Certified EU General Data Protection Regulation (EU GDPR) Foundation And Practitioner Course Outline
Module 1: Introduction to the GDPR
- GDPR in a Nutshell
- Generate Customer Confidence
- Focus of GDPR
- What is Personal Information?
- Who has PII?
- Lawful Processing of Personal Data
Module 2: Binding Corporate Rules
- Introduction
- Scope
- UK ICO’s View of the Scope
- Processing GDPR Definition
- Who Processes PII?
- What is Special Data?
- Legal Framework
- Timeline and Derogations
- Some Key Areas for Derogation
- Data Breaches/Personal Data Breach
- Consequences of Failure
- Governance Framework
Module 3: GDPR Terminology and Techniques
- Key Roles
- Data Set
- Subject Access Request (SAR)
- Data Protection Impact Assessments (DPIA)
- What Triggers a Data Protection Impact Assessment?
- DPIA is Not Required
- Processes to be Considered for a DPIA
- Responsibilities
- DPIA Decision Path
- DPIA Content
- How Do I Conduct a DPIA?
- Signing Off the DPIA
- Mitigating Risks Identified by the DPIA
- Privacy by Design and Default
- External Transfers
- Profiling
- Pseudonymisation
- Principles, User Rights, and Obligations
- One Stop Shop
Module 4: Structure of the Regulation
- Parts of the GDPR
- Format of the Articles
- Articles
Module 5: Principles and Rights
- Introduction
- Legality Principle
- How the Permissions Work Together?
- Lawfulness of Processing Conditions
- Lawfulness for Special Categories of Data
- Criminal Offence Data
- Consent
- Transparency Principle
- Fairness Principle
- Rights of Data Subjects
- Purpose Limitation Principle
- Minimisation Principle
- Accuracy Principle
- Storage Limitation Principle
- Integrity and Confidentiality Principle
- Accountability Principle
Module 6: Demonstrating Compliance
- Demonstrating Compliance with the GDPR
- Impact of Compliance Failure
- Administrative Fines
- What Influences the Size of an Administrative Fine?
- Joint Controllers
- Processor Liability Under GDPR
- Demonstrating Compliance
- Protecting PII is Only Half the Job
- What must be Recorded?
- Additional Ways of Demonstrating Compliance
- Demonstrating a Robust Process
- PIMS (Personal Information Management System)
- Cyber Essentials
- ISO 27017 Code of Practice for Information Security Controls
- Risk Management
Module 7: Incident Response and Data Breaches
- What is a Personal Data Breach?
- Notification Obligations
- What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
- What Information Must Be Provided to the SA?
- How do I Report a Breach to the SA?
- Notifying Data Subjects
- What Should I do to Prepare for Breach Reporting?
- Updating Policies and Procedures
- Breach Reporting and Responses
- Ways to Minimise the Breach Impact
Module 8: Understanding the Principle Roles
- What does the GDPR Makes Businesses Responsible For?
- Difference Between a Data Controller and a Data Processor
- How the Roles Split?
- Controllers and Processors
- Main Obligations of Data Controllers
- Demonstrate Compliance
- Joint Controllers and EU Representative
- Controller-Processor Contract
- Maintain Records and Keeping Records for Small Businesses
- Cooperation with Supervisory Authorities
- Keeping PII Secure
- Data Breach Transparency
- Role of the Data Processor
- Controller-Processor Contract
- Main Obligations of the Processor
- Perform Only the Data Processing Defined by the Data Controller
- Update the Data Controller
- Sub-Process or Appointment
- Keep PII Confidential
- Maintaining Records
- Cooperate with Supervisory Authorities
- Security
- Appoint a DPO – If Necessary
- Transferring Data Outside the EU
Module 9: Role of the DPO
- Role of a Data Protection Officer
- Involvement of the DPO
- Main Responsibilities of the DPO
- Working Environment for the DPO
- Must We Have A DPO?
- Public Body
- What does Large Scale mean?
- Systematic Monitoring
- Who Can Perform the Role of DPO?
- Skills Required
- Monitoring Compliance
- Training and Awareness
- Data Protection Impact Assessments (DPIAs)
- Risk-Based Approach
- Business Support for the DPO
- DPO Independence
- DPO – Conflict of Interest
Module 10: UK Implementation
- Key Differences Between the Data Protection Act and the GDPR
- Highlights from the Data Protection Bill
- Definition of Controller
- Health, Social Work, Education, and Child Abuse
- Age of Consent
- Exemptions for Freedom of Expression
- Research and Statistics
- Archiving in the Public Interest
Module 11: Key Features
- Specific Permission
- Privacy by Design
- Data Portability
- Right to be Forgotten
- Definitive Consent
- Information in Clear Readable Language
- Limits on the Use of Profiling
- Everyone Follows the Same Law
- Adopting Techniques
Module 12: Subject Access Requests and How to Deal with them?
- Subject Access Requests (SAR)
- Dealing with SAR
- Recognise the Request
- Understand the Time Limitations
- Dealing with Fees and Excessive Requests
- Identify, Search, and Gather the Requested Data
- Learn about What Information to Withhold
- Developing and Sending a Response
Module 13: Data Subject Rights
- Must I Always Obey a Right?
