 250–2,500-employee firms.

Discovery & Analysis

The compliance market for GDPR is saturated with one shape of training: an annotated walk through the regulation, a quiz at the end. It teaches what the law says. It does not train what a DPO actually does, which is hold a portfolio of unresolved decisions across twelve months while regulators, board members, marketing, IT, and legal each pull in different directions. The skill that fails when the Irish DPC or the UK ICO opens an investigation is not vocabulary. It is *consistency under examination* — whether your decisions in March, June, and September read as a coherent privacy posture or as ad-hoc firefighting.

The discovery brief was therefore unusual: build a course where the learner spends a year as one DPO at one mid-market company, and where the capstone is not a knowledge test but a regulatory hearing in which every prior choice they made is read back as evidence. Then ship the same course twice — adjudicated under EU GDPR + the Irish DPC's Article 83(2) methodology, and under UK GDPR + the DPA 2018 + the Data (Use and Access) Act 2025 + the ICO's Notice of Intent process — so the same character defending the same year's work walks into two different regulators' chairs and gets two different verdicts.

Design & Development

The course is structured as twelve months in one chair. Aisha is the new DPO at a 1,400-employee mid-market firm. She inherits the role mid-quarter, with no honeymoon period, and faces six escalating crises before her first annual review. The narrative is a year, not a syllabus.

Design decisions that broke the GDPR-walkthrough mould:

• **The capstone is the evidence, not a quiz.** Module 6 is a regulator's examination in which the examiner cites the learner's own prior choices back at them. This required a cross-module state machine — choices in Modules 1–5 are persisted, classified by axis (timeliness, lawfulness, data minimisation, transparency, accountability), and surfaced at the hearing as supporting or contradictory evidence depending on consistency.

• **Two editions, one source-of-truth blueprint.** The EU and UK variants share narrative spine and character cast. The differences are surgical: substitute Irish DPC for ICO, Article 83(2) EU for Article 83(2) UK, Schrems-II for the UK adequacy regime, DUAA 2025 for the equivalent EU obligations. One narrative blueprint renders to two locale-specific products. This is the localisation discipline that distinguishes a real product line from a translated copy.

• **Four visual styles, chosen per cognitive demand.** Cinematic for stakeholder confrontations, paper-scrapbook for evidence assembly, ops-center for the live breach window, editorial-documentary for the regulator's hearing. Style is functional — it primes the cognitive mode the screen demands.

• **Eighteen voiced characters.** Aisha (DPO), the CTO, the Head of Marketing, the General Counsel, the breach reporter, the SAR requester, the DPC / ICO examiner, plus the supporting cast across customer-services, IT, and the board. Character count is a production claim — most off-the-shelf GDPR courses have one narrator and a handful of stock photos.

• **Real fining methodology integrated into the score.** The Article 83(2) factors are not described in a sidebar — they are the scoring axes at the capstone. A learner who answered Module 2's breach notification well but undermined themselves in Module 3's DPIA gets a fine reduced by the cooperation factor and increased by the intent factor, exactly as the regulator would calculate it.

Stack: native HTML/CSS/JS modules, SCORM 1.2 build pipeline, AI-assisted scene and character generation across both editions, multi-character TTS-driven voicework, automated browser QA across every decision path before ship. Both editions reviewed and signed off by qualified counsel in their jurisdiction (EU data protection, UK data protection) before release.

Evaluation

The shipped product covers what GDPR-as-vocabulary training does not:

• **Six escalating crises across twelve months in one DPO's chair.** Module 1 is a Subject Access Request on Article 9 special-category health data. Module 2 is a 16:10 Friday data breach with a 72-hour notification clock. Module 3 is a pre-launch DPIA where the product team has already chosen the vendor. Module 4 is a Schrems-II international-transfer decision. Module 5 is a cookie-banner consent trap surfaced by a complainant. Module 6 is the regulator's examination, where every prior decision returns.

• **Two editions, one DPO, two regulators.** The EU edition is adjudicated under EU GDPR with the Irish DPC's Article 83(2) fining methodology baked into the Module 6 score. The UK edition is adjudicated under UK GDPR + DPA 2018 + the Data (Use and Access) Act 2025, with the ICO's Notice of Intent process and Article 83(2) UK calculation. Same character, same year, same crises — different verdict.

• **The capstone reads forward.** Module 6's hearing is built from the learner's actual choices in Modules 1–5. The DPC or ICO examiner cites the SAR response timing, the breach notification language, the DPIA mitigations, the transfer impact assessment, and the cookie-banner audit trail — *as the learner chose them*. There is no separate revision section. The hearing is the audit trail.

• **Eighteen voiced characters across four visual styles.** Cinematic for the office scenes, paper-scrapbook for the audit-evidence assembly, ops-center for the breach window, editorial-documentary for the regulator's hearing. Style chosen per cognitive demand of the screen, not for visual consistency.

• **Real fining methodology.** Module 6 calculates a hypothetical fine using the same Article 83(2) factors the actual regulator applies — gravity, intent, mitigation, cooperation, prior offences. Learners walk out with a calibrated number, not a pass/fail.

• **2.75 hours total per edition.** SCORM 1.2 ready. Free playable demo from Module 1.

What this means for your organization

Most GDPR training treats privacy as a set of rules. This treats it as a year-long job. Six escalating crises across twelve months, in the chair of a single DPO. By the time the regulator opens the file in Module 6, every decision the learner made in Modules 1–5 is already an exhibit in the hearing. There is no studying for the capstone — it is built from what they actually did.
