Day 1 GDPR & Privacy Legislation

• Module 1: Introduction to data protection & privacy
• Module 2: GDPR Fundamentals & principles
• Module 3: GDPR Rights of the data subject
• Module 4: GDPR Controllers & processors
• Module 5: GDPR Transfers of personal data to 3^rd countries or international organisations
• Module 6: GDPR Remedies, liabilities & penalties
• Module 7: GDPR Supervisory authorities, co-operation, specific situations
• Module 8: Summary of changes

Day 2: Information Governance, Risk Management & Security

Module 1: Information Governance, management, assurance & accreditation

•   Outline the importance of governance and having some kind of assurance & accreditation program in place if appropriate
•   Cover different approaches to governance e.g. ISO27001 and NIST
•   Cover the importance of information asset management control
•   Outline what assurance and accreditation is and how organisations can use this as part of demonstrating compliance with the GDPR requirements for due diligence

Module 2: Risk management frameworks

•   Cover what risk is, emphasise the requirement of risk management in GDPR
•   Cover different risk methodologies that are available and what the objective is
•   Cover residual risk, risk registers and how organisations need to continually monitor risk

Module 3: Information security, monitoring & incident management

•   Cover baseline controls
•   Cover where organisations can find advice and guidance on implementing cyber security e.g. 10 steps, Cyber Essentials, ICO information security recommendations, ISO27032 etc
•   Cover the importance of monitoring – when not if people get in the network and the importance of having good incident management
•   Cover incident management process – what is required, how it feeds into the risk process, how it should be used to improve security
•   Cover reporting procedure

Day 3: Implementation

Module 1: Transitioning from DPA to GDPR

•   Having covered the law delegates should have a solid understanding of this but cover the changes in depth here for them to understand everything that is changing
•   Summary of changes based on legal overview document
•   Use the online ICO self-assessment toolkit for them to understand how they can use that to baseline where they currently are to give them their starting point
•   Data streaming/data mapping
•   Auditing current compliance – use of tools like e-Discovery to facilitate this
•   Identification of policies & procedures which need to be reviewed to bring in line with minimising privacy impact and ensuring compliance

Module 2: Privacy by Design & Data Protection Impact Assessments (DPIA)

•   Cover requirement to build in appropriate security from the start
•   Cover DPIAs
•   Cover impact for failing to do this (business costs – enforcement of failure to do this will be covered later)
•   Privacy notices
•   Bring Your Own Device (BYOD) & privacy

Module 3: Direct marketing & Online profiling

•   Cover consent with regard to direct marketing – what it means
•   Cover the issue of online profiling and tracking cookies and what it will require to be compliant with GDPR
•   The EU PECR is currently in a consultation phase to bring it into line with GDPR – discussion of the implications this will have for organisations

Module 4: Obligations of controllers & processors

•   How organisations need to ensure that a data subject can exercise their rights
•   The obligations on controllers and information they need to provide to data subjects when collecting data from data subjects
•   The obligations when they buy data in
•   The requirements of notification – to data subjects and others they have passed the data to when a data subject exercises their rights
•   The obligations on the controller to ensure a processor is compliant with the GDPR
•   How the change to liability for a breach still doesn’t absolve the controller of their accountability
•   Records required
•   Exemption for small organisations although it is likely most will adhere – the records are what best practice and good management require or is information that should be on a DPIA anyway

Day 4: Implementation

Module 1: Cloud & Big Data

•   Geographic location of cloud
•   Legal and jurisdictional issues
•   What big data is
•   Should we do this vs we can do this – consider repurposing of data issues

Module 2: Staying compliant

•   Steps and quick wins to achieve compliance
•   Steps to remain compliant

Module 3: Enforcement & supervisory authority powers

•   Enforcement regime – summary of the 2%/10 million and 4%/20 million fines
•   Summary of enforcement powers the ICO will have – urgency requirements to stop all processing of personal data immediately
•   One stop shop – simplification of administration across the EU
•   Main establishment determines the supervisory authority
•   Legal requirement to co-operate with the supervisory authority

Day 5

Independent APMG GDPR Examination