Accredited Data Protection Officer training

Join the next generation of Data Protection Officers

Learn your DPO skills on one course rather than two or more and save a lot of money. A 2022 Barclay Simpson UK survey indicates that a DPO can earn up to 150,000 GBP full-time or 800 GBP per day contract. Start your journey to becoming a DPO today.

A Continuing Professional Development certified course.


Course overview

Our CPD accredited Data Protection Officer training course provides comprehensive training covering the roles and responsibilities of a Data Protection Officer; risk management, policies, standards, procedures and the governance framework. You will learn about the GDPR, e-Privacy, managing individual rights (DSAR), breach handling, records management (ROPA and more), privacy by design (DPIA), dealing with multiple privacy laws, vendor management, third-party contracts, data sharing and transfers, security and access measures, and how all these components work together.

The course contains nineteen units. Seventeen units include training material, unit eighteen is a course evaluation, and unit nineteen is the final examination. Training material units have a theory and a practical application quiz to measure your progress.

When you pass the course, your certificate is immediately generated online for you to download and display.

Course audience and logistics

Our CPD accredited Data Protection Officer training course is built for people interested in reskilling or upskilling in EU data privacy. The course is open to anyone globally because all organisations that trade with EU consumers must be GDPR compliant.

You study at your own pace because the course is online and self-study in our Moodle virtual classroom. However, we estimate that completing the course will take about 100 hours of studying.

Before starting the course, you don’t need to have any prior knowledge of data protection.

The course fee is 950 Euros.

  • There are no fixed course start dates or times.
  • You start when you choose.
  • You work through all the units in order.
  • Every unit (except for the READ ME FIRST unit) has two quizzes on theory and practical application.
  • Quizzes are sequenced, so you cannot take quizzes in random order.
  • You must pass each to proceed to the next.
  • There is a final, three-part exam of 150 minutes.
  • The final exam passing grade is 70% to get your CPD accredited DPO certificate.
  • Your accredited DPO certificate is available as soon as you pass the final exam.

Study carefully. Do not skim or skip the material. If you fail, you must enrol and pay again. There are no retakes.

Step 1 - Register now!

  1. Fill out your details
  2. Follow the instructions in the email from “EBC Business Courses”

Step 2 - Pay and Start!

  1. Scroll down and click “Buy Now”
  2. Follow the “Stripe” instructions and start your course

Time limit

You have a maximum of 24 weeks to complete the course. If you fail to complete on time, you must enrol and pay again.

Final exam

Your final exam is taken in three sections totalling 2.5 hours.

  1. Exam part 1 – Units 1, 2 and 3: There are 18 questions. You have 30 minutes to answer.
  2. Exam part 2 – Units 4, 5, 6 and 7: There are 20 questions. You have 30 minutes to answer.
  3. Exam part 3 – Units 8 to 17: There are 62 questions. You have 90 minutes to answer.

You only get one shot at the final exam.

You must get a 70% passing grade in all three sections.

If you fail to pass any section, you fail the final exam and you must enrol and pay again.

Course learning objectives

The primary objective is to give you the foundation skills required of a Data Protection Officer so that you can get a job in data privacy and data protection.

Behavioural objectives

The GDPR lays out a DPO’s behavioural expectations. In addition, a DPO must understand the regulation and how to implement and operate a governance structure to enable compliance. This course teaches the skills a DPO needs to act in line with the DPO rules and to lead day-to-day data privacy operations.

Knowledge and Understanding

When you finish the course, you should understand the following:

  1. the difference between data protection and data privacy;
  2. what data protection is and what the GDPR covers;
  3. the Data Protection Officer’s (DPO) skill requirements, role, responsibilities and tasks;
  4. what makes a good DPO, and the primary duties of a DPO;
  5. how to prepare for GDPR compliance;
  6. the nature of the fourteen structural components of the GDPR Comply layer;
  7. the dependencies and relationships between the fourteen structural components;
  8. what is personal data governance and its implications;
  9. how private data governance works;
  10. the role of DPO regarding personal data governance;
  11. how to formulate a Risk Appetite Statement (RAS);
  12. how to measure a company’s GDPR performance against the RAS using Key Risk Indicators (KRI), Key Control Indicators (KCI) and Limits;
  13. the role of DPO in risk management;
  14. what a Data Protection Policy should include and set out;
  15. how to lawfully process personal data under the GDPR;
  16. the DPO’s duties relative to the Data Protection Policy;
  17. how to set up and use a Data Protection Group (DPG) to coordinate compliance;
  18. the aims and principles of personal data rights treatments;
  19. a formal external complaint handling procedure;
  20. why training and raising all employees’ awareness of GDPR is essential;
  21. records management tasks;
  22. why local legal considerations are important;
  23. principles and conditions for data sharing and transfers;
  24. the role and requirements of personal data transfer contracts;
  25. the four steps to personal data transfer contracts;
  26. the use of a processor by a controller;
  27. what third-party compliance entails and how it can be achieved;
  28. what a DPIA is, and its objectives and outcomes;
  29. the rules for conducting a DPIA;
  30. what security measures should be taken by an organisation to protect personal data;
  31. what types of breaches need to be reported to the Supervisory Authority and individuals.

