UK GDPR + DUAA 2025 training methodology
How NureComp's GDPR refresher maps to the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 — including the mandatory complaints procedure live from 19 June 2026.
Self-authored v1.0 — pending DPO-practitioner review and UK data protection law solicitor sign-off.
1. Statutory anchor
- UK GDPR + DPA 2018 — controllers and processors must ensure staff are trained on data protection (UK GDPR Article 39(1)(b) for DPOs; Article 32 for security; Article 5(2) accountability).
- Data (Use and Access) Act 2025 — adds: complaints procedure (s. mandatory from 19 June 2026), automated decision-making transparency, scientific-research grounds.
- PECR — cookies, e-marketing, soft opt-in nuance.
- ICO guidance — age-appropriate design code, AI guidance 2024, recruitment guidance.
2. Module structure
| Module | Audience | Duration |
|---|---|---|
| Foundations — what UK GDPR + DUAA requires | All staff | 25 min · 0.5 CPD |
| DPO overlay — Article 39 obligations + DUAA complaints | DPOs only | 20 min · 0.5 CPD |
| Processor overlay — handling personal data day-to-day | High data-handling roles | 12 min · 0.25 CPD |
| Special-category overlay — Article 9 data | Health/HR/biometric handlers | 15 min · 0.25 CPD |
| Marketing & PECR overlay — cookies, consent, e-marketing | Marketing / customer-facing | 12 min · 0.25 CPD |
| Sector overlay — sector-specific scenarios | All staff | 10-15 min · 0.25 CPD |
| Final assessment — 20 scenario questions | All staff | 15 min · 0.5 CPD |
3. Role-mapping algorithm
- Foundations module (always)
- DPO overlay if learner is the org's DPO (manual flag)
- Processor overlay if `handles_personal_data`
- Special-category overlay if `handles_special_category_data`
- Marketing overlay if profile flags marketing/e-marketing/cookies responsibility
- One sector overlay based on `sector_id`
- Final scenario assessment (always)
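The mapping above, combined with the durations and CPD values from the section 2 table, as an added example (not NureComp's code). The field names `is_dpo` and `marketing_responsibility`, the `sector:<id>` key format, and rejecting a profile with no `sector_id` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section 2 table as data: key -> (min minutes, max minutes, CPD points)
MODULES = {
    "foundations":      (25, 25, 0.5),
    "dpo":              (20, 20, 0.5),
    "processor":        (12, 12, 0.25),
    "special_category": (15, 15, 0.25),
    "marketing":        (12, 12, 0.25),
    "sector":           (10, 15, 0.25),   # the table gives a 10-15 min range
    "final_assessment": (15, 15, 0.5),
}

@dataclass(frozen=True)
class LearnerProfile:
    sector_id: Optional[str]                      # selects the single sector overlay
    is_dpo: bool = False                          # manual flag (hypothetical field name)
    handles_personal_data: bool = False
    handles_special_category_data: bool = False
    marketing_responsibility: bool = False        # hypothetical name for the marketing flag

def build_path(p: LearnerProfile) -> List[str]:
    """Return module keys in the order listed in section 3."""
    if not p.sector_id:
        # Assumption: fail closed instead of issuing a path with no sector overlay,
        # so an incomplete profile cannot produce a shorter training record.
        raise ValueError("sector_id is required to choose the sector overlay")
    path = ["foundations"]
    if p.is_dpo:
        path.append("dpo")
    if p.handles_personal_data:
        path.append("processor")
    if p.handles_special_category_data:
        path.append("special_category")
    if p.marketing_responsibility:
        path.append("marketing")
    path.append("sector:" + p.sector_id)
    path.append("final_assessment")
    return path

def totals(path: List[str]) -> Tuple[int, int, float]:
    """Sum (min minutes, max minutes, CPD points) over an assigned path."""
    rows = [MODULES[key.split(":")[0]] for key in path]
    return (sum(r[0] for r in rows), sum(r[1] for r in rows), sum(r[2] for r in rows))

if __name__ == "__main__":
    hr_lead = LearnerProfile("retail", handles_personal_data=True,
                             handles_special_category_data=True)  # constructed profile
    print(build_path(hr_lead), totals(build_path(hr_lead)))
```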
4. DUAA complaints procedure
From 19 June 2026, every controller must have a procedure for data subjects to complain to the controller (not just the ICO). NureComp documents the procedure shape in the foundations module + DPO overlay, and the evidence pack captures: procedure documentation, staff training records on the procedure, ICO escalation route, statutory timeframes.
5. Privacy posture
GDPR survey responses are visible to customer admin individually by default (Doc 30 §7.6) so the platform can target overlays (DPO, special-category, marketing) accurately. Customer admin can tighten to aggregate-only via /dashboard/settings/domains.