Programme
Data governance models
Which data governance model to choose, and how best to create and organise your data protection team: purpose and structure
This session will focus on how to establish the most appropriate data governance model, framework and tools, and will showcase best practices in the field of privacy data governance. Moreover, the session will focus on the structure of a data protection team, including roles, responsibilities and reporting structure, in order to align with the organisation's data protection strategy. In this respect, experts will address the key responsibilities of a data protection team, such as meeting regulatory data protection compliance obligations, meeting the expectations of data subjects and stakeholders, and safeguarding data against attacks and threats…
The following topics will be addressed in this session:
- How to establish the appropriate data governance organisational model (Centralized, Distributed or Hybrid)
- Composition of the data protection team
- Defining the role and responsibilities of each team member and required professional competences
- Establish/endorse the measurement of professional competences
- Hierarchical structure (under legal, or IT, or other departments)
Expert
Paul Breitbarth, Senior Visiting Fellow ECPC, Data Protection Lead at Catawiki
Building a demonstrably compliant data protection programme
Building a demonstrably compliant data protection programme, a step-by-step approach: where to start?
The following topics will be addressed in this session:
- Defining the scope of the data protection programme and taking an accountability approach to compliance
- Identification of the types of personal data collected and the manner in which they are processed
- Identification of the relevant privacy and data protection laws and regulations applicable to an organisation taking into account storage, transfer and processing of personal data
- Data processing inventory and Register
- Data Protection Impact Assessments
- Contracts and agreements
- Internal policies and procedures
Expert
Paul Breitbarth, Senior Visiting Fellow ECPC, Data Protection Lead at Catawiki
ICT and Data Protection Contract Management
Drafting, Negotiating & Managing ICT and Data Protection Agreements
This session provides participants with all the necessary information to be able to review, understand and negotiate ICT and data protection contracts. The course covers the legal requirements under the GDPR, supplier selection/audit/monitoring and ongoing contract management to meet the relevant obligations.
The following topics will be addressed in this session:
- A brief introduction to contracts: duties, obligations, liabilities/responsibilities, dispute resolution and the GDPR
- Practical Aspects of ICT Contracts: peculiarities, main issues and how to address them, when and what to negotiate
- Data Protection Implications of ICT services: roles, responsibilities, respective duties and obligations and how to effectively address them, with a focus on data processing agreements (formulation, content and considerations)
- Data Processing Agreements (DPAs): controller and (sub-)processor obligations
- Joint-Controllership Agreements (JCAs)
- Data Management Agreements (DMAs)
- Data transfer mechanisms and EU Standard Contractual Clauses
- Ongoing Contract Compliance, Surveillance and Assurance
Expert
Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University
Information Security Management and Data Protection
Information Security Management and Data Protection: integrating the two risk-based approaches
This session offers a comprehensive understanding of how to protect personal data through the implementation of industry-leading data protection and security controls. Furthermore, technology and data security risk assessment methodologies will be discussed.
The following topics will be addressed in this session:
- Risk assessment methodologies and the interplay between data protection-related and security-related methodologies
- Risk Assessment/Data Protection Impact Assessment in practice: Identification and evaluation of the risks for the data subjects and identification of appropriate mitigation measures. Focus on the Data Protection Impact Assessment (DPIA) methodologies.
Expert
Fernando Silva, Data Protection Administrative Manager at European Parliament
Measuring, monitoring and auditing programme performance
Measuring, monitoring and auditing programme performance, and reporting to the board
This session will focus on best practices for monitoring, measuring, analysing and auditing the performance of the privacy programme in an organisation. The accountability principle requires organisations to continuously monitor compliance and the effectiveness of data protection governance policies, procedures, processes and technical security measures. This includes periodically auditing them, establishing specific data quality metrics to evaluate the success of data governance, and creating a process for ongoing improvement.
The following topics will be addressed in this session:
- How to define metrics and key performance indicators?
- Understanding the purpose of an Audit
- How to conduct internal and external audits of compliance with data protection and information security policies and standards?
- An overview of the different types of audit
- The Key Audit Principles
- Develop an Audit Plan: Defining the Scope of the Audit / Roles and responsibilities: Determining who should be present at the audit
- How to align the organisation's data protection operations with internal and external compliance audits?
- How to audit data quality and communicate audit findings with the board and stakeholders?
- Presenting the findings of an Audit
The course will be closed with a session on:
Reporting to the Board/Management on data protection compliance: What, Why, How?
Expert
Andreea Lisievici, Privacy & tech lawyer, mentor, lecturer and Managing Partner at ICTLC
ECPC-M examination
In order to obtain the ECPC-M Privacy Management and Data Governance Certification, participants need to pass an exam. This is part of the programme and takes place on Friday afternoon. Examination details are explained in the menu tab 'ECPC-M examination'.
Course programme
- Session 1: Data Protection Culture and Data Protection Models
- Session 2: Data governance models
- Session 3: Building a demonstrably compliant data protection programme
- Session 4: ICT and Data Protection Contract Management
- Session 5: Information Security Management and Data Protection
- Session 6: Measuring, monitoring and auditing programme performance