Welcome to
General Data Protection Regulation (GDPR)
with Cavity Training Ltd
© Cavity Training Ltd 2025
Course Details
Course Aims:
• What is GDPR?
• Understand the GDPR principles.
• Protect personal data.
• Risks when a breach occurs.
• Stay updated with data protection laws.
Course Objectives:
To ensure legal compliance is upheld. To empower individuals and companies to manage data protection correctly and ensure all are compliant with the law.
What is GDPR?
GDPR is there to make companies accountable for how they collect, store and dispose of personal data. It also gives us, as individuals, more control over how companies use our personal information.
GDPR
The General Data Protection Regulation is a comprehensive data protection law enacted by the European Union to safeguard individuals' personal data and privacy. It came into effect on 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC).
GDPR applies to organisations that process the personal data of individuals in the EU, regardless of where the organisation is located, where the processing relates to offering goods or services to those individuals or monitoring their behaviour.
Key Features of GDPR
Definition of Personal Data:
Any information that can identify an individual, directly or indirectly, such as names, addresses, email addresses, IP addresses, etc.
Special Category Data (often called sensitive data):
Includes racial or ethnic origin, health information, genetic data, biometric data used to identify someone, political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation. It may only be processed where one of the specific Article 9 conditions applies, in addition to a normal lawful basis.
Data Subject Rights
GDPR empowers individuals with rights over their data, including:
Right to Access: Request access to their data.
Right to Rectification: Correct inaccurate data.
Right to Erasure: Request data deletion.
Right to Restrict Processing: Limit how data is processed.
Right to Data Portability: Transfer data to another service provider.
Right to Object: Object to data processing in certain circumstances.
Key Features of GDPR
Data Breach Notification
Companies must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Affected individuals must be informed without undue delay where the breach is likely to result in a high risk to their rights. Every breach, reported or not, must be recorded internally.
Consent and Transparency
Consent is one of six lawful bases for processing, not the only one. Where a company relies on consent, it must be freely given, specific, informed and unambiguous, given before the data is collected, and as easy to withdraw as to give. Explicit consent is required where consent is used for special category data.
Global Reach
Organisations established in the EU.
Organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
7 Key Principles of GDPR
• Lawfulness, Fairness, and Transparency: Data must be processed legally, fairly, and transparently.
• Purpose Limitation: Data should only be collected for specified, explicit purposes.
• Data Minimisation: Collect only the data necessary for the purpose.
• Accuracy: Ensure data is accurate and kept up to date.
• Storage Limitation: Do not store data for longer than necessary.
• Integrity and Confidentiality (Security): Process data securely, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage.
• Accountability: Organizations must demonstrate compliance with GDPR.
Why is GDPR Important?
Reduces Risks: Helps companies prevent data breaches and misuse.
Protects Privacy: Safeguards individuals' rights in the digital age.
Fosters Trust: Builds confidence between companies and their customers.
Encourages Transparency: Promotes ethical data handling practices.
Penalties for Non-Compliance with UK GDPR
The UK GDPR enforces strict penalties for companies that fail to comply with its data protection standards. These penalties
are intended to promote accountability, safeguard personal data, and ensure individuals’ rights are protected.
Financial Penalties
Under UK GDPR, the Information Commissioner's Office (ICO) can impose fines up to one of two maximum amounts, depending on which provisions have been infringed. The amount actually imposed then depends on the seriousness of the infringement, the organisation's culpability and cooperation, and any mitigating factors.
Tier 1 – Higher Maximum
• Up to £17.5 million or 4% of annual global turnover, whichever is higher.
• Applies to infringements such as:
  • Failure to have a valid lawful basis, including failure to obtain valid consent where consent is relied on.
  • Inadequate response to data subject rights requests.
  • Non-compliance with the basic principles of data processing (e.g. lawfulness, transparency).
  • Unlawful international transfers of personal data.
Tier 2 – Standard Maximum
• Up to £8.7 million or 2% of annual global turnover, whichever is higher.
• Applies to infringements of controller and processor obligations such as:
  • Failing to maintain records of processing activities.
  • Not notifying the ICO or affected individuals of a data breach.
  • Inadequate technical or organisational measures to ensure data security.
Penalties for Non-Compliance with UK GDPR
Enforcement Notices and Corrective Measures
Before, or instead of, imposing a fine the ICO may issue:
Warnings: Alert companies to likely non-compliance, with time to rectify issues.
Reprimands: Highlight breaches without a financial penalty, focusing on improvement.
Enforcement Notices: Require companies to take specific corrective actions, or to stop a particular processing activity.
Criminal Penalties
In cases of deliberate misconduct, such as knowingly or recklessly obtaining or disclosing personal data without the controller's consent (section 170 of the Data Protection Act 2018), criminal charges may be pursued against the individual responsible.
Compensation Claims
Individuals can claim compensation from companies if they suffer material or non-material damage (e.g. financial loss or
distress) due to GDPR breaches.
Penalties for Non-Compliance with UK GDPR
Examples of Common Violations
Processing data without a lawful basis.
Failing to report data breaches within 72 hours.
Ignoring data subjects’ rights requests, such as access or erasure.
Inadequate safeguards for cross-border data transfers.
How to Avoid Penalties
To stay compliant with UK GDPR, companies should:
Conduct regular risk assessments and audits.
Train staff on data protection best practices.
Implement robust technical and organizational measures to safeguard data.
Maintain clear and accurate records of processing activities.
Respond promptly to data breaches and data subject requests.
Non-compliance with UK GDPR can lead to severe financial and reputational damage. Organizations must prioritize data
protection and invest in compliance measures to mitigate risks and ensure the safety of personal data.
Does the GDPR still apply to the UK?
The EU GDPR is an EU Regulation and, since the end of the Brexit transition period, no longer applies directly in the UK.
If you operate in the UK, you need to comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018).
The provisions of the EU GDPR were incorporated directly into UK law as the UK GDPR, so there is little change to the core data protection principles, rights and obligations.
On 28 June 2021, the EU adopted adequacy decisions for the UK under the EU GDPR and the Law Enforcement Directive (LED). This means personal data can continue to flow from the EU and EEA to the UK as it did before, in most circumstances.
Both decisions contain a sunset clause: they were set to expire on 27 June 2025 unless renewed, so check the ICO website for their current status.
This guidance is aimed at UK businesses that receive data from, or have offices in, the EU and European Economic Area (EEA). It gives a basic overview of the changes to data protection since the UK left the EU and obtained an adequacy decision.
Why Were GDPR Rules Changed in the UK?
The GDPR rules in the UK were modified because of the country's exit from the European Union, commonly known as Brexit. The UK left the EU on 31 January 2020 and, when the transition period ended on 31 December 2020, ceased to be directly subject to EU law, including the General Data Protection Regulation. To maintain data protection standards and ensure continuity, the UK incorporated the GDPR into domestic law with changes to tailor it to its post-Brexit legal framework.
By implementing these changes, the UK ensured a smooth transition post-Brexit while maintaining robust data protection standards and supporting international collaboration.
Key Reasons for the Changes
Brexit Transition
The UK needed its own legislation to govern data protection after leaving the EU.
The EU GDPR was incorporated into UK law as the UK GDPR with modifications to reflect the UK’s independent status.
Maintaining Data Protection Standards
The UK GDPR ensures that the high standards of the EU GDPR are retained to protect individuals' personal data and privacy.
It aims to preserve public trust in data handling practices across various sectors.
Cross-Border Data Transfers
The changes address how data is transferred between the UK and other countries, including EU member states.
The EU granted the UK an adequacy decision, allowing for the free flow of personal data between the UK and the EU.
UK-Specific Adjustments
References to EU institutions and legislation were replaced with UK equivalents (e.g. the Information Commissioner's Office (ICO) handles enforcement in the UK). Tailored rules were introduced to reflect the UK's governance and legal system.
Flexibility for Domestic Policy
By having its own version of GDPR, the UK gains flexibility to adjust data protection laws in response to national priorities, technological advancements and global trends.
Key Changes in UK GDPR
Adequacy Decisions: The UK can independently make its own adequacy regulations for non-EU countries, allowing personal data to be sent to them without further safeguards.
International Data Transfers: UK-specific provisions govern transfers of personal data to countries outside the UK, including EU member states.
Legal Framework: The Data Protection Act 2018 (DPA 2018) works alongside the UK GDPR to regulate data protection in the UK.
Supervisory Authority: The ICO is responsible for enforcing the UK GDPR instead of EU authorities.
Impact of the Changes
For Individuals: Minimal changes; personal data rights remain largely the same.
For Businesses: Companies must ensure compliance with both UK GDPR and, where applicable, EU GDPR for cross-border operations.
For Global Relations: The UK GDPR allows the UK to establish its own data protection partnerships while aligning with global standards.
Example of a Company Breaking UK GDPR
Company: British Airways (BA)
Year: 2018
Issue: Data Breach
Between June and September 2018, British Airways suffered a cyberattack that compromised the personal and financial information of approximately 400,000 customers.
The attackers gained access to BA's network and inserted malicious code into the payment pages of BA's website, so that data entered by customers, including names, email addresses and payment card details (including CVV numbers), was copied to a fraudulent site under the attackers' control. Along the way they found a privileged administrator password stored unprotected on a server and used it to escalate their access.
The breach occurred because of inadequate security measures to protect customer data.
BA later settled a legal claim brought by some of the affected customers, but did not admit liability.
What happened next?
The ICO initially proposed a fine of £183 million in 2019, reflecting the severity of the breach and the impact on customers.
The ICO found that British Airways had failed to implement appropriate security measures, such as robust access controls and protection of stored credentials, which could have prevented the attack or limited its impact.
BA was also criticised for not detecting the breach itself (it was alerted by a third party) and for the delay in informing affected customers and the ICO.
After considering mitigating factors, including BA's cooperation during the investigation and the financial strain caused by the COVID-19 pandemic, the final fine was set at £20 million in October 2020.
Despite the reduction, this remains one of the largest penalties issued by the ICO under the GDPR regime.
Lessons learned from this breach:
Enhanced Security: Organisations must ensure their systems are regularly updated, privileged credentials are protected, and their web applications are monitored for unauthorised changes.
Data Breach Reporting: Breaches must be reported to the ICO and affected individuals promptly.
Accountability: Companies must take proactive steps to comply with GDPR requirements and protect customer data.
Impact on British Airways
Reputational Damage: The breach led to significant public criticism and a loss of customer trust.
Financial Costs: In addition to the fine, BA faced legal action, and compensation claims from affected customers.
Operational Changes: The incident prompted BA to overhaul its cybersecurity measures to prevent future breaches.
This is a clear example of the importance of robust cybersecurity and compliance with GDPR. Companies that fail to protect personal data risk not only hefty fines but also long-term damage to their reputation and customer trust.
Data Protection Act
The first Data Protection Act (DPA) was passed by Parliament in 1998. It was replaced by the Data Protection Act 2018 (DPA 2018), which is designed to regulate how personal data is collected, used, stored and shared by companies, ensuring the protection of individuals' privacy. It works alongside the UK GDPR to provide a comprehensive data protection framework.
While the UK GDPR governs general data protection in the UK, the DPA 2018 complements it by providing UK-specific exemptions and clarifications. It addresses areas like law enforcement, national security and public interest. Together, they create a robust framework for protecting personal data in the UK.
The Data Protection Act is important as it ensures individuals' data is handled securely and ethically. It promotes trust by encouraging confidence in companies' data handling practices. The DPA holds companies accountable for data misuse or breaches. It aligns with global standards, ensuring compatibility with international data protection laws such as the EU GDPR.
Technology
• Since the DPA was introduced, technology has changed.
• How often do we write letters or communicate by calling a friend or family member on a landline?
• How many people still have a landline telephone, or would even know their own telephone number?
• How many of us have swapped from physically going into a supermarket or high street boutique to shopping online?
Technology nowadays underpins most of our daily activities:
• Internet browsing
• Mobile phones
• Online banking
• Online shopping
• Social media
Every device we log into and every website we type personal information into is a point at which that data can be exposed or misused. We must therefore take extra care, as there are dangers associated with modern technology and the way our personal data can be misused.
To be as safe as possible we need to put measures in place:
• Encryption, both of devices and of data sent over networks
• Anti-virus software, kept up to date
• Strong, unique passwords, kept safe: use a password manager rather than reusing passwords or leaving them written down where others can read them
Cyber Attacks
In 2024, the UK experienced a notable increase in cyber attacks, including phishing scams, ransomware attacks and data breaches. The UK government's Cyber Security Breaches Survey 2024 provides statistics on cyber attacks in the UK. The National Cyber Security Centre (NCSC) reported handling 430 significant incidents between 1 September 2023 and 31 August 2024, up from 371 in the previous year.
The survey indicates that approximately 22% of UK businesses experienced cybercrime within the past year. The impact was more pronounced among larger organisations, with about 58% of large companies reporting cybercrime incidents.
Number of attacks: In 2023-24, UK businesses experienced about 7.78 million cyber crimes.
Type of attacks: Phishing was the most common type of attack, reported by 84% of the businesses that identified an attack. Ransomware attacks also increased by 70%.
Impact on businesses: Over 50% of UK businesses experienced a cyber attack or breach, and the average cost was put at £3,230.
Impact on consumers: UK residents received over 208 million scam emails.
Impact on education: There was a 55% increase in cyber incidents in education.
ICO – Information Commissioner's Office
The Information Commissioner's Office (ICO) is the UK's independent authority responsible for upholding information rights and promoting good data protection practices. It ensures that individuals' personal information is handled lawfully, securely and transparently by companies.
Enforcing Data Protection Laws: The ICO oversees compliance with the UK GDPR and Data Protection Act 2018. It investigates breaches and ensures companies handle personal data responsibly.
Promoting Privacy Rights: It protects individuals' rights, such as the right to access, correct or erase their personal data, and offers guidance on how individuals can exercise these rights.
Guidance and Support: It offers advice and resources to help companies comply with data protection laws, publishing codes of practice, toolkits and FAQs to simplify complex regulations.
Regulating Freedom of Information (FOI): It ensures public authorities comply with the Freedom of Information Act 2000, which grants public access to certain information held by public organisations.
ICO – Information Commissioner's Office
Monitoring Marketing Practices: It enforces the laws on unsolicited marketing communications, including texts, emails and calls, under the Privacy and Electronic Communications Regulations (PECR).
Cybersecurity and Data Breach Management: It provides guidance on managing and reporting data breaches, investigates serious breaches and can impose fines for non-compliance.
Powers of the ICO
• Conduct audits and investigations into data handling practices.
• Issue fines for non-compliance, which can reach up to £17.5 million or 4% of global annual turnover, whichever is higher.
• Require companies to take corrective actions, such as improving data security measures.
• Publish reprimands for companies that breach the regulations.
ICO – Information Commissioners Office
Examples of ICO Actions
•British Airways: Fined £20 million in 2020 for failing to protect customer data during a cyberattack.
•TikTok: Fined £12.7 million in 2023 for mishandling children’s data.
•Public Sector: Regularly advises government bodies on FOI compliance and transparency.
Why Is the ICO Important?
•Protects Individual Privacy: Ensures companies respect personal data rights.
•Promotes Trust: Encourages ethical data practices, fostering public trust.
•Supports Businesses: Offers practical guidance to help companies meet compliance standards.
•Enhances Accountability: Holds companies accountable for poor data protection practices.
11 Steps to Prepare for GDPR
Review Consent Practices
If you rely on consent for processing, make sure it is freely given, specific, informed and unambiguous (explicit for special category data), and keep a record of when and how it was given. Provide easy ways for individuals to withdraw their consent.
Strengthen Data Security Measures
Implement appropriate technical and organisational measures to protect personal data, including encryption, access
controls, and regular security audits.
Raise Awareness
Educate all staff about GDPR requirements and their impact on the company. Ensure they understand the importance of protecting personal data.
Establish a Legal Basis for Processing
Ensure all personal data processing has a valid legal basis, such as consent, contractual necessity, or compliance with legal
obligations.
Audit Data Processing Activities
Identify and document the personal data you collect, process, and store. Record where it comes from, how it’s used, and
where it’s shared.
11 Steps to Prepare for GDPR
Update Privacy Policies and Notices
Review and revise your policies to ensure they are transparent and provide clear, concise information about how personal
data is processed. Include the legal basis for processing, retention periods, and individual rights.
Enable Data Subject Rights
Ensure processes are in place to handle requests from individuals to exercise their rights under GDPR, such as access,
rectification, erasure, and data portability.
Appoint a Data Protection Officer (DPO)
Appoint a DPO to monitor GDPR compliance, provide advice and act as a point of contact for data subjects and regulators. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data; other organisations may appoint one voluntarily.
Conduct Data Protection Impact Assessments (DPIAs)
For high-risk processing activities, carry out DPIAs to identify and mitigate potential risks to personal data and privacy.
Prepare for Data Breaches
Develop a plan for detecting, reporting and managing data breaches. GDPR requires breaches that are likely to result in a risk to individuals to be notified to the supervisory authority within 72 hours of becoming aware of them, and every breach, reported or not, to be recorded.
Maintain Documentation and Compliance Records
Keep detailed records of your data processing activities, risk assessments, and compliance efforts. Regulators may request
these during audits or investigations.
The Role of a Data Compliance Officer (DCO)
The Data Compliance Officer (DCO) is responsible for ensuring a company adheres to legal and regulatory requirements concerning data protection and privacy. Unlike the DPO, the role is not mentioned in GDPR; in practice it often overlaps with or complements that of a DPO in companies focused on compliance.
Ensure Regulatory Compliance
Monitor compliance with applicable data protection laws, including GDPR. Stay updated on changes to data privacy
regulations and advise the company on necessary adjustments.
Data Subject Requests
Manage and respond to requests from individuals exercising their rights under data protection laws, such as access, rectification or deletion.
Develop and Implement Policies
Draft and enforce data protection policies and procedures ensuring these policies are communicated effectively across
the company.
Training and Awareness
Train employees on data protection policies and best practices. Promote a culture of compliance within the company.
The Role of a Data Compliance Officer (DCO)
Risk Assessment and Mitigation
Conduct risk assessments to identify vulnerabilities in data processing activities and if needed recommend and implement
measures to mitigate identified risks.
Data Protection Impact Assessments (DPIAs)
Oversee the execution of DPIAs for high-risk data processing activities. Providing recommendations to reduce privacy risks
identified during DPIAs.
Incident Response and Breach Management
Develop and manage procedures for responding to data breaches. Ensure timely notification to regulatory authorities and affected
individuals when required.
Liaison with Regulators
Act as the primary point of contact for data protection authorities. Assist with audits or investigations conducted by regulatory
bodies.
The Role of a Data Compliance Officer (DCO)
Monitoring Data Handling Practices
Regularly review and audit data collection, storage, and processing practices to ensure compliance.
Documentation and Reporting
Maintain detailed records of data processing activities, privacy impact assessments, and compliance measures.
Report compliance status to senior management or the board.
The difference between a DCO and a DPO: the DPO is a role mandated by GDPR for certain organisations (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data), focusing on ensuring compliance with GDPR specifically. The DPO must be able to act independently and reports to the highest level of management.
The DCO may have a broader scope, addressing data compliance across multiple regulatory frameworks beyond GDPR, depending on the company's needs.
Both roles are vital for ensuring that a company respects individuals' privacy rights and handles personal data responsibly.
The Role of a Data Processor
A data processor is a person or organisation that processes personal data on behalf of a data controller, under the instructions provided by the controller. The role is defined in Article 4(8) of the GDPR. Processors do not decide the purposes or means of the processing; they act on the controller's documented instructions. A processor that starts deciding the purposes itself becomes a controller for that processing, with a controller's liabilities.
Under GDPR, processors can be held directly liable. If a processor fails to meet its own obligations or acts outside the controller's lawful instructions, it may face regulatory fines and compensation claims from affected individuals.
Obligations of a data processor:
• Follow the data controller's instructions
• Engage sub-processors only with the controller's consent
• Keep records of processing
• Notify the controller of data breaches without undue delay
• Maintain data security
• Support accountability
• Avoid using the data for its own purposes
• Assist the data controller, for example with data subject requests and DPIAs
• Delete or return the data at the end of the service
• Comply with cross-border data transfer rules
Personal Data
Within the Dental Practice the information
collected would be:
• Name
• Gender
• Address
• DOB
• GP name and address
Special category data collected could include:
• Medical History
• Medical & Dental records
• Ethnic origin
• Religion
• Health
• Sexual orientation
• Hep B status
Personal Data
Personal data should only be seen by those who need to see it and should not be shared with a third party unless required by law, or to refer the patient to an outside clinician for treatment, or to a finance company the patient has chosen to use.
If you are an NHS practice and use the NHS portals, it is safe to send referrals electronically through them.
If a member of staff breaches GDPR but fails to inform the Data Protection Officer, they can face disciplinary and dismissal procedures.
Send data pseudonymously: put a unique reference number on the clinical information and send the patient's name separately, so that neither message on its own links the patient's identity to their clinical details.
Email can be intercepted or sent to the wrong address. If you use this method and personal data is exposed, you will need to report the breach to the ICO within 72 hours of becoming aware of it.
Before referring you must inform the patient that you are doing so. You will need their agreement to share their data with the third party, and they must be told who the third party is and why their data is being shared.
Processing personal data means any operation performed on it: collecting, using, storing, sharing and destroying.
Most of the time, shared data will be sent electronically. Patients can also transport the data themselves and hand it to the third party in person. If you send data electronically you need to ensure protection is in place, such as an encrypted service.
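The referral method described above (a unique reference on the clinical information, the patient's identity sent separately), as an added example that is not part of the course material. It is Python using only the standard library and assumes the practice keeps the reference-to-patient mapping in its own system (a plain dictionary stands in for that store here); the field names and the patient record are constructed. It also shows the check a practitioner would want before sending: scanning the outgoing payload for identifiers that have been copied into free-text notes.

```python
"""Pseudonymised referral (added example, not part of the course material).

Splits a referral into (1) a clinical payload that carries only a random
reference number and (2) a linking record, kept by the practice, that maps the
reference back to the patient. The payload goes to the third party; the
identity goes separately. Field names and the sample patient are constructed.
"""
from __future__ import annotations

import secrets
from datetime import datetime, timezone

# Fields that identify the patient directly; they must not travel inside the
# clinical payload. Constructed list for this example: extend it to match the
# fields in your own practice management system.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "dob", "address", "nhs_number", "gp_name", "gp_address", "email", "phone"}
)


def pseudonymise_referral(record: dict, link_store: dict) -> tuple[str, dict]:
    """Return (reference, payload); write the reference->identity mapping to
    link_store, which the practice keeps apart from anything it sends."""
    # 128 random bits: unguessable and carrying no information about the patient,
    # unlike a sequential patient number or a plain hash of the NHS number.
    reference = secrets.token_hex(16)
    payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    payload["reference"] = reference
    link_store[reference] = {
        "identity": {k: record[k] for k in DIRECT_IDENTIFIERS if k in record},
        "created": datetime.now(timezone.utc).isoformat(),
    }
    return reference, payload


def leaked_identifiers(payload: dict, record: dict) -> set[str]:
    """Pre-send check: identifier fields present as keys, or identifier values
    copied into free text (a clinician typing the name into the notes)."""
    leaked = set(payload) & DIRECT_IDENTIFIERS
    text = " ".join(str(v) for v in payload.values()).lower()
    for field in DIRECT_IDENTIFIERS:
        value = str(record.get(field, "")).lower()
        if value and value in text:
            leaked.add(field)
    return leaked


def reidentify(reference: str, link_store: dict) -> dict | None:
    """Practice-side lookup when the specialist replies quoting the reference."""
    entry = link_store.get(reference)
    return None if entry is None else entry["identity"]


# Constructed sample record (not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1990-04-12",
    "address": "1 Example Street, Exampletown",
    "nhs_number": "943 476 5919",
    "gp_name": "Dr Example",
    "reason": "Specialist endodontic assessment",
    "tooth": "UR6",
    "medical_history": "Penicillin allergy",
    "hep_b_status": "Immune",
}


def demo() -> dict:
    """Run the flow once and return what happened so it can be checked."""
    link_store: dict = {}
    ref, payload = pseudonymise_referral(SAMPLE_RECORD, link_store)
    # The common mistake: the patient's name typed into a free-text field.
    careless = dict(payload, notes="Discussed with Jane Example by phone")
    return {
        "payload_keys": sorted(payload),
        "clean_leaks": leaked_identifiers(payload, SAMPLE_RECORD),
        "careless_leaks": leaked_identifiers(careless, SAMPLE_RECORD),
        "identity": reidentify(ref, link_store),
        "unknown": reidentify("not-a-reference", link_store),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The clinical payload still contains special category data (medical history, hepatitis B status), so it must still travel over an encrypted channel; pseudonymisation reduces the harm if a message goes astray, it does not remove the need to protect it.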
Privacy Rights for the Individual
The DCO can refuse an individual access to their records only where the request is manifestly unfounded or excessive, and the DCO must be able to demonstrate why they have refused.
GDPR allows an individual to object to the processing of their personal information for marketing, sales or other non-service-related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data; an objection to direct marketing must always be honoured.
There is now no charge levied on the person requesting access to their records, or for copies, except where a request is manifestly unfounded or excessive.
Under the GDPR (in force since 2018), when an individual requests access to their records the company must respond within one month, extendable by up to two further months for complex or numerous requests provided the individual is told within the first month. The Data Protection Act 1998 set the timescale at 40 days.
Privacy Rights for the Individual
The right to object
Rights in relation to automated decision making and profiling
The right to data portability
The right of access
The right to be informed
The right to rectification
The right to restrict processing
The right to erasure
Your Responsibilities
There should be a person in your practice whose job is to monitor, inform and advise. They will be responsible for tracking changes in data protection law and making all staff aware of them.
Annual updates and training are recommended.
Dental records should be retained for 11 years (from the last treatment) for adults.
For children, records are kept until the patient is 25 years old or for 11 years, whichever is longer.
NHS guidance gives a retention period of 6 years for staff records.
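The deadlines in this course (72 hours for breach notification, one month for a subject access request, and the adult and child retention periods stated above) turned into code, as an added example that is not part of the course material. It is Python using only the standard library. The one-month calculation follows the ICO's rule that the deadline is the corresponding date in the next month, or the last day of that month if there is none; the retention rule implemented is the one stated on this page (11 years for adults; for children, the later of the 25th birthday and 11 years), so check it against your own records management policy. All dates in the demo are constructed.

```python
"""Compliance clocks for a dental practice (added example, not course material).

Three deadlines from the course, using only the standard library:
  * breach notification to the ICO: 72 hours from becoming aware;
  * subject access request (DSAR): one calendar month from receipt;
  * dental record retention: 11 years for adults; for a child, the later of the
    25th birthday and 11 years (the rule as stated in the course).
All dates used in demo() are constructed.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, timedelta


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """The 72-hour clock starts when the practice becomes aware of the breach,
    not when the cause is found, and runs through weekends and bank holidays."""
    return aware_at + timedelta(hours=72)


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later; if that day does not exist in the target
    month (31 Jan + 1 month), fall back to the last day of that month (ICO rule)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def dsar_deadline(received: date, complex_or_numerous: bool = False) -> date:
    """One month from receipt. For complex or numerous requests the period may be
    extended by up to two further months, but the requester must be told of the
    extension within the first month."""
    return add_months(received, 3 if complex_or_numerous else 1)


def add_years(d: date, years: int) -> date:
    """29 February rolls back to 28 February when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def record_retention_until(dob: date, last_treatment: date) -> date:
    """Adults: 11 years from the last treatment.
    Children (under 18 at the last treatment): 25th birthday or 11 years,
    whichever is later."""
    eleven_years_on = add_years(last_treatment, 11)
    if age_on(dob, last_treatment) < 18:
        return max(add_years(dob, 25), eleven_years_on)
    return eleven_years_on


def due_for_destruction(dob: date, last_treatment: date, today: date) -> bool:
    """True once the retention period has passed; the record should then be
    securely destroyed rather than kept 'just in case' (storage limitation)."""
    return today > record_retention_until(dob, last_treatment)


def demo() -> dict:
    """Worked values on constructed dates, returned so they can be checked."""
    return {
        # Breach noticed on a Friday evening: the deadline is Monday evening.
        "breach": breach_notification_deadline(datetime(2025, 6, 6, 17, 30)),
        # Request received 31 January: there is no 31 February, so 28 February.
        "dsar_jan31": dsar_deadline(date(2025, 1, 31)),
        "dsar_jan31_extended": dsar_deadline(date(2025, 1, 31), complex_or_numerous=True),
        "dsar_leap": dsar_deadline(date(2024, 1, 31)),
        "dsar_year_end": dsar_deadline(date(2025, 12, 15)),
        # Child treated at 12: the 25th birthday is later than 11 years.
        "child": record_retention_until(date(2010, 3, 10), date(2022, 6, 1)),
        # Child treated at 16: 11 years is later than the 25th birthday.
        "older_child": record_retention_until(date(2007, 6, 15), date(2024, 6, 1)),
        # Born and last treated on 29 February: both dates roll back to 28 February.
        "leap_child": record_retention_until(date(2004, 2, 29), date(2020, 2, 29)),
        # Adult: plain 11 years.
        "adult": record_retention_until(date(1980, 1, 1), date(2022, 6, 1)),
        "overdue": due_for_destruction(date(1980, 1, 1), date(2010, 1, 1), date(2021, 1, 2)),
        "not_overdue": due_for_destruction(date(1980, 1, 1), date(2010, 1, 1), date(2021, 1, 1)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The 72-hour and one-month clocks both start from an event the practice has to record (when it became aware, when the request arrived), so the date of that event should be logged at the time rather than reconstructed later.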
Your practice should also conduct risk assessments. These will highlight any risk of GDPR being breached.
Some things to consider:
• What data is collected?
• How is it stored?
• How is it destroyed?
• How long do you store it for?
• Who has access to the information?
How does AI affect GDPR?
The use of Artificial Intelligence (AI) is becoming more popular. It introduces unique challenges and considerations under the
General Data Protection Regulation (GDPR). AI systems often involve processing large volumes of personal data, which
must comply with GDPR principles to protect individuals' privacy and rights.
Transparency and Explainability
GDPR requires companies to be transparent about how personal data is processed. AI systems, particularly complex ones
like machine learning models, often operate as "black boxes," making it difficult to explain their decisions or predictions.
Challenge: Explaining how an AI system makes decisions in a way that users can understand.
Solution: Implement interpretable AI models or provide clear documentation about how data is processed, and decisions are
made.
How does AI affect GDPR?
Data Minimisation
GDPR mandates that only the necessary data should be collected for a specific purpose. AI systems often require large
datasets for training, which may conflict with this principle.
Challenge: Balancing the need for extensive data to improve AI models with the requirement to limit data collection.
Solution: Use techniques like synthetic data generation or anonymisation.
Fairness and Non-Discrimination
GDPR's fairness principle, together with its restrictions on solely automated decisions that have legal or similarly significant effects (Article 22), means processing must not produce unjustified discriminatory outcomes. AI models can inadvertently perpetuate or amplify biases present in the training data.
Challenge: Ensuring AI decisions do not lead to unfair discrimination, particularly in sensitive areas like hiring, credit
scoring, or law enforcement.
Solution: Conduct bias audits and adopt fairness-aware machine learning techniques.
How does AI affect GDPR?
Lawfulness of Processing and Consent
AI systems must have a lawful basis for processing personal data, such as consent or legitimate interest.
Challenge: Obtaining meaningful consent for data used in AI, especially when data may be reused for different purposes.
Solution: Be explicit about how data will be used and provide options for users to withdraw consent.
Data Subject Rights
Individuals have rights under GDPR, such as access, rectification, erasure, and portability of their data.
Challenge: Ensuring AI systems can accommodate requests like erasing data or modifying inaccurate information.
Solution: Design AI systems with built-in mechanisms to facilitate compliance with data subject rights.
Best Practices for AI and GDPR Compliance
Conduct Data Protection Impact Assessments (DPIAs)
Assess potential risks to individuals’ privacy before implementing AI systems.
Anonymise or Pseudonymise Data
Reduce the risks associated with data breaches or unauthorised access.
Maintain Accountability
Document AI processing activities and demonstrate compliance with GDPR principles.
Regular Auditing and Monitoring
Periodically review AI systems for fairness, transparency, and compliance with GDPR.
Adopt Privacy-by-Design
Embed data protection into the development and deployment of AI systems.
How does AI affect GDPR?
AI amplifies the importance of GDPR by raising complex ethical, legal and technical issues related to data protection. Companies using AI must adopt proactive measures to align with GDPR principles, ensuring that AI systems respect individuals' rights and foster trust.
Key Things to Remember
The data controller is accountable for compliance; the Data Protection Officer monitors, informs and advises
Security measures in place for all software and systems that hold personal data
Keep up to date with any changes regarding GDPR
Personal data breaches must be assessed and, where they pose a risk to individuals, reported to the ICO within 72 hours; every breach must be recorded, reported or not
A data processor processes data on behalf of the data controller, under the controller's instructions
Links
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
https://www.ncsc.gov.uk/information/gdpr
https://ico.org.uk/
https://www.gov.uk/data-protection
https://gdpr-info.eu/
Thank You
for taking
part in this course
Written by
Cavity Dental Staff
Created in 2025
Reviewed bi-annually