Case Study

EU GDPR Training

Regulatory training for a global insurance firm

Customer Challenge

A global insurance company needed to set up a privacy training programme to demonstrate full compliance with Art. 5(2) (the ‘accountability principle’) of the EU General Data Protection Regulation (GDPR).

This training needed to cover a very wide variety of role-based education, taking into account the variations in local legislation. The client’s staff regularly deal with sensitive personal data, and therefore many business processes are, from a privacy perspective, considered to be vulnerable and high-risk.

How Citihub Consulting Helped

Citihub Consulting was engaged for 6 months to develop a global privacy training programme, including course materials and trainers, and to produce regular privacy awareness communications.

Citihub Consulting’s data privacy consultants delivered:

  • Engagement with Privacy Champions (within business and technology operations) to determine privacy training requirements;
  • A privacy training approach & plan for high-risk areas;
  • Comprehensive recorded web-based training courses covering topics such as Privacy Impact Assessments and Data Subject Requests;
  • A series of live training workshops on Data Subject Requests for the global Human Resources team;
  • A series of live training courses for business units and country Data Protection Officers;
  • A full set of template responses for different types of Data Subject Rights Requests;
  • GDPR training tailored to roles within the firm (e.g. Marketing, Compliance, Insurance Broking) and also tailored for EU country-specific privacy legislation;
  • A regular privacy awareness communication as well as staff communication and education ‘reminders’ (e.g. posters, notices on intranet).

With input from Citihub Consulting and working collaboratively with the customer, training was created and distributed in line with regulatory requirements.

Customer Benefits

  • Established training to cover regulatory accountability alongside local legislation in other countries, taking into account planned future legislative requirements
  • The customer now has reusable, compliant templates for responding to all Data Subject Requests
  • Delivered training in multiple EU countries to cover a variety of role-based needs. This ranged from general awareness communications to role-based training workshops
  • The customer is now compliant from a regulatory perspective