When the EU Data Protection Regulation enters into force, it will be a requirement for a number of organisations, including public authorities and undertakings which handle extensive processing of particular (sensitive) data to appoint a data protection officer (DPO).  

Even though the material rules in several central areas will continue with the Regulation, the requirements for the data controllers' compliance in practice - and not least their ability to document such compliance - will for most undertakings result in a need for an increased effort and not least increased formalisation of the personal data work. 

To such undertakings, it may make sense to define another role - for example Chief Privacy Officer (CPO) or a similar function which will not be comprised by the independent requirements for a DPO and whose effort in the organisation will be an integrated part when performing the legal day-to-day work which the Regulation also requires. There will be a larger degree of independence to schedule the role of the CPO in accordance with the needs of the undertaking.

The Certificate is made to ensure that participants achieve the right competences which are necessary to handle the position as DPO pursuant to the Regulation. The Certificate will also be relevant to persons who are to work with Data Protection compliance, including the implementation of the Regulation in the organisation in the two year period from when the Regulation is passed.

The participants will receive comprehensive teaching material. 

The Certificate is offered to the private sector, the public sector and the financial sector. 

Plesner Data Protection Certificate will cover the following subjects

Overview of the Data Protection Regulation

• Background 
• Introduction to the structure and principles of the Regulation 
• Purpose 
• Material and geographical scope of application 
  Definitions 
• Administering rules 
• Transparency and the rights of the registered 
• DPO* 
• Data security breaches* 
• Accountability* 
• Privacy by design/privacy by default* 
• Data processor* 
• Documentation* 
• Data Privacy Impact Assessment (DPIA)* 
• Security* 
• Code of conduct and certification 
• Third country transfers* 
• Regulatory authorities 
• Corporation (one-stop-shop), coherence and EDPB 
• Responsibility and sanctions 

*These subjects will only be touched upon briefly during the introduction as they are dealt with separately in a later module

DPO or CPO - roles and responsibility

• The formal requirements for the DPO role - which tasks does the DPO handle
• The requirement of independence - what does the term cover and how is independence maintained in practice
• Chief Privacy Officer - an alternative or a supplement to Data Protection Officer 

Accountability 

• What does accountability mean? 
• How do you establish accountability? 
• Documentation of the many legal requirements to specific activities and inspections
• Practical exercise in accountability 

The relation to information security 

• Information security is only a part of the Data Protection compliance 
• Synergy and possible conflicts between legal Data Protection compliance and information security 
• Different objects - joint methods

Data Protection Impact Assessment (DPIA) 

• Background and purpose 
• Practical exercise in preparing a DPIA

Privacy by design/Privacy by default

• What do the terms mean? 
• How can it be used in support of compliance and accountability? 
• How may privacy by design and privacy by default be incorporated in system development processes and the day-to-day work in the organisation in practice

Data processor

• When is a data processor "only" a data processor and not data controller 
• The difference between data controllers and data processors 
• Typical data protection challenges when using a data processor
  o Using a sub-contractor
  o Third country transfers
  o Inquiries from registered
  o Duty of information in case of breach of data security 
• Allocation of responsibility and legal risk management 
• Securing accountability when part of the processes and inspections are conducted by a data processor 
• Data security 
• Preparing and renegotiation of data processor contracts

Third country transfers 

• Problems that may arise in connection with third country transfers in general
• Problems that may arise in connection with third country transfers internally in the Group
• The different transfer grounds
• Classical mistakes and misunderstandings

Data security breaches

• Security and compliance breaches - similarities and differences
• Obligations in connection with security breaches
• The relationship between data controller and data processor in case a security breach happens at the data controller
• Processes and resources for handling security breaches (establishing data breach team and data breach handling procedure)
• Use of external advisers when handling security breaches - specific points that need attention 

How to cover the data flow in the organisation

• Check lists and interviews
• Other solutions
• Pitfalls 

The practical cooperation in the organisation 

• The individual actors and their roles (IT, law, compliance, security etc.)
• Best practice for the cooperation - how to speak the same language
• Establishment of processes and workflows that support an effective and business oriented implementation of and compliance with the requirements
• Practical implementation in the organisation
• Handling of inquiries from data subjects and from the Danish Data Protection Agency