Skills and Abilities

When you finish the course, you should know the following:

  1. whether an organisation needs a DPO or not;
  2. who is responsible for guidance, oversight and supervisory authority relationship;
  3. the duties and obligations of a DPO, especially those related to direction, oversight and supervisory authority;
  4. how, from whom and what kind of personal data an organisation might collect;
  5. data privacy escalation procedures for changes, DSARs, DPIAs, breaches, questions, etc.;
  6. what purposes the personal data collected might be used for;
  7. the aims of all data privacy structural components;
  8. how a data subject can exercise their rights by an enquiry, request or a complaint;
  9. what kind of enquiries, requests and complaints the data subjects might make;
  10. how to respond to all DSAR types;
  11. the requirements for the GDPR training;
  12. different types of training programmes and their roles;
  13. what records are required, their content and how they are managed;
  14. how to manage personal data acquisition, use, transfer, retention and destruction;
  15. the procedures for creating and maintaining data transfer contracts with third parties;
  16. the steps of conducting a DPIA;
  17. the main components of an information security policy;
  18. the roles of different members of staff in data security;
  19. minimum control standards with regards to security and access;
  20. when and how breaches should be dealt with;
  21. the step-by-step process of dealing with breaches.

How to enrol and get started

1 – Start dates

  1. There are no fixed course start dates or times
  2. You start when you choose

2 – Register

  1. Click here to register on our training platform
  2. After you enter your details you will be sent an email that you must confirm
  3. If you do not see the email in your inbox, check your spam
  4. The email title is “EBC Business Courses: account confirmation”
  5. The email is from “EBC Business Courses”
  6. Open the email and follow the instructions in the email
  7. Click the “Continue” button after you click the link in the email

3 – Pay and start

  1. Click here to open the “Data Protection Officer Comprehensive Training” course
  2. Scroll down and click “Buy Now” (example below)
  3. Follow the “Stripe” instructions
  4. Start your course


    Data Protection Officer Training Course Content

    Summary of timings

    • READ ME FIRST – Course Introduction – 1 hour
    • Unit 1 – Introduction to Data Protection – 5 hours
    • Unit 2 – Introduction to structural components – 5 hours
    • Unit 3 – Personal Data Governance – 4 hours
    • Unit 4 – Personal data protection risk management – 4 hours
    • Unit 5 – Data Protection Policy – 4 hours
    • Unit 6 – Data Protection Officer – 4 hours
    • Unit 7 – Guidance, Oversight, Supervisory Authority relations – 5 hours
    • Unit 8 – Personal data rights treatment – 5 hours
    • Unit 9 – Enquiries, requests and complaints – 10 hours
    • Unit 10 – Training and awareness – 5 hours
    • Unit 11 – Records management – 5 hours
    • Unit 12 – Local legal considerations – 5 hours
    • Unit 13 – Data Sharing and Transfers – 5 hours
    • Unit 14 – Third-party transfer compliance – 5 hours
    • Unit 15 – Risk assessment (DPIA) – 10 hours
    • Unit 16 – Security and access – 5 hours
    • Unit 17 – Breach notification – 10 hours
    • Unit 18 – Review – half an hour
    • Unit 19 – Final examination and certification – 2.5 hours

    Total: 100 hours

    READ ME FIRST – Course Introduction – 1 hour

    Course instructions

    • The system marks this item complete according to conditions.
    • There is no time limit for this course.
    • Work through all the units in order.
    • Every unit except this one has two quizzes in Theory and Practical application.
    • Quizzes are sequenced, so you cannot take quizzes in random order.
    • You must pass each to proceed to the next.
    • There is a final, three-part exam of 150 minutes.
    • The final exam passing grade is 70% to get your CPDDPO certificate.
    • Your CPDDPO certificate is available as soon as you pass the exam.

