GDPR Compliance Online Course

- Exercise: Key definitions
- Exercise: Data processing
- Exercise: Lawful basis
- Exercise: Rights
- Exercise: Compliance measures
- Exercise: Breaches

- Multi-choice questions to assess existing knowledge

- Dashboard view of training needs in 10 key topics

- What are the key principles
- Can we process personal information for another purpose?
- How can we meet the data minimisation principle?
- Does this meet the accuracy principle?
- Does this violate the storage limitation principle?
- How can we be more proactive when it comes to security?
- Best practice and the six principles of data processing

- What are Individual Rights?
- How should we meet the right to be informed?
- What is the right of access?
- Do we need to fulfil this request?
- When requests are refused or the time is extended
- What other rights do individuals have under the GDPR?
- Is the right to rectification justified?
- When does the right of erasure apply?
- Does the right of erasure apply in this case?
- When does the right to restrict processing apply?
- What other rights do individuals have under the GDPR?
- What rights do you have to stop marketing?
- Can we make solely automated decisions with a legal or significant impact on individuals?
- What is the right to data portability?
- Best practice and individual rights

- What is the lawful basis?
- Why is lawful basis important?
- The six lawful bases
- Relying on consent
- When might we rely on contract?
- You decide: What lawful basis applies in this case?
- Can the company share our personal data?
- Can we rely on contract for this purpose?
- Other obligations in respect of lawful basis
- When is legitimate interests appropriate?
- When we use consent as the lawful basis
- Can we switch the basis from consent to legitimate interests?
- The link between lawful basis and individual rights
- Best practice on the lawful basis for processing personal data

- What is a legitimate interest?
- When might individual interests override Company interests?
- When the interests of the Company and individuals collide
- The Legitimate Interests Assessment (LIA)
- Sophie's story: The purpose test
- Sophie's story: The necessity test
- Sophie's story: The balancing test
- Meeting the GDPR principles
- Individual rights when relying on legitimate interests
- Documenting and reviewing your LIA
- Best practice for using legitimate interests

- What is consent?
- Do we always need consent?
- Is consent the gold standard?
- When do we need consent?
- What constitutes valid consent?
- Can we automatically enrol website visitors?
- Consent can't be bundled with another action
- Consent by default?
- Does consent always require an opt-in box?
- How should we obtain consent?
- How long does the consent last?
- Right to withdraw consent
- Best practice in obtaining consent

- What is special category data?
- Is it special category data?
- Collecting special category data
- Conditions for processing special category data
- What separate condition would apply in this case?
- Conditions for processing special category data
- What is the condition for substantial public interest?
- Safeguarding special category data
- How should we protect special category data?
- What more can we do to protect special category data?
- Best practice and special category data

- The impact of data breaches
- Do we always need to report breaches?
- Informing individuals
- Recognising data breaches
- Informing relevant people
- What information is required for a breach notification to the ICO?
- What if we don't have all the information yet?
- Assessing the impact on individuals affected by a data breach
- Do the affected individuals need to be informed?
- Data breaches and third parties
- Accountability
- Documentation
- Best practice and personal data breaches

- What are restricted transfers?
- Checklist for restricted transfers
- Is it a restricted transfer?
- Adeel's bookings
- What's the difference between transfer and transit?
- How can you make a restricted transfer in accordance with the GDPR?
- Is there an "adequacy decision"?
- Can PNR data be shared outside the UK?
- Are there appropriate safeguards?
- What appropriate safeguards are in place?
- What are the main exceptions?
- Do you know what exception applies here?
- Best practice and international transfers

- What does accountability mean in data protection?
- How do we demonstrate accountability?
- Good Governance Measures 1-3
- Who needs a DPO?
- Good Governance Measures 4-5
- When do we need to conduct a DPIA?
- How can we mitigate risks?
- Good Governance Measures 6-8
- Checklist
- Best practice in accountability and governance

- When do you need a DPIA?
- Benefits of conducting a DPIA
- How to conduct a DPIA
- Exercise: When is a DPIA required?
- Scenario: CCTV data
- The risk of CCTV
- The legal basis for CCTV
- The necessary criteria for CCTV
- CCTV in the workplace
- The impact of CCTV on privacy
- Best practice for DPIAs