Privacy Executive week

Courses (Week 1), with duration:

  • Data Protection Contract Management: Drafting, Negotiating and Managing Data Protection related contracts/clauses (1 day)
  • Auditing GDPR: Demonstrating ongoing compliance (1 day)
  • Data Breach Management: Prevention, Detection, Mitigation, Notification to the Supervisory Authority and Communication to the Data Subjects (1 day)
  • Data Protection Impact Assessment (DPIA), Security Risk Assessment & Data Protection by Design: Assessing and Designing Compliant Data Processing (1 day)
  • Cloud Computing: Managing Data Protection Compliance, Risks, and Accountability (1 day)

Data Protection Contract Management

Drafting, Negotiating and Managing Data Protection related contracts/clauses

In this course, the data protection implications of the most common IT contracts are analysed, the duties and obligations of the parties involved are identified, and guidance is provided on how to address them correctly in the related data protection agreements and clauses.

The following questions are addressed:

  • How is an IT contract commonly structured?
  • What are the data protection implications of the IT services analysed?
  • Actors, roles and responsibilities: who is involved and who is responsible for what?
  • Should you conduct a preliminary Data Protection Impact Assessment?
  • How to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk?
  • How to comply with the principles of Data Protection by Design and by Default?
  • Who should keep the record of processing activities and how?
  • How to deal with possible personal data breaches?
  • How to identify issues in IT contracts?
  • How to deal with limitation of liability, hold harmless, and indemnity clauses?
  • How to negotiate appropriate data processing agreements/data protection clauses?
  • How to draft robust data processing agreements/data protection clauses?
  • How to regulate contractual and data protection-related disputes?

Auditing GDPR

Demonstrating ongoing compliance

Demonstrating ongoing compliance with the EU General Data Protection Regulation is a key requirement of the regulation. Our Auditing GDPR course will provide you with the knowledge, skills, and tools that you need to meet this requirement.

The course will cover the following key aspects:

  • Understanding the purpose of an audit
  • The key principles for auditing
  • Developing an audit plan
  • How to conduct an audit
  • Auditing techniques and approaches
  • Auditing technical and IT controls with regard to the GDPR
  • Auditing physical controls with regard to the GDPR
  • Presenting the findings of an audit

The course will be presented by experienced experts in the areas of GDPR and audit, using Maastricht University's well-known Problem Based Learning methodology.

Data Breach Management

Prevention, Detection, Mitigation, Notification to the Supervisory Authority and Communication to the Data Subjects 

Practical guidelines on how to manage data breaches in terms of: prevention, investigation, documentation, notification to the competent supervisory authority and communication to the data subjects under the EU General Data Protection Regulation (GDPR).

Building on practical experience of data breaches, this course provides insights on how to handle one of the most complex, stressful and highest-risk situations an organisation can face. Specific attention will be dedicated to how to prepare correctly and effectively for a data breach: having data breach management policies and procedures in place which specifically deal with prevention, detection, mitigation, notification to the competent supervisory authority and, as the case may be, communication of a breach to the data subjects. The following questions are addressed:

  • What is a data breach?
  • How to prevent a data breach?
  • How to detect a data breach?
  • How to document a data breach?
  • How to mitigate the effects of a data breach?
  • Who are the relevant people/functions in the organisation to involve in order to effectively manage data breaches?
  • What is the role of the Data Protection Officer in the management of a data breach?
  • How to evaluate whether the breach must be notified to the supervisory authority?
  • How to identify the competent supervisory authority to which the breach must be notified?
  • What is the timeline for notifying a data breach to the supervisory authority?
  • What information related to the data breach should be notified to the supervisory authority?
  • How should the notification to the supervisory authority be made?
  • How to evaluate whether the breach must be communicated to the data subjects?
  • What is the timeline for communicating the data breach to the data subjects?
  • What information related to the data breach should be communicated to the data subjects?
  • How should the communication to the data subjects be made?
  • How to draft effective data breach management policies and procedures?
  • How to learn from a data breach?