    Important information about using and navigating the course

    • The system marks this item complete according to conditions: Important information about this course
    • IMPORTANT: Read this before you start the course!
    • All marked coursework has a 70% passing grade.

    How to take quizzes and the final exam

    • IMPORTANT: Read this before you start the course!

    Glossary of terms used in this course

    • The system marks this item complete according to conditions: Glossary of terms used in this course

    The GDPR – an online, interactive version

    • The system marks this item complete according to conditions: The GDPR – an online, interactive version
    • Here’s a link to our online, interactive version of the GDPR showing articles with their related recitals and fine ranges.
    • Full GDPR online at Data Protection Controls
    • IMPORTANT: You will see the word “should” mentioned in the GDPR. “Should” means “must”. An example is “Any processing of personal data should be lawful and fair.” The GDPR is all about lawful and fair personal data processing. “Should” in plain English could imply some type of conditional option, but in the GDPR, it means an obligation. So to be safe, where you see “should”, read “must”.

    Bibliography

    Unit 1 – Introduction to Data Protection – 5 hours

    Unit 1 – objectives

    • By the end of this unit, you will understand:
    • The difference between data protection and data privacy
    • What data protection is and what the GDPR covers
    • A Data Protection Officer’s (DPO) skill requirements, role, responsibilities and tasks
    • How to prepare for GDPR compliance

    Unit 1 – Theory

    • What are data privacy and data protection?
    • Data protection milestones from 1890 to today
    • Data protection today
    • European Union structure and data protection
    • What types of people qualify for data protection?
    • What is the GDPR?
    • What is the impact of the GDPR on an organisation?
    • The Data Protection Officer
    • Data Protection Officer attributes
    • Getting ready for GDPR compliance
    • Who are the principal actors in data protection?
    • The four fundamental relationships
    • The two pillars of GDPR compliance

    Unit 1 – Putting theory into practice

    • What is personal data?
    • What is the scope of GDPR protection and compliance?
    • Should your organisation be GDPR regulated?
    • GDPR coverage calculator
    • How to select a Data Protection Officer?
    • The Data Protection Officer’s Primary Duties
    • Let’s get started on the road to GDPR compliance
    • The six principles underpinning the GDPR
    • A diagram of the two pillars of GDPR compliance
    • The Protect layer
    • The Comply layer

    Unit 1 – Helpful tips

    • Expert tips and advice

    Unit 1 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 1 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 1 – Additional supporting material

    • Download this unit’s text
    • Download Getting Accountability Right with a Privacy Management Program
    • GDPR articles covered by the components in the Comply layer
    • EU administration articles in the GDPR that can impact the Comply layer

    Unit 2 – Introduction to structural components – 5 hours

    Unit 2 – objectives

    • By the end of this unit, you will understand:
    • the nature of the 14 structural components of the GDPR Comply layer
    • the dependencies and relationships between the 14 structural components

    Unit 2 – Theory

    • A recap of what we know
    • What is the GDPR?
    • What is its impact?
    • Operate a unified personal data protection framework
    • 100% GDPR compliance is unachievable
    • The Unified Personal Data Protection Framework
    • The Framework Components
    • Personal Data Governance
    • Data Protection Policy
    • Data Protection Officer (DPO)
    • Guidance, Oversight, Supervisory Authority relations
    • Personal Data Rights Treatment
    • Enquiries, Requests, Complaints
    • Training and Awareness
    • Records Management
    • Local Legal Considerations
    • Data Sharing and Transfers
    • Third-party Compliance Confirmation
    • Data Risk Assessment – Data Protection Impact Assessment (DPIA)
    • Security and Access
    • Breach Detection and Notification

    Unit 2 – Putting theory into practice

    • The rationale and operational implications of each Framework component
    • Personal Data Governance
    • Data Protection Policy
    • Data Protection Officer (DPO)
    • Guidance, Oversight, Supervisory Authority relations
    • Personal Data Rights Treatment
    • Enquiries, Requests, Complaints
    • Training and Awareness
    • Records Management
    • Local Legal Considerations
    • Data Sharing and Transfers
    • Third-party Compliance Confirmation
    • Data Risk Assessment – Data Protection Impact Assessment (DPIA)
    • Security and Access
    • Breach Detection and Notification

