The first module refers to EEA (page 13), which you need to click on to find out what it stands for. It does not explain how it is formed nor does it lists those countries outside of the EU as opposed to page 14 which lists all the countries under the data-regime adequacy for transfers. The role of the ICO is not clear. It mentions that it ‘retains the same powers as under the EU GDPR’ (which assumes one knows which powers), and that ‘consequently, if there is a data breach or issue involving an EU citizen’s data from 1 Jan 2021, the relevant authority to refer to will be the equivalent of the ICO in the country whose citizens have been affected by the breach’. Should one be an EU citizen but legally living in the UK, where one's data is stored and breached, who does one complain to? The same applies in a later module, where it mentions the refusal to provide personal information when the person cannot be identified and that one can complain to the ICO, which is only relevant to UK citizens. Under non-compliance, it mentions the investigatory power under the GDPR, but it does not specify who.