Data Protection Impact Assessment (DPIA)

Security Risk Assessment & Data Protection by Design: Assessing and Designing Compliant Data Processing

Practical guidelines on how to carry out a Data Protection Impact Assessment (DPIA), evaluate the security risks in an organisation and design data processing in compliance with the EU General Data Protection Regulation (GDPR).

This course provides practical methodologies and tools to conduct a DPIA and to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Moreover, it focuses on the key principle of data protection by design and by default and its practical application to the processing activities and technologies of an organisation. The following questions are addressed:

  • What is the practical meaning of the key data security concepts: confidentiality, integrity, availability?
  • What are personal data, pseudonymised data, and anonymised data?
  • What exactly does personal data processing mean? How exactly is a data subject defined?
  • What are effective techniques to anonymise personal data?
  • How to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk?
  • Actors, roles and responsibilities of the parties involved in the relevant data processing activities: who is involved and who is responsible for what?
  • What international information security risk management standards (e.g., ISO 27005) are available for performing a correct risk analysis?
  • What is a DPIA?
  • Actors, roles and responsibilities: who is involved and who is responsible for completing a DPIA?
  • When should you conduct a DPIA?
  • How to conduct a DPIA?
  • How to assess risks? How to quantify them and determine whether the risks are acceptable?
  • What appropriate remedial measures could be adopted to eliminate or mitigate the risks?
  • What DPIA records should be kept and in which format?
  • How to select/develop an effective DPIA procedure (templates, checklists etc.) for your organisation?
  • What are the core elements of the data protection-by-design/by default principle?
  • How to place data protection-by-design/by default in a legal and technical context (matching legal standards and technical requirements to gauge data protection-by-design/by default requirements, specifications, implementation, testing, deployment and maintenance)?
  • How to include data protection-by-design/by default in development cycles and how to embed it in the broader Data Protection Management Programme of your organisation?
  • The basics of data protection engineering and data protection-by-design/by default – or: how to communicate with IT on data protection?
  • What is the role of the Data Protection Officer in the evaluation of the security risks in an organisation, performance of a DPIA, and in the design of data processing activities in compliance with the GDPR?

Cloud Computing

Managing Data Protection Compliance, Risks, and Accountability

In this course, the data protection implications of cloud computing are specifically analysed, and practical insights on how to address compliance and demonstrate accountability in such a complex domain are shared with the participants.

The following questions are addressed:

  • How can cloud computing be defined?
  • How do cloud computing services work in practice (service models: IaaS, PaaS, SaaS; deployment models: public cloud, private cloud, hybrid cloud)?
  • What are the main data protection issues related to cloud computing?
  • What are the main contractual issues related to cloud computing?
  • What are the main provisions of the GDPR which need to be considered in the cloud computing domain?
  • What are the main documents issued by EU (data protection) authorities/institutions on personal data processing related to cloud computing?
  • Are there international standards/codes of conduct related to cloud computing and data protection compliance?
  • Introducing the Privacy Level Agreement [V3] Code of Conduct: A Compliance Tool for Providing Cloud Services in the European Union; how does it work and how can it be leveraged for assessing the compliance of cloud services with the GDPR?
  • How to deal with data breaches which involve a cloud service provider?
  • How to assure data subjects’ rights in the cloud, especially data portability, access, erasure (“right to be forgotten”), and restriction of processing?
  • How to deal with data transfers in the cloud computing domain?
  • Does cloud computing trigger the obligation to conduct a DPIA?
  • How to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by cloud computing?
  • How to monitor/control data processing in the cloud?
  • How to deal with Law Enforcement Authorities’ requests for disclosure of personal data in the cloud?
  • How to deal with data restitution/deletion in the cloud?
  • How to deal with ‘migration’ and ‘transfer back’ without losing control of the data in the cloud environment, and in compliance with the GDPR?
  • How to effectively regulate cloud computing services to assure compliance with the GDPR (e.g., data processing agreements, data protection clauses)?
  • Big data & analytics, cloud computing and the internet of things are converging to develop cutting-edge solutions: how to deal with compliance in complex, data-intensive environments?