    Unit 2 – Helpful tips

    • Expert tips and advice

    Unit 2 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 2 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 2 – Additional supporting material

    • Download this unit’s text

    Unit 3 – Personal Data Governance – 4 hours

    Unit 3 – objectives

    • By the end of this unit, you will understand:
    • What is personal data governance and its implications
    • How personal data governance works
    • The role of DPO in regard to personal data governance

    Unit 3 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 3 – Theory

    • What is governance?
    • What is personal data governance?
    • What are the implications of personal data governance?
    • What is an Operating Model?
    • Fundamental definitions

    Unit 3 – Putting theory into practice

    • How does personal data governance work?
    • The personal data governance and operating 3LOD model
    • Suggested model for a large organisation
    • Suggested model for an SME
    • Key compliance artefacts that depend on governance
    • Personal data governance operational structure
    • Risk reporting flow
    • Suggested model for a large organisation
    • Suggested model for an SME
    • What are the foundation roles and responsibilities for personal data governance?
    • Audit
    • Risk and Compliance
    • DPO (Data Protection Officer)
    • BAU (day-to-day operations)
    • Organisation’s Executive / Senior Leadership
    • Lines of business (core processing, usually revenue generating)
    • All administrative support areas
    • All Employees
    • Information Technology and Security

    Unit 3 – Helpful tips

    • Expert tips and advice

    Unit 3 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 3 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 3 – Additional supporting material

    • Download this unit’s text
    • Helpful documentation

    Unit 4 – Personal data protection risk management – 4 hours

    Unit 4 – objectives

    • By the end of this unit, you will understand:
    • How to formulate a Risk Appetite Statement (RAS)
    • How to measure a company’s GDPR performance against the RAS using Key Risk Indicators (KRI), Key Control Indicators (KCI) and Limits
    • The role of DPO with respect to risk management

    Unit 4 – Theory

    • Should you be concerned about GDPR risk?
    • What are the primary risk sources?
    • How much risk will you take?
    • Figuring out your risk appetite
    • Writing a Risk Appetite Statement (RAS)
    • An example of a high-level RAS
    • Supervisory Authority tasks, actions and sanctions
    • Investigative powers
    • Corrective powers
    • Administrative fines
    • Fines mapped to the GDPR components
    • Fines grouped by article
    • Further reading

    Unit 4 – Putting theory into practice

    • Risk appetite flow
    • Example of a simple risk appetite table
    • Examples of supporting key controls

    Unit 4 – Helpful tips

    • Expert tips and advice

    Unit 4 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 4 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 4 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered
    • Key GDPR risk defining recitals

    Unit 5 – Data Protection Policy – 4 hours

    Unit 5 – objectives

    • By the end of this unit, you will understand:
    • What a Data Protection Policy should include and set out
    • How to lawfully process personal data in accordance with GDPR
    • The DPO’s duties relative to the Data Protection Policy

    Unit 5 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 5 – Theory

    • What is a policy?
    • What is a data protection policy?
    • What are the implications of data protection policy?
    • Who is responsible for the data protection policy?

    Unit 5 – Putting theory into practice

    • Building the Data Protection Policy
    • Introduction
    • Purpose
    • Applicable audience
    • Data Protection Officer (DPO)
    • DPO’s primary duties
    • Data protection principles
    • Data subject
    • Lawful processing
    • Transparency and consent
    • Data subject rights
    • Data collection
    • Data processor selection
    • Data security
    • Reporting breaches
    • Risk management
    • Data retention
    • Data transfers to external entities
    • Data transfers to external entities in third countries or international organisations
    • Data audit and register
    • Staff training
    • Best practice
    • Monitoring
    • Consequences of failing to comply
    • Linked documents and policies
    • Change management

    Unit 5 – Helpful tips

    • Expert tips and advice

    Unit 5 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 5 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 5 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 6 – Data Protection Officer – 4 hours

    Unit 6 – objectives

    • By the end of this unit, you will:
    • better understand who a Data Protection Officer (DPO) is
    • know whether an organisation needs a DPO or not
    • understand what makes a good DPO
    • understand the primary duties of a DPO

    Unit 6 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 6 – Theory

    • What are the attributes of a Data Protection Officer?
    • Does an organisation need to appoint a DPO?
    • The reason some organisations prefer not to appoint a DPO

