In 2024, 50% of UK businesses reported experiencing a cyber security breach or attack in the previous 12 months, according to the Department for Science, Innovation and Technology’s Cyber Security Breaches Survey. For medium and large businesses, that figure climbed to over 70%. The most common attack type? Phishing.
Cyber security is often treated as the IT department’s problem. It is not. A receptionist clicking a phishing link, a finance officer emailing card data to the wrong recipient, a manager reusing the same password across six systems: these are the incidents that lead to data breaches, regulatory fines, and lost customer trust. Most breaches do not begin with a sophisticated attacker defeating technical controls. They begin with an employee who was never trained making an avoidable mistake.
This post covers three courses that together give your workforce the knowledge to handle digital threats, personal data, and payment card information properly: Cyber Security, Data Protection and UK GDPR, and PCI DSS.
Phishing is the UK’s biggest cyber threat
Phishing is a type of social engineering attack where criminals impersonate trusted organisations or individuals to trick people into revealing sensitive information, clicking malicious links, or transferring money. It arrives by email, text message (smishing), phone call (vishing), and increasingly through messaging apps and social media.
The 2024 Cyber Security Breaches Survey found that, of the UK businesses that identified a breach or attack, 84% said it involved phishing. That makes it by far the most common vector.
Phishing works because it targets human behaviour, not technical vulnerabilities. A well-crafted phishing email can bypass spam filters, mimic a genuine supplier invoice, and pressure a staff member into clicking before thinking. The signs are often subtle: a sender domain that is one character off the real one (a digit 1 in place of a letter l, or an extra hyphen), a display name that says “Accounts Team” while the underlying address belongs to an unrelated domain, an unusual sense of urgency, or a request to “verify your account” via a link whose visible text names the real company but whose destination is a spoofed login page. Hovering over a link before clicking, and checking the actual sender address rather than the display name, catches most of these.
The Cyber Security course dedicates an entire module to recognising phishing and social engineering attacks. It takes one hour to complete and covers common cyber threats, password security and multi-factor authentication, safe browsing and email practices, protecting devices and data, and how to respond to a cyber incident. Every employee who uses a computer, phone, or tablet at work should complete it.
UK GDPR: the seven principles and the 72-hour rule
The UK General Data Protection Regulation and the Data Protection Act 2018 govern how organisations collect, store, use, and dispose of personal data. The Information Commissioner’s Office (ICO) enforces these rules and can impose fines of up to £17.5 million or 4% of annual global turnover, whichever is greater.
UK GDPR is built on seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These apply to every organisation that processes personal data, whether that is customer booking details, employee payroll records, or supplier contact lists.
The 72-hour rule matters most in practice. When a personal data breach occurs (a misdirected email, a lost laptop, a ransomware attack exposing customer records) and it is likely to result in a risk to people’s rights and freedoms, the organisation must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Breaches that are unlikely to result in such a risk do not have to be reported, but every breach must be recorded internally, and a report can be submitted in stages if the facts are still emerging. The ICO treats an organisation as aware once an employee has a reasonable degree of certainty that an incident has occurred, so the clock effectively starts when a member of staff notices the breach, not when it reaches a manager or DPO. Staff who do not know what a data breach looks like, or who to report it to, put the whole organisation at risk of missing that deadline.
The Data Protection and UK GDPR course runs through the legal framework in detail across 2-3 hours. It covers the seven principles, lawful bases for processing, individual rights under UK GDPR, data handling and retention, consent and privacy notices, and how to recognise and report breaches. It is designed for anyone who handles personal data, which in practice means almost everyone.
PCI DSS: protecting payment card data
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council, which was founded by Visa, Mastercard, American Express, Discover, and JCB, to protect cardholder data. Any organisation that accepts, processes, stores, or transmits card payment data is required by its card brand and acquiring bank agreements to comply. That includes restaurants, hotels, retailers, and any business with a card terminal or online payment system.
PCI DSS has 12 core requirements, grouped into six categories: build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Non-compliance can result in fines from the card brands, usually passed on through the acquiring bank, increased transaction fees, and in serious cases, losing the ability to process card payments entirely.
Staff do not need to memorise all 12 requirements. But they do need to understand the basics: never write down full card numbers, never send card data by email or messaging apps, never store card details in spreadsheets or notes, never record the three- or four-digit security code (CVV) anywhere, even on paper, since PCI DSS prohibits keeping it after a transaction is authorised, and report anything suspicious immediately. Where a card number must be shown, for example on a receipt, it should be masked so that only the last four digits are visible.
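Training tells staff not to keep card numbers in spreadsheets; a periodic scan of shared drives, mailboxes and exports is how a business checks whether that rule is actually being followed. The following is an added example written for this post, not code from the original page or from Chefs Bay Academy. It scans text for candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), validates them with the Luhn checksum so that order references and phone numbers are not flagged, and reports each hit masked to its last four digits. The sample spreadsheet export and the booking references in it are constructed, and the card numbers are the standard Visa and Mastercard test numbers, not real cards.

```python
"""Find and mask payment card numbers (PANs) in text.

Added example, not code from the original post or from Chefs Bay Academy.
The sample data below is a constructed spreadsheet export; the card numbers
are publicly documented test numbers, not real cards.
"""
import re

# 13 to 19 digits, each optionally followed by a space or dash, not glued
# to other digits on either side.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def guess_brand(digits: str) -> str:
    """Rough brand guess from the leading digits (enough for a report)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask(digits: str) -> str:
    """Keep only the last four digits, the most a receipt should show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """Return one record per Luhn-valid card number found, with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # A run of one repeated digit passes Luhn but is never a real PAN.
            if len(set(digits)) == 1 or not luhn_valid(digits):
                continue
            findings.append({"line": line_no, "masked": mask(digits), "brand": guess_brand(digits)})
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form, leaving other numbers alone."""
    def replace(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1 or not luhn_valid(digits):
            return m.group(0)
        return mask(digits)
    return PAN_PATTERN.sub(replace, text)


# Constructed sample: a CSV export of a bookings spreadsheet in which two
# staff members have pasted full card numbers into the "card" column.
SAMPLE_EXPORT = """\
booking_ref,guest,card,notes
BK-2024-0001,A Patel,4111 1111 1111 1111,paid in full
BK-2024-0002,J Okafor,,invoice 1234567890123456 sent
BK-2024-0003,M Evans,5555-5555-5555-4444,call 07700 900123 re deposit
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['brand']} card {hit['masked']}")
    print(redact(SAMPLE_EXPORT))
```

On the sample, the scan reports the Visa number on line 2 and the Mastercard number on line 4, while the 16-digit invoice number (which fails the Luhn check) and the 11-digit phone number are left alone. The same `redact` function is the kind of check an outbound mail filter applies to enforce the “never send card data by email” rule.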
The PCI DSS course covers these requirements in one hour. It is designed for finance staff, retail employees, managers, and anyone who handles or has access to card payment data.
How these three courses work together
Cyber threats, data protection law, and payment security overlap in ways that make training in just one area insufficient.
A phishing email that tricks a staff member into entering their login credentials is a cyber security incident. If the compromised account holds personal data, it is also a personal data breach under UK GDPR that may need to be reported to the ICO within 72 hours. If card payment data is exposed as a result, it triggers PCI DSS obligations too, including notifying the acquiring bank.
The Cyber Security course teaches employees to spot and avoid the attack. The Data Protection and UK GDPR course teaches them what to do when personal data is compromised. The PCI DSS course covers the specific rules around payment card information. Together, they give staff a practical understanding of digital security that covers their legal obligations from multiple angles.
For hospitality businesses in particular, all three are relevant. Hotels handle guest booking data (GDPR), process card payments (PCI DSS), and rely on email and booking systems that are targets for phishing (cyber security). The same applies to restaurants, care homes, retail outlets, and any business with both customer data and a card terminal.
How to get certified
All three courses are available through Chefs Bay Academy. A single licence costs £29 and gives access to the Cyber Security, Data Protection and UK GDPR, and PCI DSS courses, along with 130+ other courses in the library.
Each course is online and self-paced, so staff can fit it around shifts and other commitments. There are no classrooms to book and no fixed schedules. Learners work through the modules, pass an end-of-course assessment, and receive a CPD accredited certificate immediately. The Cyber Security and PCI DSS courses each take about one hour. The Data Protection and UK GDPR course takes 2-3 hours.
For employers training a team, this is a practical way to cover cyber security, data protection, and payment compliance in one go, without paying for each course separately.
Related guides
If this post was useful, you might also want to read:
- GDPR Training for Employees: Why It Matters and What to Cover for a deeper look at UK GDPR obligations, ICO enforcement, and common workplace mistakes
- Compliance Certificates Every Hospitality Worker Needs for the full list of training requirements across hospitality roles
All these courses are included in your Chefs Bay Academy licence — £29 for instant access to 130+ courses.