Sometimes with training your needs are more complex than preset courses can support.
Whole Staff

The essentials that everyone needs to know

Practical focus for members of your delivery team

Complete training for data protection leadership
The 2018 Data Protection Act and the General Data Protection Regulation transformed the responsibilities of organisations that deal with personal data. They also brought a new definition of personal data which is orders of magnitude wider than the previous one.
Reuse of terms can create confusion. Some basic ones need to be known by everyone. The current definition of personal data is essential for all members of staff. The definition, and its implication for the ownership of data, is critical to delivering subject access requests.
There are proposed changes to the definition in the UK depending on the passage of the Data Protection and Digital Information Bill during 2024. For data protection leaders, such potential changes must be worked into training and management plans.
Although the implementation of data protection is based on a distillation of the legislation, the DPA and UK GDPR are sophisticated pieces of legislation. At the same time there are areas where definition is poor and organisations can be left wondering how to proceed.
The DPA, like all UK legislation, is not designed to be easily understood, but there are critical sections that need to be appreciated.
It is expected that a person taking overall responsibility for data protection in an organisation will be very familiar with the legislation and able to point to sections, regulations and significant paragraphs.
Despite the broad definition of personal data, its coverage isn’t universal. Part of that comes from the basic definition of personal data, but Chapter 1 of the UK GDPR sets out restrictions and conditions. Some Sections of the Data Protection Act then amend these conditions. At present the UK has maintained compliance with the vast majority of the wording of the EU document, but the forthcoming Data Protection and Digital Information Bill may see that change.
This module is primarily for data protection leaders, although it is expected that the required information will be briefed to other individuals. This module provides essential guidance about what is included in the remit of data protection and how to justify what is not included.
This is a bedrock session for training new individuals or for the regular updates that all staff should have. Chapter 2 of the UK GDPR, along with Part 2 and Schedule 1 of the Data Protection Act, sets out the fundamental rules that apply to the processing of personal data. In some cases this is accompanied by extensive further detail about the requirements to enable a plan for compliance. In other cases there is precious little detail and data controllers have to do their best to interpret the requirements in the light of their own processing. It also contains Article 8, which has caused much confusion for those whose personal data may include that relating to children.
This section is primarily designed for individuals who are charged with delivering the response to SARs. For different categories of requestor it looks at what information should be available, what needs to be withheld and what might be withheld in certain circumstances. The practical issues in collecting and processing the data are considered.
The most complex work in a SAR is deciding what needs to be redacted and what can be left in, then performing that redaction. There is a great deal of judgement to be exercised but with the scale of some requests there is little time for that to happen. Practical tools and techniques are covered including practical experience.
Data breaches range from the trivial to the catastrophic. The more personal data you handle, and the more of it is special category data, the more rapidly your risks grow. For non-deliberate breaches, each incident represents a failure of technology or process, or both. However, pragmatism makes it clear that you can’t hope to control every aspect of information management.
It is important to know what types of breach may occur and the potential harm that can arise. In this module we discuss the process of deciding whether a breach will need to be reported to the regulator.
Once a breach has been recognised, an organisation needs to swing into action. For most people this simply means ensuring that incidents are reported rapidly, but for those closer to the management of data protection, the initial report begins a period of action that may become very intense. This section is essential for those dealing with breaches on a practical level and those overseeing data protection.
As with other practically focused sessions, we cannot hope to cover every possible scenario, but rather work towards a set of tools to support decision making.
This is an area where requirements may change if the new bill becomes law. Currently an assessment needs to be done for projects which create significant new risk. It’s another poorly understood area of translating requirements to practice, and many trivial DPIAs have been completed with little benefit and a waste of resources.
If a DPIA is required, it should form part of the normal development process of the project. If it doesn’t, then again it is mostly an academic exercise. In theory, a DPIA can come out showing such a level of risk that the initiative is withdrawn.
Only the data protection lead is likely to be involved in a DPIA so this training is only set at that level.
One of the key requirements in the UK GDPR is to be able to demonstrate your progress against the various criteria. It’s implied that organisations may be expected to demonstrate this progress, perhaps in the course of an audit visit. This module is designed for the data protection lead. It focuses on the various areas of data protection performance and the types of measures required.
A module for those administering data protection and primarily those leading the function. There are pieces of administration alongside each process and it’s the requirement of the Regulations that you are able to provide a progress update. This is best done by having a common incoming information structure and common processes across your organisation. Having a central repository for compliance documents means that a whole team can co-operate and collaborate, always having the most up-to-date information.
Although not strictly part of data protection, the cross-over with Freedom of Information is so frequent that data protection teams are also given responsibility. In the vast majority of cases the response to an FOI request must exclude personal data, but rather like the redaction of a SAR this can vary. Complaints are common and must be handled in a specific way. Even following a complaint, matters can frequently be referred to the ICO and this must be handled with care.
This section of training is for the data protection lead and any members of staff who support the response to such requests. It is very focussed on the practical aspects of responding to requests, including areas such as Legitimate Interests Assessments.