    Unit 6 – Putting theory into practice

    • DPO attributes and selection criteria
    • Does a Data Protection Officer have to be a lawyer?
    • The Data Protection Officer’s Primary Duties
    • A protected role, reporting and confidentiality
    • Permanent or outsourced role
    • Executive support

    Unit 6 – Helpful tips

    • Expert tips and advice

    Unit 6 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 6 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 6 – Additional supporting material

    • Download this unit’s text
    • Primary operational use cases
    • GDPR articles covered

    Unit 7 – Guidance, Oversight, Supervisory Authority relations – 5 hours

    Unit 7 – objectives

    • By the end of this unit, you will:
    • Learn who is responsible for guidance, oversight and supervisory authority relationship
    • Learn more about the duties and obligations of a DPO, especially those related to guidance, oversight and supervisory authority
    • Understand how to set up and use a Data Protection Group (DPG) to coordinate compliance

    Unit 7 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 7 – Theory

    • Who is responsible for guidance, oversight and supervisory authority relationship?
    • DPO main task descriptions
    • Advice
    • Oversight
    • Supervisory Authority relations
    • Supervisory Authority powers
    • Supervisory Authority audit areas

    Unit 7 – Putting theory into practice

    • DPO tasks and obligations
    • Implementing Policies and Procedures
    • Establishing a Data Protection Group
    • Purpose
    • Attendees
    • Scope of Group
    • Timing
    • Reporting
    • Minutes and Reports

    Unit 7 – Helpful tips

    • Expert tips and advice

    Unit 7 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 7 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 7 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 8 – Personal data rights treatment – 5 hours

    Unit 8 – objectives

    • By the end of the unit, you will:
    • Understand the aims and principles of personal data rights treatments
    • Know how, from whom and what kind of personal data an organisation might collect
    • Understand what purposes the personal data collected might be used for

    Unit 8 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 8 – Theory

    • What is personal data rights treatment?
    • What is the aim of the personal data rights treatment?
    • Personal data collection
    • What are the principles of personal data rights treatment?
    • Conditions for legally processing personal data
    • Data subject acknowledgement
    • Personal data categories
    • Other personal data terms you may encounter

    Unit 8 – Putting theory into practice

    • Towards building a privacy notice
    • Collecting personal data
    • Types of people whose personal data you might collect
    • Some examples of processing purposes
    • Statutory processing
    • Contractual information
    • Insurance claims (insurance only)
    • Financial
    • Other
    • Email addresses
    • How to define “Legitimate Interest”
    • Collection and use of personal information
    • Retention period
    • Security
    • Cleanliness of direct marketing lists
    • Use of data for direct marketing by post and telephone
    • Data transfers
    • Collecting IP (Internet Protocol) addresses
    • Respecting data privacy rights
    • Breaches
    • Data obfuscation
    • Data Subject Access Requests
    • Cookie notice and consent

    Unit 8 – Helpful tips

    • Expert tips and advice

    Unit 8 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 8 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 8 – Additional supporting material

    • Privacy notice template
    • Privacy notice and direct marketing process flow diagrams
    • An example Legitimate Interest Assessment
    • Download this unit’s text
    • GDPR articles covered

    Unit 9 – Enquiries, requests and complaints – 10 hours

    Unit 9 – objectives

    • By the end of this unit, you will:
    • Understand the aim of this structural component
    • Revise the data subject rights
    • Understand how a data subject can exercise their rights by an enquiry, request or a complaint
    • Know what kind of enquiries, requests and complaints the data subjects might make
    • See an example of a complaint handling procedure

    Unit 9 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 9 – Theory

    • What is the aim of this component?
    • Accountability in the context of this component?
    • You are the Controller
    • You are a Joint Controller
    • You are a Processor
    • You are a Processor subcontracted by another Processor
    • What does this structural component contain?
    • Data Subject Rights
    • Available data subject rights
    • Exercising data subject rights with a Data Subject Access Request (DSAR)
    • DSAR obligations
    • DSAR enquiries
    • Clarification of transparency
    • Right of access and portability
    • DSAR requests
    • Right to object and restriction of processing
    • Right to opt-out of automated decision making
    • Right to rectification
    • Right to erasure (or to be forgotten)
    • DSAR complaints
    • Right to lodge a complaint with the Supervisory Authority
    • Right to claim compensation

