Programme

Session 1: Data Protection Culture and Data Protection Models

Session 2: Data governance models

Session 2: Which data governance model and how to best create and organize your data protection team purpose and structure

Trainers
  Andreea Lisievici, Head of Data Protection Compliance, Boeing
  Paul Breitbarth, Senior Visiting Fellow ECPC, Data Protection Lead at Catawiki

This session will focus on how to establish the most appropriate data governance model, framework and tools, showcasing best practices in the field of privacy data governance. Moreover, the session will focus on the structure of a data protection team, including roles, responsibilities and reporting structure, in order to align with the organisation's data protection strategy. In this respect, the experts will address the key responsibilities of a data protection team, such as meeting regulatory data protection compliance obligations, meeting the expectations of data subjects and stakeholders, and safeguarding data against attacks and threats…

This session will address different topics such as:

  • How to establish the appropriate data governance organizational model (Centralized, Distributed or Hybrid)
  • Composition of the privacy team
  • Defining the role and responsibilities of each team member and required professional competences
  • Establish/endorse the measurement of professional competences
  • Hierarchical structure (under legal, or IT, or other departments)

Session 3: Building a demonstrably compliant privacy programme

Session 3: Building a demonstrably compliant privacy programme; a step-by-step approach: Where to start?

Trainers
  Andreea Lisievici, Head of Data Protection Compliance, Boeing
  Paul Breitbarth, Senior Visiting Fellow ECPC, Data Protection Lead at Catawiki

  • Defining the scope of the privacy program and taking an accountability approach to compliance
  • Identification of the types of personal data collected and the manner in which it is processed.
  • Identification of the relevant privacy and data protection laws and regulations applicable to an organisation taking into account storage, transfer and processing of personal data
  • Data processing inventory and Register
  • Data Protection Impact Assessments
  • Contracts and agreements
  • Internal policies and procedures

Session 4: ICT and Data Protection Contract Management

Session 4: ICT and Data Protection Contract Management: Drafting, Negotiating & Managing ICT and Data Protection Agreements

Trainer
  Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University

This session provides participants with all the necessary information to be able to review, understand and negotiate ICT and data protection contracts. The course covers the legal requirements under the GDPR, supplier selection/audit/monitoring and ongoing contract management to meet the relevant obligations.

Topics covered

  • A brief introduction to contracts, duties, obligations, liabilities/responsibilities, dispute resolution and the GDPR
  • Practical aspects of ICT contracts: peculiarities, main issues and how to address them, when and what to negotiate
  • Data protection implications of ICT services: roles, responsibilities, respective duties and obligations and how to address them effectively, with a focus on data processing agreements (formulation, content and considerations)
  • Data Processing Agreements (DPAs): controller and (sub-)processor obligations
  • Joint-Controllership Agreements (JCAs)
  • Data Management Agreements (DMAs)
  • Data transfer mechanisms, including the EU Standard Contractual Clauses
  • Ongoing contract compliance, surveillance and assurance

Session 5: Information Security Management and Data Protection

Session 5: Information Security Management and Data Protection: integrating the two risk-based approaches

Trainer
  Fernando Silva, Data Protection Administrative Manager at European Parliament

This session covers protecting personal data through the implementation of industry-leading privacy and security controls and technology, and through data security risk assessment methodologies.

The following topics will be addressed in this session:

  • Risk assessment methodologies and the interplay between privacy-related and security-related risks
  • Risk assessment and Data Protection Impact Assessment in practice: identification and evaluation of the risks for the data subjects and identification of appropriate mitigation measures, with a focus on Data Protection Impact Assessment (DPIA) methodologies

Session 6: Measuring, monitoring and auditing programme performance

Session 6: Measuring, monitoring and auditing programme performance, and reporting to the board

Trainer
  Andreea Lisievici, Head of Data Protection Compliance, Boeing

This session will focus on best practices for monitoring, measuring, analyzing and auditing privacy programme performance in an organisation. The accountability principle requires organisations to continuously monitor the compliance and effectiveness of privacy data governance policies, procedures, processes and technical security measures, to audit them periodically by establishing specific data quality metrics that measure the success of data governance, and to establish a continuous improvement process. It will address key topics such as:

  • How to define metrics and key performance indicators
  • Understanding the purpose of an audit
  • How to conduct an internal and external compliance audit against privacy and information security policies and standards
  • An overview of the different types of audit
  • The key audit principles
  • Developing an audit plan: defining the scope of the audit, roles and responsibilities, and determining who should be present at the audit
  • How to align the organisation's privacy operations with internal and external compliance audits
  • How to audit data quality and communicate audit findings to the board and stakeholders
  • Presenting the findings of an audit

The course will close with a session on:

Reporting to the Board/Management on data protection compliance: What, Why, How?

ECPC-M examination

In order to obtain the ECPC-M Privacy Management Certification, participants need to pass an exam. This is part of the programme and takes place on Friday afternoon. Examination details are explained in the menu tab 'ECPC-M examination'.