Certified EU General Data Protection Regulation (EU GDPR) Foundation And Practitioner - United States

Certified EU General Data Protection Regulation (EU GDPR) Foundation and Practitioner

Module 1: Introduction to the GDPR 

• GDPR in a Nutshell
• Generate Customer Confidence
• Focus of GDPR
• What is Personal Information?
• Who has PII?
• Lawful Processing of Personal Data

Module 2: Binding Corporate Rules 

• Introduction
• Scope
• UK ICO’s View of the Scope
• Processing GDPR Definition
• Who Processes PII?
• What is Special Data?
• Legal Framework
• Timeline and Derogations
• Some Key Areas for Derogation
• Data Breaches/Personal Data Breach
• Consequences of Failure
• Governance Framework

Module 3: GDPR Terminology and Techniques 

• Key Roles
• Data Set
• Subject Access Request (SAR)
• Data Protection Impact Assessments (DPIA)
• What Triggers a Data Protection Impact Assessment?
• DPIA is Not Required
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct a DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified by the DPIA
• Privacy by Design and Default
• External Transfers
• Profiling
• Pseudonymization
• Principles, User Rights, and Obligations
• One Stop Shop

Module 4: Structure of the Regulation 

• Parts of the GDPR
• Format of the Articles
• Articles

Module 5: Principles and Rights 

• Introduction
• Legality Principle
• How the Permissions Work Together?
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• Criminal Offence Data
• Consent
• Transparency Principle
• Fairness Principle
• Rights of Data Subjects
• Purpose Limitation Principle
• Minimization Principle
• Accuracy Principle
• Storage Limitation Principle
• Integrity and Confidentiality Principle
• Accountability Principle

Module 6: Demonstrating Compliance 

• Demonstrating Compliance with the GDPR
• Impact of Compliance Failure
• Administrative Fines
• What Influences the Size of an Administrative Fine?
• Joint Controllers
• Processor Liability Under GDPR
• Demonstrating Compliance
• Protecting PII is Only Half the Job
• What must be Recorded?
• Additional Ways of Demonstrating Compliance
• Demonstrating a Robust Process
• PIMS (Personal Information Management System)
• Cyber Essentials
• ISO 27017 Code of Practice for Information Security Controls
• Risk Management

Module 7: Incident Response and Data Breaches 

• What is a Personal Data Breach?
• Notification Obligations
• What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
• What Information Must Be Provided to the SA?
• How do I Report a Breach to the SA?
• Notifying Data Subjects
• What Should I do to Prepare for Breach Reporting?
• Updating Policies and Procedures
• Breach Reporting and Responses
• Ways to Minimize the Breach Impact

Module 8: Understanding the Principle Roles

• What does the GDPR Makes Businesses Responsible For?
• Difference Between a Data Controller and a Data Processor
• How the Roles Split?
• Controllers and Processors
• Main Obligations of Data Controllers
• Demonstrate Compliance
• Joint Controllers and EU Representative
• Controller-Processor Contract
• Maintain Records and Keeping Records for Small Businesses
• Cooperation with Supervisory Authorities
• Keeping PII Secure
• Data Breach Transparency
• Role of the Data Processor
• Controller-Processor Contract
• Main Obligations of the Processor
• Perform Only the Data Processing Defined by the Data Controller
• Update the Data Controller
• Sub-Process or Appointment
• Keep PII Confidential
• Maintaining Records
• Cooperate with Supervisory Authorities
• Security
• Appoint a DPO – If Necessary
• Transferring Data Outside the EU

Module 9: Role of the DPO

• Role of a Data Protection Officer
• Involvement of the DPO
• Main Responsibilities of the DPO
• Working Environment for the DPO
• Must We Have A DPO?
• Public Body
• What does Large Scale mean?
• Systematic Monitoring
• Who Can Perform the Role of DPO?
• Skills Required
• Monitoring Compliance
• Training and Awareness
• Data Protection Impact Assessments (DPIAs)
• Risk-Based Approach
• Business Support for the DPO
• DPO Independence
• DPO – Conflict of Interest

Module 10: UK Implementation

• Key Differences Between the Data Protection Act and the GDPR
• Highlights from the Data Protection Bill
• Definition of Controller
• Health, Social Work, Education, and Child Abuse
• Age of Consent
• Exemptions for Freedom of Expression
• Research and Statistics
• Archiving in the Public Interest

Module 11: Key Features

• Specific Permission
• Privacy by Design
• Data Portability
• Right to be Forgotten
• Definitive Consent
• Information in Clear Readable Language
• Limits on the Use of Profiling
• Everyone Follows the Same Law
• Adopting Techniques

Module 12: Subject Access Requests and How to Deal with them?

