Certified EU General Data Protection Regulation (EU GDPR) Foundation - United States

Certified EU General Data Protection Regulation (EU GDPR) Foundation Course Outline

Module 1: Introduction to the GDPR 

• GDPR in a Nutshell
• Generate Customer Confidence
• Focus of GDPR
• What is Personal Information?
• Who has PII?
• Lawful Processing of Personal Data

Module 2: Binding Corporate Rules 

• Introduction
• Scope
• UK ICO’s View of the Scope
• Processing GDPR Definition
• Who Processes PII?
• What is Special Data?
• Legal Framework
• Timeline and Derogations
• Some Key Areas for Derogation
• Data Breaches/Personal Data Breach
• Consequences of Failure
• Governance Framework

Module 3: GDPR Terminology and Techniques 

• Key Roles
• Data Set
• Subject Access Request (SAR)
• Data Protection Impact Assessments (DPIA)
• What Triggers a Data Protection Impact Assessment?
• DPIA is Not Required
• Processes to be Considered for a DPIA
• Responsibilities
• DPIA Decision Path
• DPIA Content
• How Do I Conduct a DPIA?
• Signing Off the DPIA
• Mitigating Risks Identified by the DPIA
• Privacy by Design and Default
• External Transfers
• Profiling
• Pseudonymization
• Principles, User Rights, and Obligations
• One Stop Shop

Module 4: Structure of the Regulation 

• Parts of the GDPR
• Format of the Articles
• Articles

Module 5: Principles and Rights 

• Introduction
• Legality Principle
• How the Permissions Work Together?
• Lawfulness of Processing Conditions
• Lawfulness for Special Categories of Data
• Criminal Offence Data
• Consent
• Transparency Principle
• Fairness Principle
• Rights of Data Subjects
• Purpose Limitation Principle
• Minimization Principle
• Accuracy Principle
• Storage Limitation Principle
• Integrity and Confidentiality Principle
• Accountability Principle

Module 6: Demonstrating Compliance 

• Demonstrating Compliance with the GDPR
• Impact of Compliance Failure
• Administrative Fines
• What Influences the Size of an Administrative Fine?
• Joint Controllers
• Processor Liability Under GDPR
• Demonstrating Compliance
• Protecting PII is Only Half the Job
• What must be Recorded?
• Additional Ways of Demonstrating Compliance
• Demonstrating a Robust Process
• PIMS (Personal Information Management System)
• Cyber Essentials
• ISO 27017 Code of Practice for Information Security Controls
• Risk Management

Module 7: Incident Response and Data Breaches 

• What is a Personal Data Breach?
• Notification Obligations
• What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
• What Information Must Be Provided to the SA?
• How do I Report a Breach to the SA?
• Notifying Data Subjects
• What Should I do to Prepare for Breach Reporting?
• Updating Policies and Procedures
• Breach Reporting and Responses
• Ways to Minimize the Breach Impact

Module 8: Understanding the Principle Roles

• What the GDPR Makes Businesses Responsible For?
• Difference Between a Data Controller and a Data Processor
• How the Roles Split?
• Controllers and Processors
• Main Obligations of Data Controllers
• Demonstrate Compliance
• Joint Controllers and EU Representative
• Controller-Processor Contract
• Maintain Records and Keeping Records for Small Businesses
• Cooperation with Supervisory Authorities
• Keeping PII Secure
• Data Breach Transparency
• Role of the Data Processor
• Controller-Processor Contract
• Main Obligations of the Processor
• Perform Only the Data Processing Defined by the Data Controller
• Update the Data Controller
• Sub-Process or Appointment
• Keep PII Confidential
• Maintaining Records
• Cooperate with Supervisory Authorities
• Security
• Appoint a DPO – If Necessary
• Transferring Data Outside the EU

Module 9: Role of the DPO

• Role of a Data Protection Officer
• Involvement of the DPO
• Main Responsibilities of the DPO
• Working Environment for the DPO
• Must We Have A DPO?
• Public Body
• What does Large Scale mean?
• Systematic Monitoring
• Who Can Perform the Role of DPO?
• Skills Required
• Monitoring Compliance
• Training and Awareness
• Data Protection Impact Assessments (DPIAs)
• Risk-Based Approach
• Business Support for the DPO
• DPO Independence
• DPO – Conflict of Interest

Module 10: UK Implementation

• Key Differences Between the Data Protection Act and the GDPR
• Highlights from the Data Protection Bill
• Definition of Controller
• Health, Social Work, Education, and Child Abuse
• Age of Consent
• Exemptions for Freedom of Expression
• Research and Statistics
• Archiving in the Public Interest

Module 11: Key Features

• Specific Permission
• Privacy by Design
• Data Portability
• Right to be Forgotten
• Definitive Consent
• Information in Clear Readable Language
• Limits on the Use of Profiling
• Everyone Follows the Same Law
• Adopting Techniques

Module 12: Subject Access Requests and How to Deal with them?

• Subject Access Requests (SAR)
• Dealing with SAR
• Recognize the Request
• Understand the Time Limitations
• Dealing with Fees and Excessive Requests
• Identify, Search, and Gather the Requested Data
• Learn about What Information to Withhold
• Developing and Sending a Response