Topics

• · GDPR in a Nutshell
• · Generate Customer Confidence
• · Focus of GDPR
• · What is Personal Information?
• · Who has PII?
• · Lawful Processing of Personal Data

Topics

• · Introduction
• · Scope
• · UK ICO’s View of the Scope
• · Processing GDPR Definition
• · Who Processes PII?
• · What is Special Data?
• · Legal Framework
• · Timeline and Derogations
• · Some Key Areas for Derogation
• · Data Breaches/Personal Data Breach
• · Consequences of Failure
• · Governance Framework

Topics

• · Key Roles
• · Data Set
• · Subject Access Request (SAR)
• · Data Protection Impact Assessments (DPIA)
• · What Triggers a Data Protection Impact Assessment?
• · DPIA is Not Required
• · Processes to be Considered for a DPIA
• · Responsibilities
• · DPIA Decision Path
• · DPIA Content
• · How Do I Conduct a DPIA?
• · Signing Off the DPIA
• · Mitigating Risks Identified by the DPIA
• · Privacy by Design and Default
• · External Transfers
• · Profiling
• · Pseudonymization
• · Principles, User Rights, and Obligations
• · One Stop Shop

Topics

• · Parts of the GDPR
• · Format of the Articles
• · Articles

Topics

• · Introduction
• · Legality Principle
• · How the Permissions Work Together?
• · Lawfulness of Processing Conditions
• · Lawfulness for Special Categories of Data
• · Criminal Offence Data
• · Consent
• · Transparency Principle
• · Fairness Principle
• · Rights of Data Subjects
• · Purpose Limitation Principle
• · Minimization Principle
• · Accuracy Principle
• · Storage Limitation Principle
• · Integrity and Confidentiality Principle
• · Accountability Principle

Topics

• · Demonstrating Compliance with the GDPR
• · Impact of Compliance Failure
• · Administrative Fines
• · What Influences the Size of an Administrative Fine?
• · Joint Controllers
• · Processor Liability Under GDPR
• · Demonstrating Compliance
• · Protecting PII is Only Half the Job
• · What must be Recorded?
• · Additional Ways of Demonstrating Compliance
• · Demonstrating a Robust Process
• · PIMS (Personal Information Management System)
• · Cyber Essentials
• · ISO 27017 Code of Practice for Information Security Controls
• · Risk Management

Topics

• · What is a Personal Data Breach?
• · Notification Obligations
• · What Breaches Do I Need to Notify the Relevant Supervisory Authority About?
• · What Information Must Be Provided to the SA?
• · How do I Report a Breach to the SA?
• · Notifying Data Subjects
• · What Should I do to Prepare for Breach Reporting?
• · Updating Policies and Procedures
• · Breach Reporting and Responses
• · Ways to Minimize the Breach Impact

Topics

• · What does the GDPR Makes Businesses Responsible For?
• · Difference Between a Data Controller and a Data Processor
• · How the Roles Split?
• · Controllers and Processors
• · Main Obligations of Data Controllers
• · Demonstrate Compliance
• · Joint Controllers and EU Representative
• · Controller-Processor Contract
• · Maintain Records and Keeping Records for Small Businesses
• · Cooperation with Supervisory Authorities
• · Keeping PII Secure
• · Data Breach Transparency
• · Role of the Data Processor
• · Controller-Processor Contract
• · Main Obligations of the Processor
• · Perform Only the Data Processing Defined by the Data Controller
• · Update the Data Controller
• · Sub-Process or Appointment
• · Keep PII Confidential
• · Maintaining Records
• · Cooperate with Supervisory Authorities
• · Security
• · Appoint a DPO – If Necessary
• · Transferring Data Outside the EU

Topics

• · Role of a Data Protection Officer
• · Involvement of the DPO
• · Main Responsibilities of the DPO
• · Working Environment for the DPO
• · Must We Have A DPO?
• · Public Body
• · What does Large Scale mean?
• · Systematic Monitoring
• · Who Can Perform the Role of DPO?
• · Skills Required
• · Monitoring Compliance
• · Training and Awareness
• · Data Protection Impact Assessments (DPIAs)
• · Risk-Based Approach
• · Business Support for the DPO
• · DPO Independence
• · DPO – Conflict of Interest

Topics

• · Key Differences Between the Data Protection Act and the GDPR
• · Highlights from the Data Protection Bill
• · Definition of Controller
• · Health, Social Work, Education, and Child Abuse
• · Age of Consent
• · Exemptions for Freedom of Expression
• · Research and Statistics
• · Archiving in the Public Interest

Topics

• · Specific Permission
• · Privacy by Design
• · Data Portability
• · Right to be Forgotten
• · Definitive Consent
• · Information in Clear Readable Language
• · Limits on the Use of Profiling
• · Everyone Follows the Same Law
• · Adopting Techniques

Topics

• · Subject Access Requests (SAR)
• · Dealing with SAR
• · Recognize the Request
• · Understand the Time Limitations
• · Dealing with Fees and Excessive Requests
• · Identify, Search, and Gather the Requested Data
• · Learn about What Information to Withhold
• · Developing and Sending a Response

