Certified EU General Data Protection Regulation (EU GDPR) Foundation And Practitioner - Cameroon

Certified EU General Data Protection Regulation (EU GDPR) Foundation And Practitioner Course Outline

Module 1: Introduction to the GDPR​

• GDPR in a Nutshell​
• Generate Customer Confidence​
• Focus of GDPR​
• What is Personal Information? ​
• Who has PII? ​
• Lawful Processing of Personal Data​

Module 2: Binding Corporate Rules ​

• Introduction
• Scope​
• UK ICO’s View of the Scope​
• Processing GDPR Definition​
• Who Processes PII? ​
• What is Special Data? ​
• Legal Framework​
• Timeline​ and Derogations​
• Some Key Areas for Derogation​
• Data Breaches/Personal Data Breach​
• Consequences of Failure​
• Governance Framework​

Module 3: GDPR Terminology and Techniques ​

• Key Roles​
• Data Set​
• Subject Access Request (SAR)​
• Data Protection Impact Assessments (DPIA) ​
• What Triggers a Data Protection Impact Assessment? ​
• DPIA is Not Required
• Processes to be Considered for a DPIA​
• Responsibilities​
• DPIA Decision Path​
• DPIA Content​
• How Do I Conduct a DPIA? ​
• Signing Off the DPIA​
• Mitigating Risks Identified by the DPIA​
• Privacy by Design and Default​
• External Transfers​
• Profiling​
• Pseudonymisation​
• Principles, User Rights, and Obligations​
• One Stop Shop​

Module 4: Structure of the Regulation​

• Parts of the GDPR​
• Format of the Articles​
• Articles​

Module 5: Principles and Rights​

• Introduction
• Legality Principle​
• How the Permissions Work Together​?
• Lawfulness of Processing Conditions​
• Lawfulness for Special Categories of Data
• Criminal Offence Data​
• Consent
• Transparency Principle​
• Fairness Principle​
• Rights of Data Subjects​
• Purpose Limitation Principle​
• Minimisation Principle​
• Accuracy Principle​
• Storage Limitation Principle​
• Integrity and Confidentiality Principle​
• Accountability Principle​

Module 6: Demonstrating Compliance​

• Demonstrating Compliance with the GDPR ​
• Impact of Compliance Failure​
• Administrative Fines​
• What Influences the Size of an Administrative Fine?
• Joint Controllers​
• Processor Liability Under GDPR​
• Demonstrating Compliance
• Protecting PII is Only Half the Job
• What must be Recorded? ​
• Additional Ways of Demonstrating Compliance​
• Demonstrating a Robust Process​
• PIMS (Personal Information Management System) ​
• Cyber Essentials​
• ISO 27017 Code of Practice for Information Security Controls​
• Risk Management​

Module 7: Incident Response and Data Breaches​

• What is a Personal Data Breach? ​
• Notification Obligations​
• What Breaches Do I Need to Notify the Relevant Supervisory Authority About? ​
• What Information Must Be Provided to the SA? ​
• How do I Report a Breach to the SA? ​
• Notifying Data Subjects​
• What Should I do to Prepare for Breach Reporting? ​
• Updating Policies and Procedures​
• Breach Reporting and Responses ​
• Ways to Minimise the Breach Impact​

Module 8: Understanding the Principle Roles

• What does the GDPR Makes Businesses Responsible For?
• Difference Between a Data Controller and a Data Processor
• How the Roles Split?
• Controllers and Processors
• Main Obligations of Data Controllers
• Demonstrate Compliance
• Joint Controllers and EU Representative
• Controller-Processor Contract
• Maintain Records and Keeping Records for Small Businesses
• Cooperation with Supervisory Authorities
• Keeping PII Secure
• Data Breach Transparency
• Role of the Data Processor
• Controller-Processor Contract
• Main Obligations of the Processor
• Perform Only the Data Processing Defined by the Data Controller
• Update the Data Controller
• Sub-Process or Appointment
• Keep PII Confidential
• Maintaining Records
• Cooperate with Supervisory Authorities
• Security
• Appoint a DPO – If Necessary
• Transferring Data Outside the EU

Module 9: Role of the DPO

• Role of a Data Protection Officer
• Involvement of the DPO
• Main Responsibilities of the DPO
• Working Environment for the DPO
• Must We Have A DPO?
• Public Body
• What does Large Scale mean?
• Systematic Monitoring
• Who Can Perform the Role of DPO?
• Skills Required
• Monitoring Compliance
• Training and Awareness
• Data Protection Impact Assessments (DPIAs)
• Risk-Based Approach
• Business Support for the DPO
• DPO Independence
• DPO – Conflict of Interest

Module 10: UK Implementation

• Key Differences Between the Data Protection Act and the GDPR
• Highlights from the Data Protection Bill
• Definition of Controller
• Health, Social Work, Education, and Child Abuse
• Age of Consent
• Exemptions for Freedom of Expression
• Research and Statistics
• Archiving in the Public Interest

Module 11: Key Features

• Specific Permission
• Privacy by Design
• Data Portability
• Right to be Forgotten
• Definitive Consent
• Information in Clear Readable Language
• Limits on the Use of Profiling
• Everyone Follows the Same Law
• Adopting Techniques

Module 12:  Subject Access Requests and How to Deal with them?