• Subject Access Requests (SAR)
• Dealing with SAR
• Recognize the Request
• Understand the Time Limitations
• Dealing with Fees and Excessive Requests
• Identify, Search, and Gather the Requested Data
• Learn about What Information to Withhold
• Developing and Sending a Response

Module 13: Data Subject Rights

• Must I Always Obey a Right?
• Rights and Third Parties
• Requests Made on Behalf of Other Data Subjects
• Guidelines for Children's Maturity
• Responding to a Rights Request
• What is a Month?
• Rights Request Flow Chart
• Right to be Informed

• When Should Information Be Provided?
• Best Practice Guidance

• Right of Access
• Right to Rectification
• Right to Erasure

• When can I Refuse to Comply with a Request for Erasure?
• Erasing Children's Data

• Right to Restrict Processing

• When Processing Should be Restricted?
• Protecting PII
• Other Issues about Restricting Processing

• Right to Data Portability
• Right to Object

• Complying with the Right to Object
• Rejecting the Right to Object
• Processing for Direct Marketing Purposes
• Processing for Research Purposes

• Rights Related to Automated Decision Making and Profiling

• When does the Right not apply?

Module 14: Subject Access Requests

• Provenance
• Overview: SARs
• SAR is an Activity, Not a Title
• How can a SAR be Submitted?
• What Information Should the Response to a SAR Contain?
• Additional Information
• Replying to a SAR
• Confirming a Data Subject’s Identity
• Scope
• Electronic Records
• Non-Electronic Records
• SARs Involving 3rd Party PII
• Fees
• Refusing a Subject Access Request
• Access Requests from Employees
• Credit Reference Agencies
• Best Practice for SARs

Module 15: Lawful Processing

• Lawful Processing: A Reminder
• User Rights Change Depending on the Justification
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• UK ICO Tool
• Consent
• Key Points About Consent
• Affirmative Action and Explicit Consent
• Introduction of Affirmative Action
• What is Not Affirmative Action?
• Examples of Affirmative Action from the ICO
• Introduction of Explicit Consent
• Explicit Statement
• Obtaining Explicit Consent
• ICOs View of a Poor Form of Explicit Consent
• Obtaining Consent for Scientific Research Purposes
• Getting Consent
• What Should Go into the Consent Request?
• Consent Granularity
• Right to Withdraw Consent
• Children
• Consent Records
• ICOs Examples of Record Keeping
• Key Points When Establishing Consent
• Legitimate Interests
• Getting the Balance Right
• Consent or Legitimate Interest?
• What Lawful Basis Can be Used for Processing Marketing PII?

Module 16: Third Country Data

• Cross Border Transfers
• Transfer Mechanisms
• Derogations
• Adequacy
• Adequate Ways to Safeguard Transfers of PII
• Consent
• One-Off or Infrequent Transfers
• Who is Responsible?
• Transferring PII Between EEA Members
• Adequate Countries Outside of the EEA
• Binding Corporate Rules (BCR)
• What a BCR Must Cover?
• Authorization for BCRs
• EU-US Privacy Shield
• Privacy Shield Overview
• Privacy Shield: Mechanics
• Model Clauses
• Public Authority Agreements

Module 17: Introduction to Protecting Personal Data

• Need to Secure
• What is Appropriate?
• Protecting PII – 3 Key Areas
• Coverage
• Defensive Design
• Single Point of Failure (SPOF)
• Incident Response
• Data Breach Reporting Requirements
• Incident Response Team

Module 18: Data Protection Impact Assessments (DPIA)

• Introduction
• What Triggers a Data Protection Impact Assessment?
• Cases Where DPIA is Not Required
• Benefits of DPIA
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct A DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified by the DPIA

Module 19: Need Want Drop

• Overview
• Need-Want-Drop: Concept Diagram
• Need-Want-Drop: Categorizing Data
• Need/Want/Drop Methodology

Module 20: Dealing with Third Parties and Data in the Cloud

• What is Cloud Computing?
• Myths of Cloud
• Cloud Challenges
• Controller-Processor Contract
• Checklist
• Data Controller - Summary

Module 21: Practical Implications: GDPR

• Brexit and its Impact on the GDPR
• Adequacy
• What does this Mean in Practice?
• EU and UK Representatives
• Exemption Rule
• One-Stop Shop

Module 22: Legal Requirements of the GDPR

• Lawful, Fair, and Transparent Processing
• Limitation of Purpose, Data and Storage
• Data Subject Rights
• Consent
• Personal Data Breaches
• Privacy by Design
• Data Protection Impact Assessment
• Data Transfers
• Data Protection Officer
• Awareness and Training

Module 23: Privacy Principles in GDPR

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality

Module 24: Common Data Security Failures, Consequences, and Lessons to be Learnt

• Common Data Security Failures
• Consequences

• Fines Relating to Data Breaches
• Litigation from Customers Relating to Data Breaches
• Directors, Officers, and Professional Advisors
• Reputational Damage

• Lesson Learned

• Knowing When and How to Communicate with Affected Individuals is Not Easy
• GDPR is Important, as are Other Legal Frameworks