    Unit 9 – Putting theory into practice

    • Data Subject Access Request (DSAR) processing
    • Rationale
    • The receipt of a DSAR
    • Procedure guidelines
    • Step 1: Determine the DSAR type
    • Step 2: Authenticate the requestor
    • Authenticate the Data Subject
    • Authenticate a third party acting for the Data Subject
    • Authenticate others enquiring about a Data Subject
    • Step 3: Assess the DSAR
    • Step 4: Initiate processing
    • Step 5: Process the DSAR
    • DSAR triage diagram for a DSAR received directly from the data subject
    • DSAR triage diagram for a DSAR received from a third party
    • DSAR overviews
    • Get access to information comprising personal data (Article 15)
    • Get a copy of personal data to transfer to another organisation (Article 20)
    • Have inaccurate personal data rectified (Articles 16, 19)
    • Have personal data erased or destroyed (Articles 17, 19)
    • Restrict processing (Articles 18, 19)
    • Object to direct marketing processing or other processing (Articles 21, 19)
    • Object to decisions being taken by automated means (Article 22)
    • Data Subject Access Request steps
    • Data access request
    • Data rectification request
    • Data erasure request
    • Processing restriction request
    • Data portability request
    • Processing objection request
    • Object to automated processing
    • Flow example of a Supervisory Authority complaint

    Unit 9 – Helpful tips

    • Expert tips and advice

    Unit 9 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 9 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 9 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 10 – Training and awareness – 5 hours

    Unit 10 – objectives

    • By the end of this unit, you will:
    • Understand why training and raising all employees’ awareness of GDPR is essential
    • Know the requirements for the GDPR training
    • Understand different types of training programmes and their roles
    • See some ideas of how to implement a GDPR awareness training

    Unit 10 – Theory

    • Why are training and awareness essential?
    • What should the training consist of?
    • What are the requirements for the training?
    • What type of training evidence would a Supervisory Authority look for?

    Unit 10 – Putting theory into practice

    • Possible content of general training
    • All-staff training programme
    • Induction and refresher training
    • Specialised roles
    • Monitoring
    • Awareness-raising

    Unit 10 – Helpful tips

    • Expert tips and advice

    Unit 10 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 10 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 10 – Additional supporting material

    • Download this unit’s text
    • Download sample material for general staff training
    • GDPR articles covered

    Unit 11 – Records management – 5 hours

    Unit 11 – objectives

    • By the end of this unit, you will:
    • Understand records management better
    • Know what the records should contain and how they should be managed
    • Understand the records management tasks

    Unit 11 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 11 – Theory

    • What is records management?
    • What should the Records of Processing Activities (ROPA) register contain?
    • Controller’s register
    • Processor’s register
    • Other record-keeping

    Unit 11 – Putting theory into practice

    • Records management tasks
    • Processes and procedures
    • Controller and processor roles documented
    • Contracts and agreements in place
    • Record keeping
    • Data protection assets
    • Agreements (3rd party management)
    • Security measures
    • Systems and processes
    • Records of Processing Activities (ROPA)
    • Data Protection Impact Assessments (DPIA)
    • Data Subject Access Requests (DSAR)
    • Data Incident Management
    • Controller Inspections / Audits
    • Processor Inspections / Audits
    • Example data model showing how record-keeping interconnects

    Unit 11 – Helpful tips

    • Expert tips and advice

    Unit 11 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 11 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 11 – Additional supporting material

    • Download this unit’s text
    • Download a ROPA writing guide
    • Download a sample record-keeping procedure
    • Download sample record-keeping item definitions
    • GDPR articles covered

    Unit 12 – Local legal considerations – 5 hours

    Unit 12 – objectives

    • By the end of this unit, you will:
    • Understand why local legal considerations are important
    • Learn about record retention and destruction
    • See examples of minimum control standards regarding the creation of records, record security, storage, retention and destruction

    Unit 12 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 12 – Theory

    • What are local legal considerations?
    • Why are local legal considerations important?
    • Context
    • Example data retention policy
    • Purpose of this document
    • Document retention
    • Risk appetite and minimum control standards
    • Destruction of physical material
    • Destruction of electronic records
    • Roles and responsibilities
    • Other considerations

    Unit 12 – Putting theory into practice

    • Record retention schedule (Example content)
    • Data destruction use cases
    • Data Destruction Procedures
    • Destruction type 1 – driven by the Data Retention and Deletion Schedule
    • Destruction type 2 – not included in the Data Retention and Deletion Schedule
    • Destruction type 3 – Data Protection Officer request
    • Destruction type 4 – Transient data destruction
    • Destruction type 5 – Unstructured data detection and destruction
    • Other considerations
    • Freedom of expression and information
    • Public access to official documents
    • National identification numbers
    • Employment
    • Archiving in the public interest, scientific or historical research, and statistical purposes
    • Secrecy obligations
    • Churches and religious associations

