Our training and briefings are delivered by lawyers and data protection and privacy specialists that includes lawyers who have extensive experience in court as well as other privacy experts who have proven experience in helping organisations understand, plan and deliver on their GDPR challenges

We’ve seen a lot of misinformation in the public domain on what GDPR is and how to approach managing your obligations

Our briefings and awareness service provides you with information on how to address your privacy and GDPR challenges effectively and is delivered by a multidisciplinary team of lawyers and legal specialists, privacy experts, specialists in business operations, procurement and contract management as well as experienced IT and enterprise architects

Contact us to hear more about our executive briefings, awareness sessions and panel representation and discussions can help you

    I'm interested in the following:
    Workshops and Training
    GDPR Briefings
    GDPR Health Check
    GDPR Data and Purpose Review and Remediation
    GDPR Notifications Review and Remediation
    GDPR Data Subject Rights Review and Remediation
    EPA - Financial and Criminal Risk Quantification
    Partnering with gdpr360 as a reseller or white-labelling your services
    other ...

    Our objective is to encourage you to become competent. For a generous period after the course, you may re-take the test ‘for free’.

    Candidates are given feedback on incorrect answers, specifically referring to material GDPR Articles and/or course slides as relevant.

    Each course module references specific Articles and other documents that are examinable but too large or unwieldy to include within the course slides.

    No – this might enable gaming or unequal preparation, as well as excessive invigilation.

    That said, the exam context itself is designed to assist people in the workplace. Therefore we may provide each candidate with identical reference materials, such as a printed copy of the GDPR, and perhaps take-away aides memoire designed to save time in a business environment when required as an ‘expert’ to come up with a quick response.

    An average of circa 45 seconds is permitted per question, though this may vary.

    Accordingly, some ‘homework’ during (or even before!) the course is strongly recommended.

    You wouldn’t be much of a lawyer if you agreed with us on everything. So just do as you would in Court with a Supreme Court judge who thinks your masterfully crafted submission is of less value than what the judge masterfully crafts when going to the bathroom. Pretend to agree and move on, because there’s no appellate jurisdiction.

    Each exam is approximately 40 multiple-choice questions ‘randomly’ (with weighting) chosen by computer from a bank of circa 400 questions. Most of these, including the EPA and DPO courses, relate to the GDPR. Approximately 60% of these are tied directly to the text of the GDPR. The remainder are ‘problem-solving’ questions (such as ‘select the one of four presented scenarios for which a particular obligation does or does not apply’), or applications of analyses set out in the course (such as which data subject rights are ‘stackable’ or ‘prerequisites’ for each other).

    A sample certification question is presented and discussed at the end of each material module, along with the likely proportion of exam questions associated with the module, and specific references to any examinable material that is not on the course slides.

    It is more probable than not, that one of the sample questions will be on the exam.

    During the course, the course presenter will not know which questions (sample or otherwise) will be in the exam.

    All correct answers are scored 1. All incorrect answers are scored zero.

    The aggregate pass mark currently is 50%, equating to ‘competent’.

    An aggregate mark of 65% currently equates to ‘very competent’.

    An aggregate mark of 75% currently equates to ‘outstanding’.

    The standard of most questions is that of the Bar exams to which the course designer once was subject. Therefore the grade standard may be moderated/relaxed in the future (particularly as the designer has not yet scored better than 91% when tested against his own questions).

    So far as we are aware, nobody in the world can accredit GDPR certifications. We will secure accreditation as and when it becomes available.

    Nobody in the world, except for ourselves, can accredit EPA (Enterprise Privacy Architecture) certifications, but eventually (with our permission) that may change.

    The EPA is a technology as well as a methodology and is discussed during the 4 day GDPR Masterclass.

    Our courses are the only ones that teach EPA methodology.

    Our courses are the only ones that incorporate EPA methodology.

    Other courses are created and often presented by lawyers.

    Our courses are also created and presented by lawyers: but lawyers who are also very experienced IT or business managers from a former life. The EPA course eventually may be presented by non-practising lawyers or technical architects who have passed the GDPR course.

    Currently all of our courses are created by an international lawyer who also created the backend software engine used by the EPA PIA service.

    The course cost does not include any accommodation fees, however we have secured discounted rates at our Wyboston venue, details of how to book at this hotel will be sent within 48 hours of your order.

