Certified General Data Protection Regulation (GDPR) Foundation And Practitioner - Hong Kong

Certified General Data Protection Regulation (GDPR) Foundation and Practitioner Course Outline

Module 1: Introduction to GDPR

• GDPR in a Nutshell
• Generate Customer Confidence
• Focus of GDPR
• What is Personal Information?
• Who has PII?
• Lawful Processing of Personal Data

Module 2: GDPR Terminology and Techniques

• Key Roles
• Data Set
• Subject Access Request (SAR)
• Data Protection Impact Assessments (DPIA)
• What Triggers a Data Protection Impact Assessment?
• A DPIA is Not Required in the Following Cases
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct A DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified By the DPIA
• Privacy by Design and Default
• External Transfers
• Profiling
• Pseudonymisation
• Principles, User Rights, Obligations
• One Stop Shop

Module 3: Structure of the Regulation

• The Parts of the GDPR
• Format of the Articles
• Quick Quiz

Module 4: Principles and Rights

• Introduction
• Legality Principle
• How the Permissions Work Together
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• Criminal Offence Data
• Consent
• Transparency Principle
• Fairness Principle
• Rights of Data Subjects
• Purpose Limitation Principle
• Minimisation Principle
• Accuracy Principle
• Storage Limitation Principle
• Integrity & Confidentiality Principle

Module 5: Demonstrating Compliance

• Demonstrating Compliance with the GDPR
• Impact of Compliance Failure
• Administrative Fines
• What Influences the Size of an Administrative Fine?
• Joint Controllers
• Processor Liability Under GDPR
• Demonstrating Compliance
• Protecting PII is Only Half the Job!
• What must be Recorded?
• Additional Ways of Demonstrating Compliance
• Demonstrating a Robust Process
• PIMS (Personal Information Management System)
• Cyber Essentials
• ISO 27017 Code of Practice for Information Security Controls
• Risk Management

Module 6: Incident Response & Data Breaches

• What is a Personal Data Breach?
• Notification Obligations
• What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
• What Information Must Be Provided to the SA?
• How Do I Report a Breach to the SA?
• Notifying Data Subjects
• What Should I do to Prepare for Breach Reporting?
• Updating Policies and Procedures
• Breach Reporting and Responses
• Ways to Minimise the Breach Impact

Module 7: Understanding the Principle Roles

• What the GDPR Makes Businesses Responsible For?
• Difference Between a Data Controller and a Data Processor
• How the Roles Split
• Controllers and Processors
• Controllers: Key Points
• Main Obligations of Data Controllers
• Demonstrate Compliance
• Joint Controllers
• Representative
• Controller-Processor Contract
• Maintain Records
• Keeping Records for Small Businesses
• Cooperation with Supervisory Authorities
• Keeping PII Secure
• Data Breach Transparency
• Role of the Data Processor
• Controller-Processor Contract
• Main Obligations of the Processor
• Perform Only the Data Processing Defined by the Data Controller
• Update the Data Controller
• Sub-Processor Appointment
• Keep PII Confidential
• Maintaining Records
• Cooperate with Supervisory Authorities
• Security
• Notify Breaches
• Appoint a DPO – If Necessary
• Transferring Data Outside
• Note: If You Have Staff You Will be a Data Controller
• Data Processors Key Points

Module 8: The Role of the DPO

• The Role of a Data Protection Officer
• Involvement of the DPO
• Main Responsibilities of the DPO
• Working Environment for the DPO
• Must We Have A DPO?
• Public Body
• What does Large Scale mean?
• Systematic Monitoring
• Who Can Perform the Role of DPO?
• Skills Required
• Training and Awareness
• Monitoring Compliance
• Data Protection Impact Assessments (DPIAs)
• Risk-Based Approach
• Business Support for the DPO
• DPO Independence
• DPO – Conflict of Interest

Module 9: UK Implementation

• Key Differences Between the Data Protection Act and the GDPR
• Definition of Controller
• Highlights from the Data Protection Bill
• Health, Social Work, Education, and Child Abuse
• Age of Consent
• Exemptions for Freedom of Expression
• Research and Statistics
• Archiving in the Public Interest

Module 10: Key Features

• Key Features of GDPR
• Specific Permission
• Privacy by Design
• Data Portability
• Right to be Forgotten
• Definitive Consent
• Information in Clear Readable Language
• Limits on the Use of Profiling
• Everyone Follows the Same Law
• Adopting Techniques

Module 11: Subject Access Requests and How to Deal with them?