    Unit 12 – Helpful tips

    • Expert tips and advice

    Unit 12 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 12 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 12 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 13 – Data Sharing and Transfers – 5 hours

    Unit 13 – objectives

    • By the end of this unit, you will:
    • Understand the general principles and conditions for data sharing and transfers
    • Understand the role and requirements of personal data transfer contracts
    • Learn the four steps to personal data transfer contracts
    • Better understand the use of a processor by a controller

    Unit 13 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 13 – Theory

    • What is the purpose of data sharing and transfers?
    • What are the general principles for data sharing and transfers?
    • Sharing and transfer conditions
    • Who can initiate sharing and transferring?
    • EU approved transfers
    • EU “Adequacy Decision” countries
    • EU Binding Corporate Rules approved international organisations
    • Data sharing and transfers to entities that are not EU approved
    • Documenting the sharing and transfer condition
    • Personal data transfer contracts
    • Personal data contract considerations
    • GDPR roles for sharing and transfers

    Unit 13 – Putting theory into practice

    • The four steps to personal data contracts
    • Step 1: identify your relationship with the third party
    • Step 2: identify roles, responsibilities, accountabilities and liabilities
    • Controller to Controller contract expectations
    • Controller to Processor contract expectations
    • Step 3: agree, sign and record the contract or agreement
    • Step 4: periodic review
    • High-level process diagram
    • Controller to Processor considerations
    • Processor selection
    • Processor contract maintenance
    • Controller to Processor communication channel
    • Periodic review of the Processor
    • The Processor chain

    Unit 13 – Helpful tips

    • Expert tips and advice

    Unit 13 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 13 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 13 – Additional supporting material

    • Download this unit’s text
    • Examples of contract texts
    • GDPR articles covered

    Unit 14 – Third-party transfer compliance – 5 hours

    Unit 14 – objectives

    • By the end of this unit, you will:
    • Better understand what third-party compliance entails and how it can be achieved
    • Learn the procedures for creating and maintaining data transfer contracts with third parties

    Unit 14 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 14 – Theory

    • Component scope
    • What does third-party transfer compliance entail?
    • What are the implications of third-party transfer compliance?

    Unit 14 – Putting theory into practice

    • Procedure guidelines
    • Contract requirement decision table
    • Impact on your processing
    • Contracts for personal data collected from an external entity
    • Contracts for personal data stored externally
    • Creating a contract
    • High-level contract content
    • Maintaining a contract
    • Reviewing contracts
    • Contract record keeping
    • Contracting Processors and sub-Processors
    • Impact on your processing
    • Due-diligence
    • Standards
    • Procedure
    • Processor selection
    • Processor contract maintenance
    • Controller to Processor communication channel
    • Periodic review of the Processor
    • Perform
    • Records
    • Inspections and audits
    • Standards
    • Governance
    • Training and Awareness
    • Records Management
    • Data Security
    • Data Subject Requests
    • Data Sharing
    • Data Protection Impact Assessment (DPIA)
    • Procedure
    • Perform
    • Records

    Unit 14 – Helpful tips

    • Expert tips and advice

    Unit 14 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 14 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 14 – Additional supporting material

    • Download this unit’s text
    • Download an example third party GDPR due diligence sheet
    • GDPR articles covered

    Unit 15 – Risk assessment (DPIA) – 10 hours

    Unit 15 – objectives

    • By the end of this unit, you will:
    • Learn what a DPIA is, its objectives and outcomes
    • Understand what the rules for conducting a DPIA are
    • Learn the steps of conducting a DPIA
    • See a sample DPIA reporting template

    Unit 15 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 15 – Theory

    • Compliant solutions overview
    • Data Privacy Impact Assessment description
    • Ground rules for conducting a DPIA
    • Code of practice for conducting a DPIA
    • DPIA results
    • Consulting with the Supervisory Authority
    • Data Privacy Impact Assessment (DPIA)
    • Introduction
    • DPIA Objectives
    • DPIA Outcomes

