Certified EU General Data Protection Regulation (EU GDPR) Practitioner - Belgium

GDPR Practitioner Course Outline

Module 1: Data Subject Rights

• Rights of the Data Subject
• Must I Always Obey a Right?
• Rights and Third Parties
• Requests Made on Behalf of Other Data Subjects
• Guidelines for Children's Maturity
• Responding to a Rights Request
• What is a Month?
• Rights Request Flow Chart
• Right to Be Informed
• Best Practice Guidance
• Right of Access
• Right to Rectification
• Right to Erasure
• When Can I Refuse to Comply with a Request for Erasure?
• Erasing Children's Data
• Right to Restrict Processing
• When Processing Should be Restricted?
• Protecting PII
• Issues about Restricting Processing
• Right to Data Portability
• Right to Object
• Complying with the Right to Object
• Rejecting the Right to Object
• Right to Object
• Rights Related to Automated Decision Making and Profiling
• When Does the Right Not Apply?

Module 2: Subject Access Requests

• Provenance
• SARs
• SAR is an Activity, not a Title
• How Can a SAR be submitted?
• What Information Should the Response to a SAR Contain?
• Replying to a SAR
• Confirming a Data Subject’s Identity
• Scope
• Electronic Records
• Non-Electronic Records
• SARs involving 3rd Party PII
• Fees
• Refusing a Subject Access Request
• Access Requests from Employees
• Credit Reference Agencies
• Best Practice for SARs

Module 3: Lawful Processing

• Lawful Processing
• User Rights Change Depending on the Justification
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• Consent
• Specific
• Informed
• Key Points about Consent
• Affirmative Action and Explicit Consent
• What is not Affirmative Action?
• Explicit Consent
• Explicit Statement
• Obtaining Explicit Consent
• ICOs View of a Poor Form of Explicit Consent
• Obtaining Consent for Scientific Research Purposes
• Getting Consent
• What should go into the Consent Request?
• Consent Granularity
• Right to Withdraw Consent
• Children
• Consent Records
• Key Points When Establishing Consent
• Legitimate Interests
• Getting the Balance Right
• Consent or Legitimate Interest?
• What Lawful Basis Can Be Used for Processing Marketing PII?

Module 4: Third-Country Data Transfers

• Cross Border Transfers
• Transfer Mechanisms
• Derogations
• Adequacy
• Adequate Ways to Safeguard Transfers of PII
• One-Off or Infrequent Transfers
• Who is Responsible?
• Transferring PII Between EEA Members
• Adequate Countries Outside of the EEA
• Binding Corporate Rules (BCR)
• What a BCR Must Cover?
• Authorisation for BCRs
• Privacy Shield Overview
• Model Clauses
• Public Authority Agreements

Module 5: Introduction to Protecting Personal Data

• Need to Secure
• What is Appropriate?
• Protecting PII
• Coverage
• Defensive Design
• Single Point of Failure (SPOF)
• Incident Response
• Data Breach Reporting Requirements
• Incident Response Team

Module 6: Data Protection Impact Assessments (DPIA)

• Data Protection Impact Assessments Overview
• What Triggers a Data Protection Impact Assessment?
• Benefits of DPIA
• Processes to Be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct a DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified By the DPIA

Module 7: Need Want Drop

• Need to Want Drop Overview
• Concept Diagram
• Need/Want/Drop Methodology

Module 8: Dealing with Third Parties and Data in the Cloud

• What is Cloud Computing?
• Myths of Cloud
• Cloud Challenges
• Controller-Processor Contract
• Checklist
• Data Controller

Module 9: Practical Implications: GDPR

• Brexit and Its Impact on the GDPR
• One-Stop Shop

Module 10: Legal Requirements of the GDPR

• Legal Requirements of the GDPR Overview

Module 11: Privacy Principles in GDPR

• Principles found in Article 5(1) GDPR

Module 12: Common Data Security Failures, Consequences, and Lessons to be Learnt

• Common Data Security Failures
• Consequences
• Lesson Learned