• Subject Access Requests (SAR)
• Dealing with SAR
• Recognise the Request
• Understand the Time Limitations
• Dealing with Fees and Excessive Requests
• Identify, Search, and Gather the Requested Data
• What Information to Withhold?
• Developing and Sending a Response

Module 12: Data Subject Rights

• Must I Always Obey a Right?
• Rights and Third Parties
• Requests Made on Behalf of Other Data Subjects
• Guidelines for Children's Maturity
• Responding to a Rights Request
• What is a Month?
• Rights Request Flow Chart
• Right to Be Informed
• Right of Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Rights Related to Automated Decision Making and Profiling

Module 13: Subject Access Requests

• Provenance
• Overview: SARs
• A SAR is an Activity, not a Title
• How Can a SAR be Submitted?
• What Information Should the Response to a SAR Contain?
• Additional Information
• Replying to a SAR
• Confirming a Data Subject’s Identity
• Scope
• Electronic Records
• Non-Electronic Records
• SARs involving 3rd Party PII
• Fees
• Refusing a Subject Access Request
• Access Requests from Employees
• Credit Reference Agencies
• Best Practice for SARs

Module 14: Lawful Processing

• Lawful Processing: A Reminder
• User Rights Change Depending on the Justification
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• UK ICO has a Tool
• Consent
• Other Key Points about Consent
• Affirmative Action & Explicit Consent
• What is not Affirmative Action?
• Examples of Affirmative Action from the ICO
• Explicit Consent
• The Explicit Statement
• Obtaining Explicit Consent
• ICOs View of a Poor Form of Explicit Consent
• Obtaining Consent for Scientific Research Purposes
• Getting Consent
• What Should go into the Consent Request?
• Consent Granularity
• Right to Withdraw Consent
• Children
• Consent Records
• ICOs Examples of Record Keeping
• Key Points when Establishing Consent
• Legitimate Interests
• Getting the Balance Right
• Consent or Legitimate Interest?
• What Lawful Basis can be used for Processing Marketing PII?

Module 15: Third Country Data Transfers

• Cross Border Transfers
• Transfer Mechanisms
• Derogations
• Adequacy
• Adequate Ways to Safeguard Transfers of PII
• Consent
• One-Off or Infrequent Transfers
• Who is Responsible?
• Transferring PII Between EEA Members
• Adequate Countries Outside of the EEA
• Binding Corporate Rules (BCR)
• What a BCR Must Cover
• Authorisation for BCRs
• Privacy Shield
• Privacy Shield Overview
• Privacy Shield: Mechanics
• Model Clauses
• Public Authority Agreements

Module 16: Introduction to Protecting Personal Data

• The Need to Secure
• What is Appropriate?
• Protecting PII – 3 Key Areas
• Coverage
• Defensive Design
• Single Point of Failure (SPOF)
• Incident Response
• Data Breach Reporting Requirements
• Incident Response Team

Module 17: Data Protection Impact Assessments (DPIA)

• Data Protection Impact Assessments
• What Triggers a Data Protection Impact Assessment?
• A DPIA is Not Required in the Following Cases
• Benefits of DPIA
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct A DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified by The DPIA

Module 18: Need Want Drop

• Need-Want-Drop
• Need-Want-Drop: Concept Diagram
• Need/Want/Drop Methodology

Module 19: Dealing with Third Parties and Data in the Cloud

• What is Cloud Computing?
• The Myths of Cloud
• Cloud Challenges
• The Controller-Processor Contract
• Checklist
• Data Controller – Summary