• Subject Access Requests (SAR)
• Dealing with SAR
• Recognise the Request
• Understand the Time Limitations
• Dealing with Fees and Excessive Requests
• Identify, Search, and Gather the Requested Data
• Learn about What Information to Withhold
• Developing and Sending a Response

Module 13: Data Subject Rights

• Must I Always Obey a Right?
• Rights and Third Parties
• Requests Made on Behalf of Other Data Subjects
• Guidelines for Children's Maturity
• Responding to a Rights Request
• What is a Month?
• Rights Request Flow Chart
• Right to be Informed
  • When Should Information Be Provided?
  • Best Practice Guidance
• Right of Access
• Right to Rectification
• Right to Erasure
  • When can I Refuse to Comply with a Request for Erasure?
  • Erasing Children's Data
• Right to Restrict Processing
  • When Processing Should be Restricted?
  • Protecting PII
  • Other Issues about Restricting Processing
• Right to Data Portability
• Right to Object
  • Complying with the Right to Object
  • Rejecting the Right to Object
  • Processing for Direct Marketing Purposes
  • Processing for Research Purposes
• Rights Related to Automated Decision Making and Profiling
  • When does the Right not apply?

Module 14: Subject Access Requests

• Provenance
• Overview: SARs
• SAR is an Activity, Not a Title
• How can a SAR be Submitted?
• What Information Should the Response to a SAR Contain?
• Additional Information
• Replying to a SAR
• Confirming a Data Subject’s Identity
• Scope
• Electronic Records
• Non-Electronic Records
• SARs Involving 3rd Party PII
• Fees
• Refusing a Subject Access Request
• Access Requests from Employees
• Credit Reference Agencies
• Best Practice for SARs

Module 15: Lawful Processing

• Lawful Processing: A Reminder
• User Rights Change Depending on the Justification
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• UK ICO Tool
• Consent
• Key Points About Consent
• Affirmative Action and Explicit Consent
• Introduction of Affirmative Action
• What is Not Affirmative Action?
• Examples of Affirmative Action from the ICO
• Introduction of Explicit Consent
• Explicit Statement
• Obtaining Explicit Consent
• ICOs View of a Poor Form of Explicit Consent
• Obtaining Consent for Scientific Research Purposes
• Getting Consent
• What Should Go into the Consent Request?
• Consent Granularity
• Right to Withdraw Consent
• Children
• Consent Records
• ICOs Examples of Record Keeping
• Key Points When Establishing Consent
• Legitimate Interests
• Getting the Balance Right
• Consent or Legitimate Interest?
• What Lawful Basis Can be Used for Processing Marketing PII?

Module 16: Third Country Data

• Cross Border Transfers
• Transfer Mechanisms
• Derogations
• Adequacy
• Adequate Ways to Safeguard Transfers of PII
• Consent
• One-Off or Infrequent Transfers
• Who is Responsible?
• Transferring PII Between EEA Members
• Adequate Countries Outside of the EEA
• Binding Corporate Rules (BCR)
• What a BCR Must Cover?
• Authorisation for BCRs
• EU-US Privacy Shield
• Privacy Shield Overview
• Privacy Shield: Mechanics
• Model Clauses
• Public Authority Agreements

Module 17: Introduction to Protecting Personal Data

• Need to Secure
• What is Appropriate?
• Protecting PII – 3 Key Areas
• Coverage
• Defensive Design
• Single Point of Failure (SPOF)
• Incident Response
• Data Breach Reporting Requirements
• Incident Response Team

Module 18: Data Protection Impact Assessments (DPIA)

• Introduction
• What Triggers a Data Protection Impact Assessment?
• Cases Where DPIA is Not Required
• Benefits of DPIA
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct A DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified by the DPIA

Module 19: Need Want Drop

• Overview
• Need-Want-Drop: Concept Diagram
• Need-Want-Drop: Categorising Data
• Need/Want/Drop Methodology

Module 20: Dealing with Third Parties and Data in the Cloud

• What is Cloud Computing?
• Myths of Cloud
• Cloud Challenges
• Controller-Processor Contract
• Checklist
• Data Controller - Summary

Module 21: Practical Implications: GDPR

• Brexit and its Impact on the GDPR
• Adequacy
• What does this Mean in Practice?
• EU and in Cameroon Representatives
• Exemption Rule
• One-Stop Shop

Module 22: Legal Requirements of the GDPR

• Lawful, Fair, and Transparent Processing
• Limitation of Purpose, Data and Storage
• Data Subject Rights
• Consent
• Personal Data Breaches
• Privacy by Design
• Data Protection Impact Assessment
• Data Transfers
• Data Protection Officer
• Awareness and Training

Module 23: Privacy Principles in GDPR

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity and Confidentiality

Module 24: Common Data Security Failures, Consequences, and Lessons to be Learnt

• Common Data Security Failures
• Consequences
  • Fines Relating to Data Breaches
  • Litigation from Customers Relating to Data Breaches
  • Directors, Officers, and Professional Advisors
  • Reputational Damage
• Lesson Learned
  • Knowing When and How to Communicate with Affected Individuals is Not Easy
  • GDPR is Important, as are Other Legal Frameworks