    Unit 15 – Putting theory into practice

    • DPIA Steps
    • Step 1: Identifying the need for a DPIA
    • Step 2: Describing information flows
    • Step 3: Identifying privacy and related risks
    • Step 4: Identifying and evaluating privacy solutions
    • Step 5: Signing off and recording the DPIA outcomes
    • Step 6: Integrating the DPIA outcomes back into the project plan
    • Sample DPIA question set
    • DPIA project lifecycle stages
    • Sample DPIA reporting template
    • DPIA steps guide
    • Initial assessment
    • Conduct the DPIA
    • DPIA conclusion

    Unit 15 – Helpful tips

    • Expert tips and advice

    Unit 15 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 15 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 15 – Additional supporting material

    • Download this unit’s text
    • Download an example DPIA initial analysis sheet
    • GDPR articles covered

    Unit 16 – Security and access – 5 hours

    Unit 16 – objectives

    • By the end of this unit, you will:
    • Learn what security measures should be taken by an organisation in order to protect personal data
    • Understand the elements of this component
    • Read an example of an information security policy
    • Understand the roles of different members of staff in data security and the policy
    • See examples of minimum control standards with regard to security and access

    Unit 16 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 16 – Theory

    • Component scope
    • What is the role of this component?
    • What are the main security drivers?
    • What is an information security policy?
    • Background
    • The security policy’s purpose
    • Definition of confidential information
    • Definition of personal data
    • Definition of special categories of personal data
    • Security scope
    • Roles and responsibilities
    • Governance

    Unit 16 – Putting theory into practice

    • What deficient security could cause
    • Does security cover all GDPR requirements?
    • Who does what?
    • Example of security risk appetite and minimum control standards
    • Security certification
    • Security checklist
    • What digital security covers
    • What physical security covers

    Unit 16 – Helpful tips

    • Expert tips and advice

    Unit 16 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 16 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 16 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 17 – Breach notification – 10 hours

    Unit 17 – objectives

    • By the end of the unit, you will:
    • Understand what types of breaches need to be reported to the Supervisory Authority and to individuals
    • Learn when and how breaches should be dealt with
    • Better understand the step-by-step process of dealing with breaches

    Unit 17 – Key GDPR articles

    • NOTE: Each article shows its infraction administrative Fine Range values of None, 10 and 20. 10 means 10 million Euros or 2% of the preceding financial year’s total worldwide annual turnover. 20 means 20 million Euros or 4% of the preceding financial year’s total worldwide annual turnover.
    • Full regulatory text for the key GDPR articles covered by this component

    Unit 17 – Theory

    • What is the role of this component?
    • Who reacts to a personal data breach?
    • Controller
    • Processor
    • What does this component consist of?
    • Personal data breach notification overview
    • When do you notify the Supervisory Authority?
    • Notification clock
    • Creating the notification for the Supervisory Authority
    • Creating the notification for data subjects

    Unit 17 – Putting theory into practice

    • Breach steps guide
    • Have we really had a breach?
    • Did the breach risk individuals’ data?
    • We have 72 hours to report (1)
    • We have 72 hours to report (2)
    • Post-mortem
    • Is it a breach?
    • What is a personal data breach?
    • A quick fix for personal data sent to the wrong person
    • EU breach analysis and reporting guidance

    Unit 17 – Helpful tips

    • Expert tips and advice

    Unit 17 – Theory quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 17 – Practical application quiz

    • Please answer all the questions
    • You must pass the quiz to proceed to the next quiz

    Unit 17 – Additional supporting material

    • Download this unit’s text
    • GDPR articles covered

    Unit 18 – Review – half an hour

    Unit 18 – End of course survey

    • Please answer all the questions

    Unit 19 – Final examination and certification – 2.5 hours

    Unit 19 – Exam part 1 – Units 1, 2 and 3

    • Please answer all the questions
    • There are 18 questions
    • You have 30 minutes to answer

    Unit 19 – Exam part 2 – Units 4, 5, 6 and 7

    • Please answer all the questions
    • There are 20 questions
    • You have 30 minutes to answer

    Unit 19 – Exam part 3 – Units 8 to 17

    • Please answer all the questions
    • There are 62 questions
    • You have 90 minutes to answer

    CPDDPO Certificate Course certificate

    • The system marks this item complete according to conditions: CPDDPO Certificate

    Data Protection Controls

    Head Office

    Calle de la Caléndula 93, Miniparc III, Edificio E, 28109, Alcobendas, Madrid, Spain

    Call us

    +34 915 553 975