Topics

• · Must I Always Obey a Right?
• · Rights and Third Parties
• · Requests Made on Behalf of Other Data Subjects
• · Guidelines for Children's Maturity
• · Responding to a Rights Request
• · What is a Month?
• · Rights Request Flow Chart
• · Right to be Informed
• · When Should Information Be Provided?
• · Best Practice Guidance
• · Right of Access
• · Right to Rectification
• · Right to Erasure
• · When can I Refuse to Comply with a Request for Erasure?
• · Erasing Children's Data
• · Right to Restrict Processing
• · When Processing Should be Restricted?
• · Protecting PII
• · Other Issues about Restricting Processing
• · Right to Data Portability
• · Right to Object
• · Complying with the Right to Object
• · Rejecting the Right to Object
• · Processing for Direct Marketing Purposes
• · Processing for Research Purposes
• · Rights Related to Automated Decision Making and Profiling
• · When does the Right not apply?

Topics

• · Provenance
• · Overview: SARs
• · SAR is an Activity, Not a Title
• · How can a SAR be Submitted?
• · What Information Should the Response to a SAR Contain?
• · Additional Information
• · Replying to a SAR
• · Confirming a Data Subject’s Identity
• · Scope
• · Electronic Records
• · Non-Electronic Records
• · SARs Involving 3rd Party PII
• · Fees
• · Refusing a Subject Access Request
• · Access Requests from Employees
• · Credit Reference Agencies
• · Best Practice for SARs

Topics

• · Lawful Processing: A Reminder
• · User Rights Change Depending on the Justification
• · Lawfulness of Processing Conditions
• · Lawfulness for Special Categories of Data
• · UK ICO Tool
• · Consent
• · Key Points About Consent
• · Affirmative Action and Explicit Consent
• · Introduction of Affirmative Action
• · What is Not Affirmative Action?
• · Examples of Affirmative Action from the ICO
• · Introduction of Explicit Consent
• · Explicit Statement
• · Obtaining Explicit Consent
• · ICOs View of a Poor Form of Explicit Consent
• · Obtaining Consent for Scientific Research Purposes
• · Getting Consent
• · What Should Go into the Consent Request?
• · Consent Granularity
• · Right to Withdraw Consent
• · Children
• · Consent Records
• · ICOs Examples of Record Keeping
• · Key Points When Establishing Consent
• · Legitimate Interests
• · Getting the Balance Right
• · Consent or Legitimate Interest?
• · What Lawful Basis Can be Used for Processing Marketing PII?

Topics

• · Cross Border Transfers
• · Transfer Mechanisms
• · Derogations
• · Adequacy
• · Adequate Ways to Safeguard Transfers of PII
• · Consent
• · One-Off or Infrequent Transfers
• · Who is Responsible?
• · Transferring PII Between EEA Members
• · Adequate Countries Outside of the EEA
• · Binding Corporate Rules (BCR)
• · What a BCR Must Cover?
• · Authorization for BCRs
• · EU-US Privacy Shield
• · Privacy Shield Overview
• · Privacy Shield: Mechanics
• · Model Clauses
• · Public Authority Agreements

Topics

• · Need to Secure
• · What is Appropriate?
• · Protecting PII – 3 Key Areas
• · Coverage
• · Defensive Design
• · Single Point of Failure (SPOF)
• · Incident Response
• · Data Breach Reporting Requirements
• · Incident Response Team

Topics

• · Introduction
• · What Triggers a Data Protection Impact Assessment?
• · Cases Where DPIA is Not Required
• · Benefits of DPIA
• · Processes to be Considered for a DPIA
• · Responsibilities
• · DPIA Decision Path
• · DPIA Content
• · How Do I Conduct A DPIA?
• · Signing Off the DPIA
• · Mitigating Risks Identified by the DPIA

Topics

• · Overview
• · Need-Want-Drop: Concept Diagram
• · Need-Want-Drop: Categorizing Data
• · Need/Want/Drop Methodology

Topics

• · What is Cloud Computing?
• · Myths of Cloud
• · Cloud Challenges
• · Controller-Processor Contract
• · Checklist
• · Data Controller - Summary

Topics

• · Brexit and its Impact on the GDPR
• · Adequacy
• · What does this Mean in Practice?
• · EU and UK Representatives
• · Exemption Rule
• · One-Stop Shop

Topics

• · Lawful, Fair, and Transparent Processing
• · Limitation of Purpose, Data and Storage
• · Data Subject Rights
• · Consent
• · Personal Data Breaches
• · Privacy by Design
• · Data Protection Impact Assessment
• · Data Transfers
• · Data Protection Officer
• · Awareness and Training

Topics

• · Lawfulness, Fairness, and Transparency
• · Purpose Limitation
• · Data Minimization
• · Accuracy
• · Storage Limitation
• · Integrity and Confidentiality

Topics

• · Common Data Security Failures
• · Consequences
• · Fines Relating to Data Breaches
• · Litigation from Customers Relating to Data Breaches
• · Directors, Officers, and Professional Advisors
• · Reputational Damage
• · Lesson Learned
• · Knowing When and How to Communicate with Affected Individuals is Not Easy
• · GDPR is Important, as are Other Legal Frameworks