Programme
Tuesday 14 April 2026
Building a demonstrable and accountable privacy and AI governance programme: a step-by-step approach
Session 3
This session provides a step-by-step methodology for designing and documenting a demonstrable, auditable privacy and AI governance programme. Participants learn how to operationalise GDPR obligations and integrate EU AI Act requirements, focusing on documentation, risk assessments, and data quality control.
- Scope definition and accountability-driven compliance strategy
- Data mapping, records of processing and AI system inventories
- Data Protection Impact Assessments (DPIAs) and their interaction with AI risk management and fundamental-rights assessments
- Governance of training, validation and testing datasets
- Internal policies, procedures, and documentation obligations
- Case-based application across traditional processing and AI-enabled systems
Experts:
Anna Pouliou
Paul Breitbarth
Wednesday 15 April 2026
ICT, AI and data protection contract management: drafting, negotiating and managing
Session 4
This session equips participants with practical skills to review, negotiate, and manage ICT and data protection contracts that support GDPR and EU AI Act compliance throughout the supply chain.
Topics covered:
- GDPR roles, liabilities, and contractual allocation of responsibilities
- AI-specific contractual obligations and risk allocation
- Clauses on AI risk allocation, human oversight and transparency
- Data Processing Agreements (DPAs), Joint-Controllership Agreements (JCAs), and Data Management Agreements (DMAs)
- AI development and deployment contracts
- Supplier selection, auditing and ongoing monitoring obligations
- Sub-processing, audits, transparency, and documentation
- International data transfers and AI-related data flows
- Dispute resolution and liability considerations
- Ongoing compliance monitoring and assurance
Case study
Contractual governance of data-related risks
Focusing on implementation, this session explains how to use contractual tools to manage risks in AI procurement, data sharing and outsourcing. Participants review example clauses and negotiation strategies based on real supervisory authority cases.
Experts:
Paolo Balboni
Laura Senatore
Thursday 16 April 2026
Risk management: integrating privacy, security and AI risk frameworks
Session 5
This session explores how privacy risk, information security risk, and AI-specific risks can be integrated within a unified, risk-based governance approach.
Focus areas:
- Privacy and security risk assessment methodologies
- DPIAs in practice and their limitations in AI contexts
- Identification and mitigation of risks in AI-driven processing
- Governance of bias, discrimination, accuracy, robustness, and explainability
- Case-based application of integrated risk assessments
Case study
Risk Assessment in Practice
Participants apply DPIA and AI risk templates to a simulated high-risk AI system, identifying privacy and security gaps and developing remediation plans.
Experts:
Gianclaudio Malgieri
Paolo Balboni
Yazan AlMasri
Friday 17 April 2026
Measuring, monitoring and auditing programme performance, and reporting to the Board
Session 6
The final session focuses on demonstrating accountability through continuous monitoring, auditing, and effective reporting to senior management and boards. The accountability principle requires organisations to continuously monitor the compliance and effectiveness of privacy data governance policies, procedures, processes and technical security measures, and to audit them periodically, by establishing specific data quality metrics to measure the success of data governance and by establishing a continuous improvement process.
Topics include:
- Defining metrics and key performance indicators (KPIs) for privacy and AI governance
- Internal and external audits under the GDPR and EU AI Act
- Audit planning and execution
- Data quality and AI governance audits
- Continuous improvement mechanisms
- Communicating compliance posture, risks, and governance outcomes to Boards and senior management
The session concludes with an explanation of what to report, how, from whom and when, so that reporting on privacy compliance, progress on privacy initiatives, and privacy programme key performance indicators is done effectively and in a way the board understands.
Expert:
Andreea Lisievici Nevin