    Yes of course, if you are unable to pay via the site, we can issue a VAT invoice for the course, please just provide company details, address and a PO number if required to and we issue an invoice for payment. All payments must be received before the course begins.

    Unfortunately not, however if you can’t make a course date please let us know and we would be happy to offer you an alternative date.

    Yes, we offer discounts for group bookings. Please contact us at with details of how many students and the course dates and we can offer a discount code via the website or issue an invoice with a discount.

    FAQs from the EPA discussion during the 4-day GDPR Masterclass

    Its longer name is ‘Enterprise Privacy Architecture’ (EPA) ‘Privacy Impact Assessment’ (aka EPA PIA).

    EPA is a technology as well as a methodology, both of which are protected by a US patent.

    It reads and validates your own Enterprise Privacy Architecture (EPA), as specified and submitted by you to the service. It then produces one or several Data Protection Impact Assessments (DPIA), also known interchangeably as Privacy Impacy Assessment (PIA). PIAs/DPIAs are mandatory risk assessment documents required by the GDPR.

    Your EPA is a document stating, in formal language, your self-evaluation of what your company does with personal data. It also formally sets out your accepted risk policies and your legal advice in respect of jurisdictional risks and specific risks previously identified by the service.

    You don’t have to, the EPA service abstracts Brexit automatically.

    The UK jurisdictions will be within the EU for two years after Article 50 is triggered. After that they will be treated as outside the EU.

    Currently the service legal architecture metadata is configured so that for scenario dates (set by you in your Profile worksheet) up to and including March 31, 2019 (the UK PM’s deadline for Article 50 notification), the four jurisdictions will be treated as within the EU and EEA.

    From April 1, 2019 the four UK jurisdictions will be treated as outwith the EU and EEA.

    Similarly, the former Duchess of Normandy’s jurisdictions will be treated as remaining within the EEA and subject to GDPR Article 3(3) (or not) as per standard tests such as OCTA, the UN Non-Self-Governing List, and autonomy (more details available in the GDPR/EPA course).


    Note that Brexit will affect non-UK controllers as much as it affects UK controllers, insofar as they may deal in dataflows to or from the UK jurisdictions. Therefore, if you are planning your EPA to handle potentially Brexit-sensitive data flows to or from the UK’s jurisdictions, it is recommended the EPA service always be run twice for any and all such dataflows: once for a date after May 2018 but prior to Brexit, and once for April 1, 2019 or later.

    There are four worksheets in an EPA document:

    1. The ‘Enterprise Profile’ (Profile) sheet;
    2. The ‘Dataflows’ sheet;
    3. The ‘AcceptedRisks’ sheet; and
    4. The ‘CustomRules’ sheet.

    All of these worksheets are held, and submitted, within a single spreadsheet file in Excel 97-2003 format.

    A sample, unpopulated template for this spreadsheet may be found in xls

    An EPA similar to that of Use Case 1 may be found in xls

    First you set up your EPA worksheets;

    Then you submit your EPA to the service;

    Then you examine the service’s responses to your submission;

    Finally you follow the EPA methodology flow-chart, or a variant as appropriate to your enterprise, to determine how to deal to any new information discovered in respect of your IT projects, the supervisory authorities, your cyber-insurers, your DPO, your auditors, your Board, etc.

    Each cell of each EPA worksheet you submit to the service is tested for data quality, in respect of its own data format, its relationship to other data you have submitted, and data integrity. If any error is detected, no matter how harmless, the service cannot be sure of what you mean. Accordingly, instead of producing PIAs, thes service will respond to your submission with a context-sensitive ‘data quality error’. Such erroneous data is often replicated, so the service tries to evaluate every cell of every worksheet before reporting a complete list of data quality issues.

    Service users will not be charged for an erroneous submission or our data quality response. Instead, depending on your subscription level, a limit on erroneous submissions may be imposed.

    An error-free submission therefore is a submission in which no data quality issues have been raised by the service and the service therefore can succeed in producing PIAs for your dataflows.

    When you submit your EPA worksheets to the service, it considers your general enterprise profile, your risk profiles, and your legal advice. Against that background, for each of your specified processes (“data flows”) it then evaluates some of your prima facie business risks (quantified in local and group currency and in maximum custodial sentences for executives) in each jurisdiction material to the data flow.