The GDPR Primer for Data Protection Officers

2 Days

12 CPD hours

A prior understanding of EU Data Protection legislation is recommended. Candidates are typically management professionals and decision-makers who already have responsibility for data protection compliance within their organisation.Co-Requisite Subjects Candidates should have a good understanding of their own organisation?s data management activities through the life cycle from initial acquisition, through the various areas of processing and usage, to eventual removal or destruction.

To equip the learner with a foundational understanding of the principles of the General Data Protection Regulation (GDPR) and to provide constructive suggestions on implementing compliant processes.

The social, historical and legal background leading to the General Data Protection Regulation (GDPR)

• The scope and global context of the GDPR
• The key concepts within the GDPR
• The definition of all key words and phrases relating to this Data Protection regulation

Principle One: The criteria governing fair, open and transparent processing of personal data

• Principle Two: Purpose Limitation, the challenge of limiting the processing within the context of specified and lawful purposes
• Principle Three: Minimisation of processing, and ensuring that only that data is processed which is necessary to achieve the purpose.
• Principle Two: Purpose Limitation, the challenge of limiting the processing within the context of specified and lawful purposes
• Principle Three: Minimisation of processing, and ensuring that only that data is processed which is necessary to achieve the purpose.
• Principle Four: Ensuring that any personal data held by the organisation is kept accurate and current, and that any processing of such data is appropriate
• Principle Five: Management and storage of personal data in a manner that meets regulatory obligations, while minimising the time that the individual remains identifiable
• Principle Six: The criteria governing safe, secure and confidential processing of personal data in order to protect its integrity
• Principle Seven: The key roles, responsibilities and accountabilities of those involved in Data Management within an organisation
• Establishment within a single Member State
• Joint Controllers
• Privacy by Design and by Default
• Nominated Representatives
• Third-party Contracts and shared liability
• Logging of data management processes
• Data Breach Notification obligations
• Privacy Impact Assessments
• Overseas transfer of personal data
• L2.8 The Data Subject Rights, and their implications for the Data Controller and the Data Processor
• L2.8.1 The ?right to be forgotten?
• L2.8.2 The right to restriction of processing
• L2.8.3 The right to object to certain processing
• L2.8.4 The right to have inaccurate data amended or erased
• L2.8.5 The right to data portability
• L2.8.6 The right of access to one?s personal data
• L2.8.7 Rights in relation to automated decision-making and profiling

The role of the Data Protection Officer (DPO)

• The role of the Data Protection Officer (DPO)
• Criteria for designating a DPO
• Tasks of the DPO
• Position of the DPO within the organisation
• The role of the Supervisory Authority within the Member State
• The Lead Supervisory Authority and independence
• Investigative, corrective and advisory powers
• Independence of the Supervisory Authority
• Collaboration with other Supervisory Authorities
• Codes of Conduct and Certification
• The role, powers and tasks of the European Data Protection Board (EDPB)

The remedies, liabilities and penalties available under the GDPR

• Right to raise a complaint
• Right to representation
• Right to effective judicial remedy
• Right to compensation and liability
• Administrative fines of up to ?10m or 2% of GAT
• Administrative fines of up to ?20m or 4% of GAT

Provisions for specific processing situations

• Freedom of Expression
• Processing of official documents
• Processing of National Identification Numbers
• Processing regarding employment
• Processing for archiving purposes
• Processing under obligations of official secrecy
• Processing of data by religious organisations

Preparing for implementation of the GDPR

• Review of data management policies and procedures
• Review of data assets and security structures
• Training and Awareness-raising
• Data management governance structures
• Embedding Privacy By Design and Default
• Codes of Conduct and Certification against standards
• Breach detection and notification procedures
• Review of third-party agreements, contracts