GET Ready for GDPR

One-off Payment * Lifetime License * No Annual Fees


About

This course is designed and delivered in collaboration with Martin de Bruin, a recognised industry expert with over 20 years’ experience in data protection, information governance and information security. It aims to provide every individual within your company with the fundamental knowledge they require, and to prove that they understand the requirements of the legislation.

As a foundation course it can be seen as the first step towards practitioner level training for those individuals with more senior data processing responsibilities.

We have managed to compress a 7 hour long GDPR Foundation course into 1 hour of engaging content, case studies and quizzes.


Key Points

Total Data Protection

Global Applicability – applies to organisations anywhere that control or process EU citizen data.

Applies Equally Around EU

As a regulation, the GDPR is directly effective, and does not leave room for jurisdictional interpretation of all its rules.

Legislation with teeth

For Irish organisations, this is a whole new world. The current Data Protection Act lacks the teeth to really punitively affect wrongdoers. New powers will be given to the Data Protection Commissioner to impose fines to a maximum of 4% of turnover/€20 million.

Risk Based Approach

The fundamental rights and freedoms of individuals to privacy must be balanced against the operations of the organisation. Risk Assessments and in-built privacy considerations are to factor in every new approach taken by organisations.

Organisational Accountability

The requirements for Data Protection Officers, Mandatory Breach Reporting and documenting compliance place the onus on data controllers and processors to prove they are taking individuals’ fundamental rights seriously.

Long Overdue

Privacy has never been so challenged and technology has never been so advanced. Legislators are finally catching up!


Training

Are you prepared for the GDPR?
Here are 12 steps to help you take action now

Awareness

Ensure that all decision makers and key people in your business are aware that the law is changing to the GDPR. It’s important you make them aware of the impact this may have on your business.

Information

It is important to document any personal data you hold, including where it came from and whom you share it with. Consider organising an information audit.

Communicating privacy information

Review your current privacy notices and implement a plan for making any necessary changes to them in time for GDPR implementation.

Individuals’ rights

Evaluate your procedures to confirm they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests

Update your procedures and implement a plan for how you will handle requests within the new timescale and provide any additional information.

Legal basis for processing personal data

Analyse the various types of data processing you carry out as a business and identify your legal basis for carrying it out and document it.

Consent

Carry out an audit of how you seek, obtain and record consent. It is important you understand this in order to make any changes to the process.

Children

Consider implementing a system to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Data breaches

Make sure you have the necessary measures in place to detect, report and investigate a personal data breach.

Data Protection Impact

Ensure you conduct an impact assessment within your business; this will ensure you can deliver the required changes in time for GDPR.

Data Protection Officers

Designate a Data Protection Officer to be accountable for data protection compliance. Consider the position of this role within your business structure and governance arrangements.

International

If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.


FAQ

Find the answers to the most frequently asked questions


‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


You must implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

You should look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business.


The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. You must determine your condition for processing special category data before you begin this processing under the GDPR, and you should document it.


The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.


An organisation must conduct an extensive audit of the data flows in order to prepare for the GDPR. This can include the type of data held, where it is stored, who the owner of the data is, who can access the data, and with whom the data is shared. An audit is helpful in letting the organisation know where the Personally Identifiable Information (PII) is located.


The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You should ensure you have robust breach detection, investigation and internal reporting procedures in place.


The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.


Data Classification places a key identifier on your assets and helps raise awareness to the end user. It ensures the correct handling and monitoring of sensitive information both in and outside of a business, a critical aspect when it comes to protecting the most valuable data.

Statistics indicate that anything up to 70% of unstructured data on a network could be considered ‘ROT-ten’ (Redundant, Obsolete or Trivial). By only storing what you need to, for as long as you need to, you will reduce your storage costs, which is also a key consideration under GDPR. Removing what you don’t need can also lead to better indexing, faster access and quicker recovery times. Reducing what you store can also reduce your risk. After all, if you don’t have it, it can’t be stolen!


The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.


Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice. Information must be provided without delay and at the latest within one month of receipt.



An effective solution to your GDPR challenge is to leverage automation to provide the “big picture” risk information that helps management understand the compliance risk “hot spots.” GDPR is the call to arms for many organisations to upgrade to modern third-party risk management (TPRM) platforms, which provide the ability to cost-effectively scale the assessment of third parties for GDPR compliance, track remediation and provide executive-level reporting.


Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

Do you have any questions?

We’ve got you covered!