Module 20: Practical Implications: GDPR

• Brexit and its Impact on the GDPR
• One-Stop Shop

Module 21: Legal Requirements of the GDPR

• Legal Requirements
• Lawful, Fair, and Transparent Processing
• Limitation of Purpose, Data and Storage
• Data Subject Rights
• Consent
• Personal Data Breaches
• Privacy by Design
• Data Protection Impact Assessment 
• Data Transfers
• Data Protection Officer
• Awareness and Training

Module 22: Privacy Principles in GDPR

• Privacy Principles in the GDPR
• Lawfulness, Fairness, and Transparency
• Purpose Limitation is the Second Principle
• One Should Refer to Data Minimisation
• Accuracy is the Fourth Principle
• The Fifth Principle is the Storage Limitation
• Sixth Principle of Integrity and Confidentiality

Module 23: Common Data Security Failures, Consequences, and Lessons to be Learnt

• Common Data Security Failures
• Consequences
• Lesson Learned

Who Should Attend this General Data Protection Regulation Foundation and Practitioner Training Course?

This General Data Protection Regulation Foundation and Practitioner Training Course is designed for professionals who handle, manage, or oversee personal data and are responsible for ensuring compliance with data protection regulations. It is particularly beneficial for:

• Data Protection Officer (DPO)
• Compliance Manager
• Information Security Analyst
• Privacy Consultant
• Legal and Regulatory Advisor
• IT Risk and Governance Specialist
• Data Governance Manager

Prerequisites for the General Data Protection Regulation Foundation and Practitioner Training Course

There are no formal prerequisites to attend this General Data Protection Regulation Foundation and Practitioner Training Course.

Certified General Data Protection Regulation Foundation and Practitioner Course Overview

The Certified General Data Protection Regulation (GDPR) Foundation and Practitioner course provides comprehensive knowledge of data protection principles, legal requirements, and practical implementation of GDPR. This course is important as it ensures organisations understand and comply with data protection laws while safeguarding personal data.

It benefits organisations by reducing compliance risks, improving data governance, and strengthening customer trust. It benefits individuals by enhancing their understanding of data protection responsibilities and practical compliance approaches. It supports career development by building expertise in data privacy, governance, and regulatory compliance roles.

Certified General Data Protection Regulation (GDPR) Foundation and Practitioner Course Objectives

• To understand the fundamentals of GDPR legislation
• To comprehend the rights and responsibilities of data controllers and processors
• To learn how to conduct data protection impact assessments (DPIAs)
• To develop expertise in data subject consent and management
• To gain insights into GDPR compliance and risk assessment
• To master cross-border data transfer regulations
• To learn best practices for data breach management and reporting
• To acquire practical skills for implementing GDPR compliance within your organisation

After successfully completing this General Data Protection Regulation Foundation And Practitioner, delegates will possess a comprehensive understanding of GDPR regulations and adherence. They will acquire the abilities necessary to evaluate, execute, and sustain GDPR conformity within their respective companies, guaranteeing the fulfilment of data protection and privacy criteria.

What’s Included in this Certified General Data Protection Regulation (GDPR) Foundation and Practitioner Course?

• Certified General Data Protection Regulation (GDPR) Foundation and Practitioner Examination
• World-Class Training Sessions from Experienced Instructors
• Certified General Data Protection Regulation (GDPR) Foundation and Practitioner Certificates
• Digital Delegate Pack

GDPR Foundation Exam Information

To achieve the Certified General Data Protection Regulation (GDPR) Foundation, candidates will need to sit for an examination. The exam format is as follows: 

• Question Type: Multiple Choice 
• Total Questions: 45 
• Total Marks: 45 Marks 
• Pass Mark: 65%, or 29/45 Marks 
• Duration: 60 Minutes 
• Open Book/ Closed Book: Closed Book

GDPR Practitioner Exam Information

To achieve the Certified General Data Protection Regulation (GDPR) Practitioner, candidates will need to sit for an examination. The exam format is as follows: 

• Question Type: Multiple Choice 
• Total Questions: 30 
• Total Marks: 30 Marks 
• Pass Mark: 57%, or 17/30 Marks 
• Duration: 90 Minutes
• Open Book/ Closed Book: Closed Book