- Rights and Third Parties
- Requests Made on Behalf of Other Data Subjects
- Guidelines for Children's Maturity
- Responding to a Rights Request
- What is a Month?
- Rights Request Flow Chart
- Right to be Informed
- When Should Information Be Provided?
- Best Practice Guidance
- Right of Access
- Right to Rectification
- Right to Erasure
- When can I Refuse to Comply with a Request for Erasure?
- Erasing Children's Data
- Right to Restrict Processing
- When Processing Should be Restricted?
- Protecting PII
- Other Issues about Restricting Processing
- Right to Data Portability
- Right to Object
- Complying with the Right to Object
- Rejecting the Right to Object
- Processing for Direct Marketing Purposes
- Processing for Research Purposes
- Rights Related to Automated Decision Making and Profiling
- When does the Right not apply?
Module 14: Subject Access Requests
- Provenance
- Overview: SARs
- SAR is an Activity, Not a Title
- How can a SAR be Submitted?
- What Information Should the Response to a SAR Contain?
- Additional Information
- Replying to a SAR
- Confirming a Data Subject’s Identity
- Scope
- Electronic Records
- Non-Electronic Records
- SARs Involving 3rd Party PII
- Fees
- Refusing a Subject Access Request
- Access Requests from Employees
- Credit Reference Agencies
- Best Practice for SARs
Module 15: Lawful Processing
- Lawful Processing: A Reminder
- User Rights Change Depending on the Justification
- Lawfulness of Processing Conditions
- Lawfulness for Special Categories of Data
- UK ICO Tool
- Consent
- Key Points About Consent
- Affirmative Action and Explicit Consent
- Introduction of Affirmative Action
- What is Not Affirmative Action?
- Examples of Affirmative Action from the ICO
- Introduction of Explicit Consent
- Explicit Statement
- Obtaining Explicit Consent
- ICOs View of a Poor Form of Explicit Consent
- Obtaining Consent for Scientific Research Purposes
- Getting Consent
- What Should Go into the Consent Request?
- Consent Granularity
- Right to Withdraw Consent
- Children
- Consent Records
- ICOs Examples of Record Keeping
- Key Points When Establishing Consent
- Legitimate Interests
- Getting the Balance Right
- Consent or Legitimate Interest?
- What Lawful Basis Can be Used for Processing Marketing PII?
Module 16: Third Country Data
- Cross Border Transfers
- Transfer Mechanisms
- Derogations
- Adequacy
- Adequate Ways to Safeguard Transfers of PII
- Consent
- One-Off or Infrequent Transfers
- Who is Responsible?
- Transferring PII Between EEA Members
- Adequate Countries Outside of the EEA
- Binding Corporate Rules (BCR)
- What a BCR Must Cover?
- Authorisation for BCRs
- EU-US Privacy Shield
- Privacy Shield Overview
- Privacy Shield: Mechanics
- Model Clauses
- Public Authority Agreements
Module 17: Introduction to Protecting Personal Data
- Need to Secure
- What is Appropriate?
- Protecting PII – 3 Key Areas
- Coverage
- Defensive Design
- Single Point of Failure (SPOF)
- Incident Response
- Data Breach Reporting Requirements
- Incident Response Team
Module 18: Data Protection Impact Assessments (DPIA)
- Introduction
- What Triggers a Data Protection Impact Assessment?
- Cases Where DPIA is Not Required
- Benefits of DPIA
- Processes to be Considered for a DPIA
- Responsibilities
- DPIA Decision Path
- DPIA Content
- How Do I Conduct A DPIA?
- Signing Off the DPIA
- Mitigating Risks Identified by the DPIA
Module 19: Need Want Drop
- Overview
- Need-Want-Drop: Concept Diagram
- Need-Want-Drop: Categorising Data
- Need/Want/Drop Methodology
Module 20: Dealing with Third Parties and Data in the Cloud
- What is Cloud Computing?
- Myths of Cloud
- Cloud Challenges
- Controller-Processor Contract
- Checklist
- Data Controller - Summary
Module 21: Practical Implications: GDPR
- Brexit and its Impact on the GDPR
- Adequacy
- What does this Mean in Practice?
- EU and in Stavanger Representatives
- Exemption Rule
- One-Stop Shop
Module 22: Legal Requirements of the GDPR
- Lawful, Fair, and Transparent Processing
- Limitation of Purpose, Data and Storage
- Data Subject Rights
- Consent
- Personal Data Breaches
- Privacy by Design
- Data Protection Impact Assessment
- Data Transfers
- Data Protection Officer
- Awareness and Training
Module 23: Privacy Principles in GDPR
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
Module 24: Common Data Security Failures, Consequences, and Lessons to be Learnt
- Common Data Security Failures
- Consequences
- Fines Relating to Data Breaches
- Litigation from Customers Relating to Data Breaches
- Directors, Officers, and Professional Advisors
- Reputational Damage
- Lesson Learned
- Knowing When and How to Communicate with Affected Individuals is Not Easy
- GDPR is Important, as are Other Legal Frameworks