Session 2: Data governance models
Session 2: Which data governance model and how to best create and organize your data protection team purpose and structure
Andreea Lisievici, Head of Data Protection Compliance, Boeing
Ralph O'Brien, Principal, REINBO Consulting
This session will focus on how to establish the most appropriate data governance model, framework and tools, and will showcase best practices in the field of privacy data governance. Moreover, the session will focus on the structure of a data protection team, including roles, responsibilities and reporting structure, in order to align with the organisation's data protection strategy. In this respect, experts will address the key responsibilities of a data protection team, such as meeting regulatory data protection compliance obligations, meeting the expectations of data subjects and stakeholders, safeguarding data against attacks and threats…
This session will address different topics such as:
- How to establish the appropriate data governance organizational model (Centralized, Distributed or Hybrid)
- Composition of the privacy team
- Defining the role and responsibilities of each team member and required professional competences
- Establish/endorse the measurement of professional competences
- Hierarchical structure (under legal, or IT, or other departments)
- …
Session 3: Building a demonstrable compliant privacy programme
Session 3: Building a demonstrable compliant privacy programme; a step-by-step approach: Where to start?
Andreea Lisievici, Head of Data Protection Compliance, Boeing
Ralph O'Brien, Principal, REINBO Consulting
- Defining the scope of the privacy program and taking an accountability approach to compliance
- Identification of the types of personal data collected and the manner in which it is processed
- Identification of the relevant privacy and data protection laws and regulations applicable to an organisation taking into account storage, transfer and processing of personal data
- Data processing inventory and Register
- Data Protection Impact Assessments
- Contracts and agreements
- Internal policies and procedures
Session 4: ICT and Data Protection Contract Management
Session 4: ICT and Data Protection Contract Management: Drafting, Negotiating & Managing ICT and Data Protection Agreements
Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University
This session provides participants with all the necessary information to be able to review, understand and negotiate ICT and data protection contracts. The course covers the legal requirements under the GDPR, supplier selection/audit/monitoring and ongoing contract management to meet the relevant obligations.
Topics covered
- A Brief Introduction to Contracts, duties, obligations, liabilities/responsibilities and disputes resolutions and the GDPR
- Practical Aspects of ICT Contracts: peculiarities, main issues and how to address them, when and what to negotiate
- Data Protection Implications of ICT services: roles, responsibilities, respective duties and obligations and how to effectively address them, i.e., focus on data processing agreements, Formulation, Content and Considerations
- Data Processing Agreements (DPAs): controller and (sub-)processor obligations
- Joint-Controllership Agreements (JCAs)
- Data Management Agreements (DMAs)
- Data Transfer Mechanisms, EU Standard Contractual Clauses
- Ongoing Contract Compliance, Surveillance and Assurance
Session 5: Information Security Management and Data Protection
Session 5: Information Security Management and Data Protection: integrating the two risk-based approaches
Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University
Fernando Silva, Data Protection Administrative Manager at European Parliament
Protecting personal data through the implementation of industry-leading privacy and security controls and technology and data security risk assessment methodologies:
The following topics will be addressed in this session:
- Risk Assessment methodologies and the interplay between privacy-related and security-related risks
- Risk Assessment/Data Protection Impact Assessment in practice: Identification and evaluation of the risks for the data subjects and identification of appropriate mitigation measures. Focus on the Data Protection Impact Assessment (DPIA) methodologies.
Session 6: Measuring, monitoring and auditing programme performance
Ralph O'Brien, Principal, REINBO Consulting
This session will focus on best practices for monitoring, measuring, analysing and auditing privacy programme performance in an organisation. The accountability principle requires organisations to continuously monitor the compliance and effectiveness of privacy data governance policies, procedures, processes and technical security measures, and to periodically audit them by establishing specific data quality metrics in order to measure the success of data governance and establish a continuous improvement process. It will address key topics such as:
- How to define metrics and key performance indicators?
- Understanding the purpose of an Audit
- How to conduct an internal and external compliance audit with privacy and information security policies and standards?
- An overview of the different types of audit
- The Key Audit Principles
- Develop an Audit Plan: Defining the Scope of the Audit / Roles and responsibilities: Determining who should be present at the audit
- How to align the organisation privacy operations to internal and external compliance audit?
- How to audit data quality and communicate audit findings with the board and stakeholders?
- Presenting the findings of an Audit
Session 7: Reporting to the Board/Management on data protection compliance: What, Why, How?
Cosimo Monda, Director, European Centre on Privacy and Cybersecurity, Maastricht University
Andreea Lisievici, Head of Data Protection Compliance, Boeing
This session will focus on what, how, from whom and when reporting on privacy compliance, progress on privacy initiatives and privacy programme key performance indicators can be done effectively, in a way the board understands.
It will address different topics such as:
- How to develop a communications plan to notify the management board?
- How to manage the work generated by privacy teams (project plans, policies, processes and reports).
- How to make sure that key compliance obligations are being effectively addressed.
- How to demonstrate to internal stakeholders, data subjects and partners that you have a comprehensive privacy programme.