CB Comply: Data protection training

The Information Commissioner’s Office expect your data protection practices, procedures, and policies to be reviewed regularly, especially in a fast-changing privacy landscape that has resulted in several big-ticket fines for companies around the world. It is also a legal requirement that your employees receive up-to-date training. Making sure that they comply with the fast-evolving laws on data protection is not optional.

Failure to train and update employees will expose your business to an increased risk of a data breach. The ICO also has wide powers to enforce compliance with UK GDPR, ranging from enforcement notices up to very substantial fines. All enforcement action is published on the ICO website, so this can result in potentially lasting reputational damage. In an increasingly cautious economic environment, taking shortcuts when it comes to data protection compliance could also make it more difficult to secure the investment you need to grow your business.

This introductory training session covers the fundamental concepts of the UK and EU GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 1993. It is ideal for staff who handle personal data in their day-to-day functions, such as your HR or risk and compliance team.

You will learn about the rights of UK- and EU-based individuals in respect of their personal data, the implications for your business’s staff, the rules that apply to using special categories of ‘sensitive’ personal data, and how to make sure your organisation is compliant. We also highlight common privacy-related issues faced by businesses in relation to direct e-marketing to individuals.

When a data controller appoints a data processor, UK and EU laws require a written contract to be in place between them. While it is a requirement that this contract contains certain mandatory provisions, sophisticated businesses typically take different approaches to negotiating their content and wording as a method of minimising their risk exposure and maximising their commercial leverage.

This training session is designed for businesses that frequently encounter controller-processor agreements and require the know-how to be able to negotiate these in-house, depending on whether they are a controller or a processor. We will cover the requirements of Article 28 of the UK GDPR and EU GDPR in detail, considering issues such as allocation of liability and costs apportionment, so that you have the confidence to negotiate these on a regular basis.

The failure of businesses to handle a data subject access request (DSAR) properly is one of the most common reasons why individuals complain about them to the UK’s regulator, the Information Commissioner’s Office. DSARs are also increasingly complex to manage, since the quantity of information that businesses are likely to hold about them will typically be increasing.

In this training session, we explain in detail the rights of individuals to gain access to their personal data, as well as exemptions that your business could rely on in order to withhold certain information. We also take a look how to avoid common pitfalls when handling a DSAR so that you are fully up to date with the requirements of the UK GDPR, the Data Protection Act 2018, and the ICO’s latest guidance on this topic.

Despite the globalised way in which many businesses operate today, UK and EU data protection laws restrict the transfer of personal data to countries outside of the UK and the European Economic Area that are not deemed to have an adequate level of data protection. This can present challenges not only when it comes to international commerce but also in respect of basic outsourced functions, such as using CRM systems or servers that are not located in the UK or the EEA.

In this session, we explain what constitutes an international transfer of personal data, how to determine whether a country is considered ‘adequate’, and what to do if you wish to transfer personal data to a country that does not have adequacy status. In particular, we will take a look at the implications of the much-publicised Schrems II judgment that invalidated the EU-US Privacy Shield and how this affects your transfer of personal data to countries such as the United States, as well as the latest set of ‘standard contractual clauses’ mandated by the European Commission and their UK equivalent.

Data breaches can arise in a number of different circumstances, many of which may not be immediately apparent to a business unless it is aware of what to look out for. A data breach resulting in a risk of serious adverse consequences for data subjects must be reported to the Information Commissioner within 72 hours of its discovery, and individuals may also need to be notified. It is therefore very important that the managers of a business have trained their staff to identify when a breach may have occurred and to have a procedure to deal with any reporting that may be needed.

In this session, we will highlight the most common forms of data breach, including suggesting practical steps to minimise such breaches occurring. We will also set out the basic steps necessary to investigate the extent and assess the potential severity of the breach, to establish whether it was a one-off or a continuing event, and to progress to terminating the breach and dealing with any necessary reporting to the ICO and individuals.