18 Sep 2017

Data Protection Governance, Enterprise/Organisation Risk Management, Relationship with Data Subjects and Supervisory Authorities:

Structuring, Auditing and Demonstrating Compliance

Practical guidelines on how to create, implement and audit a Data Protection Management Programme to demonstrate accountability under the EU General Data Protection Regulation (GDPR) both to data subjects and to supervisory authorities, taking into consideration the Enterprise/Organisation Risk Management framework

This training course provides practical guidance for the creation of a Data Protection Management Programme, which needs to be both effective and coherent with the Enterprise/Organisation Risk Management framework. It sheds light on the concepts of accountability, compliance and data protection management in the context of the evolving EU data protection framework. Moreover, the course provides guidelines and tools (e.g., methodologies and checklists) to perform personal data protection/security internal audits or investigations under the GDPR and to coherently assess controllers' and processors' level of compliance. Participants will benefit from hands-on experience to ensure comprehensive data protection management and prompt responses to inquiries in their organisation. The following questions are addressed:

  • What are the legal requirements derived from the notion of accountability under the GDPR?
  • How to structure and draft a Data Protection Management Programme that will ensure ongoing compliance (and not simply ticking boxes)?
  • What is the role of the Data Protection Officer in the creation of an effective Data Protection Management Programme?
  • How to coordinate the Data Protection Management Programme with the relevant Enterprise/Organisation Risk Management framework?
  • How to build internal accountability: techniques of mapping data processing and building a register?
  • How to demonstrate accountability externally: best practices for responding to requests for documentation by supervisory authorities or data subjects?
  • How to gauge the level of compliance of processors or controllers with whom personal data is shared?
  • How different approaches work for different organizations (public authorities vs. private entities; start-ups vs. SMEs vs. MNEs)?
  • How to identify the perimeter of the audit?
  • Who are the entities involved in the audited data processing activities and their roles?
  • What are exactly the data processing activities carried out within the perimeter of the audit?
  • How to identify the type of personal data processed?
  • How to correctly identify the personal data flow/transfer outside the EU?
  • How to identify relevant duties and obligations of the parties involved under the GDPR?
  • How to verify the compliance with parties' relevant duties and obligations?
  • How to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk? [Diploma Track offers electives on Data Protection Impact Assessment, Security Risk Assessment & Data Protection by Design]
  • How to verify the correct management of Personal Data Breaches?
  • How to evaluate controller's Data Protection Impact Assessment? [Diploma Track offers electives on Data Protection Impact Assessment, Security Risk Assessment & Data Protection by Design]
  • How to verify the accurateness of the records of processing activities?
  • How to verify the compliance with the principles of Data Protection by Design and by Default? [Diploma Track offers electives on Data Protection Impact Assessment, Security Risk Assessment & Data Protection by Design]
  • How to evaluate data processing agreements/clauses with third parties, e.g., limitation of liability, hold harmless, and indemnity clauses? [see specific training on Data Protection Contract Management]
  • How to verify the correctness of the legal basis for transferring data outside the EU, e.g., Model Contractual Clauses, Privacy Shield, Binding Corporate Rules, Consent, etc.? [see also course day on Data Transfer]
  • How to draft a meaningful audit report?
  • How to effectively set and manage audit meetings and interviews (e.g., kick-off meeting, interim meetings, closing meeting, interviews, etc.)?
  • What constitutes a data subject access request under the new EU GDPR?
  • How to assess the validity of data subjects’ and supervisory authorities’ requests and how to reply to them (identification requirements, content, time limits)?
  • How to set parameters for the search for information and collating the results?
  • How to incorporate data subjects’ and supervisory authorities’ requests into your operational ‘business as usual’ processes?
  • How to manage data subjects' complaints?
  • How to deal with new rights such as the right to be forgotten, restriction of processing and data portability, and their practical implementation?