Type: Webinar
CPD Hours: 5.00
Level: Introduction
SRA Competency B

Introduction

This webinar series of 10 x 30 minute modules presented by Robert Bond will explore the GDPR in detail.

The modules will consider lawful grounds for processing through to international data transfers.

Module 1 - Introduction to the EU GDPR and the UK GDPR (the ‘GDPRs’)

Nearly 3 years ago the EU General Data Protection Regulation (GDPR) came into force. With its impact on EU controllers and processors, its extraterritorial application, increased data subject rights and greater enforcement and fines, businesses rushed to put compliance programmes in place. Businesses of all sizes are still grappling with the practical aspects of compliance. Post Brexit the UK continues to abide by the EU GDPR but has recast it as the UK GDPR alongside the Data Protection Act 2018.

This module will examine key aspects of the GDPRs and will include:

  • Definitions
  • Applicability
  • Principles
  • Grounds for processing
  • Data subject rights
  • Enforcements and fines

Module 2 - Data Protection Principles

The GDPRs reflect the data protection principles in a slightly new way, introducing concepts of ‘transparency’ and ‘accountability’. Failure to follow the principles is a breach of the GDPRs and can lead to enforcement, fines and claims for compensation. Understanding how the principles need to be followed and promulgated through policies, procedures and training is important.

This module will cover:

  • Overview of the principles
  • Fair and lawful processing and transparency
  • Accountability
  • International data transfer
  • Data subject rights
  • Data security

Module 3 - Lawful Grounds for Processing

In order to legally process personal data the business needs to establish one or more lawful grounds for processing. Whilst the GDPRs raise the bar regarding consent, it is not the only ground for processing personal data.

This module will look at the six grounds for processing and highlight:

  • The six lawful grounds for processing
  • Consent vs the other grounds
  • How to use legitimate interest legitimately
  • When to inform individuals of the grounds for processing
  • Where to record the lawful grounds
  • The interface between the lawful grounds and data subject rights

Module 4 - Data Subject Rights

Under the GDPRs individuals have a range of rights, from information and access to portability, erasure, rectification, objection and compensation. There are strict timelines in which to respond to data subject requests and a limited but important number of exemptions.

This module will cover:

  • Right to information
  • Right of access
  • Right of erasure and restriction
  • Right to object
  • Right to compensation
  • Right to exemptions

Module 5 - Managing Data Incidents

It is not a matter of if but when a data breach will happen. Not all data incidents are reportable data breaches but they are all an issue to be planned for. Data incidents may be the result of internal or external actions or inactions. Preparing for and responding to data incidents are as important as preventing them.

This module will cover:

  • Examples of internal and external threats
  • How to minimise risks
  • Internal and external due-diligence
  • Reporting an incident
  • The cost of non-compliance

Module 6 - International Data Transfers

The GDPRs restrict transfer of personal data from the EU (and the EEA) to countries that do not adequately protect the rights of individuals. In July 2020 the decision in Schrems II by the European Court of Justice struck down Privacy Shield and also highlighted the obligation to assess adequacy in data transfer arrangements. Apart from consent, contractual necessity and other limited exceptions, transfers have to be controlled by approved solutions including Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC).

This module will address the latest news on:

  • SCC
  • BCR
  • Codes of Conduct
  • Seals and certifications
  • Post Schrems II and Brexit issues

Module 7 - Data Protection Impact Assessments and Data Protection by Default

Data Protection Impact Assessments (DPIAs) and Data Protection by Default are key requirements of the GDPRs. DPIAs are mandatory in a number of cases. Data Protection by Default and Design is a prerequisite to compliance with the GDPRs.

This module will advise on how to adhere to data protection by default and how and when to use a DPIA and will cover:

  • Implementing Data Protection by Design and Default
  • What is a DPIA
  • When to use a DPIA
  • Who should be involved in a DPIA
  • How to develop a DPIA

Module 8 - Data Processing and Data Sharing Agreements

Although processors are subject to certain aspects of the GDPRs, it is the controller that bears most responsibility and liability for compliance - in particular the contractual requirements when using a processor. When there are joint controller situations both parties need to contractually control their respective duties.

This module will discuss:

  • Processor obligations
  • Controller obligations
  • Joint controller agreement
  • Due diligence issues

Module 9 - ePrivacy and Cookies

The ePrivacy Directive, PECR and the draft ePrivacy Regulation are important issues when addressing data protection compliance. The use of first party and third party cookies as well as location data is a key component of the digital world, but data protection authorities have been focussing their attention on the topics of transparency and permissions when cookies and tracking are used.

This module will cover:

  • The current legal regime
  • Cookies and similar technology
  • The advice from the regulators
  • Recent case law
  • Future developments

Module 10 - The GDPRs vs Other Global Data Protection Laws

Since the EU GDPR came into force other jurisdictions have been either upgrading their data protection laws or creating new data protection regimes.

This module will examine global data protection laws and compare them with the GDPRs and will cover:

  • Developments in the USA
  • Developments in South America
  • Developments in Africa
  • Developments in the Middle East
  • Developments in the APEC region

This webinar was recorded on 19th October 2020
