Programme

Session 1: Data Protection Culture and Data Protection Models

Session 2: Data governance models: which model to choose and how best to create and organise your data protection team (purpose and structure)

Trainers
 Andreea Lisievici, Head of Data Protection Compliance, Boeing
 Ralph O'Brien, Principal, REINBO Consulting

This session will focus on how to establish the most appropriate data governance model, framework and tools, and will showcase best practices in privacy data governance. It will also cover the structure of a data protection team, including roles, responsibilities and reporting lines, so that the team is aligned with the organisation's data protection strategy. In this respect the experts will address the key responsibilities of a data protection team, such as meeting regulatory data protection compliance obligations, meeting the expectations of data subjects and stakeholders, safeguarding data against attacks and threats…

This session will address different topics such as:

  • How to establish the appropriate data governance organisational model (centralised, distributed or hybrid)
  • Composition of the privacy team
  • Defining the role and responsibilities of each team member and the required professional competences
  • Establishing/endorsing the measurement of professional competences
  • Hierarchical structure (under legal, IT or other departments)

Session 3: Building a demonstrably compliant privacy programme; a step-by-step approach: where to start?

Trainers
 Andreea Lisievici, Head of Data Protection Compliance, Boeing
 Ralph O'Brien, Principal, REINBO Consulting

  • Defining the scope of the privacy programme and taking an accountability approach to compliance
  • Identification of the types of personal data collected and the manner in which they are processed
  • Identification of the privacy and data protection laws and regulations applicable to an organisation, taking into account the storage, transfer and processing of personal data
  • Data processing inventory and register
  • Data Protection Impact Assessments
  • Contracts and agreements
  • Internal policies and procedures

Session 4: ICT and Data Protection Contract Management: drafting, negotiating and managing ICT and data protection agreements

Trainer
 Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University

This session provides participants with the information they need to review, understand and negotiate ICT and data protection contracts. It covers the legal requirements under the GDPR, supplier selection, audit and monitoring, and ongoing contract management to meet the relevant obligations.

Topics covered

  • A brief introduction to contracts, duties, obligations, liabilities/responsibilities and dispute resolution, and the GDPR
  • Practical aspects of ICT contracts: peculiarities, main issues and how to address them, when and what to negotiate
  • Data protection implications of ICT services: roles, responsibilities, respective duties and obligations and how to address them effectively, with a focus on data processing agreements: formulation, content and considerations
  • Data Processing Agreements (DPAs): controller and (sub-)processor obligations
  • Joint-Controllership Agreements (JCAs)
  • Data Management Agreements (DMAs)
  • Data transfer mechanisms, including the EU Standard Contractual Clauses
  • Ongoing contract compliance, surveillance and assurance

Session 5: Information Security Management and Data Protection: integrating the two risk-based approaches

Trainers
 Paolo Balboni, Professor of Privacy, Cybersecurity and IT Contract Law, Maastricht University
 Fernando Silva, Data Protection Administrative Manager at the European Parliament

This session covers protecting personal data through the implementation of industry-leading privacy and security controls and technology, together with data security risk assessment methodologies.

The following topics will be addressed in this session:

  • Risk assessment methodologies and the interplay between privacy-related and security-related risk
  • Risk assessment/Data Protection Impact Assessment in practice: identification and evaluation of the risks to data subjects and identification of appropriate mitigation measures, with a focus on Data Protection Impact Assessment (DPIA) methodologies

Session 6: Measuring, monitoring and auditing programme performance

Trainer
 Ralph O'Brien, Principal, REINBO Consulting

This session will focus on best practices for monitoring, measuring, analysing and auditing privacy programme performance in an organisation. The accountability principle requires organisations to continuously monitor compliance with, and the effectiveness of, privacy data governance policies, procedures, processes and technical security measures; to audit them periodically; to establish specific data quality metrics that measure the success of data governance; and to run a continuous improvement process. It will address key topics such as:

  • How to define metrics and key performance indicators
  • Understanding the purpose of an audit
  • How to conduct internal and external compliance audits against privacy and information security policies and standards
  • An overview of the different types of audit
  • The key audit principles
  • Developing an audit plan: defining the scope of the audit; roles and responsibilities: determining who should be present at the audit
  • How to align the organisation's privacy operations with internal and external compliance audits
  • How to audit data quality and communicate audit findings to the board and stakeholders
  • Presenting the findings of an audit

Session 7: Reporting to the Board/Management on data protection compliance: What, Why, How?

Trainers
 Cosimo Monda, Director, European Centre on Privacy and Cybersecurity, Maastricht University
 Andreea Lisievici, Head of Data Protection Compliance, Boeing

This session will focus on what, how, by whom and when reporting on privacy compliance, progress on privacy initiatives and privacy programme key performance indicators can be done effectively, in a way the board understands.

It will address different topics such as:

  • How to develop a communications plan for reporting to the management board
  • How to manage the work generated by privacy teams (project plans, policies, processes and reports)
  • How to make sure that key compliance obligations are being effectively addressed
  • How to demonstrate to internal stakeholders, data subjects and partners that you have a comprehensive privacy programme