ISO27701-CDPO – Certified Chief Data Protection Officer

Brit Certifications and Assessments

Brit Certifications and Assessments (BCAA) is a leading UK-based certification body (CB), formed to address a gap in the IT and IT security sector. The certification body leads in IT security and IT certifications, and in particular does so in a highly pragmatic way.

BCAA UK works in a hub-and-spoke model across the world.

Data Privacy

Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others. This personal information can be one’s name, location, contact information, or online or real-world behavior. Just as someone may wish to exclude people from a private conversation, many online users want to control or prevent certain types of personal data collection.

As Internet usage has increased over the years, so has the importance of data privacy. Websites, applications, and social media platforms often need to collect and store personal data about users in order to provide services. However, some applications and platforms may exceed users’ expectations for data collection and usage, leaving users with less privacy than they realized. Other apps and platforms may not place adequate safeguards around the data they collect, which can result in a data breach that compromises user privacy.

ISO27701

ISO/IEC 27701:2019 is built to complement the widely used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of PIMS a helpful compliance addition for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

In addition, any ISO/IEC 27701 audit requires the organization to declare the applicable laws and regulations in its audit criteria, meaning that the standard can be mapped to many of the requirements under the GDPR, the California Consumer Privacy Act (CCPA), or other laws. Once mapped, the ISO/IEC 27701 operational controls are implemented by privacy professionals. An internal or external third party accredited to assess then evaluates the organization’s compliance with the requirements of the standard and issues a certificate to that effect. This universal framework allows organizations to efficiently implement compliance with new regulatory requirements.

Benefits:

• Helps with compliance audits.
• Ensures a consistent approach to information security management throughout an organization.
• Enables organizations to understand and manage risks in a systematic manner.
• Provides guidance on how to meet high-level objectives for information security management.
• Includes guidelines for implementing controls at each stage in the risk assessment process.
• Identifies key components that need to be addressed by organizational policies and procedures.
• Provides a framework for assessing effectiveness of implemented controls, including monitoring activities and reporting on results.

Agenda

Module 1: Privacy Compliance Frameworks

• Material scope
• Territorial scope
• Governance
• Objectives
• Key processes
• Personal information management systems
• ISO/IEC 27001:2013
• Selecting and implementing a compliance framework
• Implementing the framework

Module 2: Role of the Data Protection Officer

• Voluntary designation of a Data Protection Officer
• Undertakings that share a DPO
• DPO on a service contract
• Publication of DPO contact details
• Position of the DPO
• Necessary resources
• Acting in an independent manner
• Protected role of the DPO
• Conflicts of interest
• Specification of the DPO
• Duties of the DPO
• The DPO and the organization
• The DPO and the supervisory authority
• Data protection impact assessments and risk management
• In-house or contract

Module 3: Common Data Security Failures

• Personal data breaches
• Anatomy of a data breach
• Sites of attack
• Securing your information
• ISO 27001
• Ten Steps to Cyber Security
• Cyber Essentials
• NIST standards
• The information security policy
• Assuring information security
• Governance of information security
• Information security beyond the organisation’s borders

Module 4: Six Data Protection Principles

• Principle 1: Lawfulness, fairness and transparency
• Principle 2: Purpose limitation
• Principle 3: Data minimisation
• Principle 4: Accuracy
• Principle 5: Storage limitation
• Principle 6: Integrity and confidentiality
• Accountability and compliance

Module 5: Requirements for Data Protection Impact Assessments

• Data protection impact assessments
• When to conduct a DPIA
• Who needs to be involved
• Data protection by design and by default

Module 6: Risk Management and DPIAs

• DPIAs as part of risk management
• Risk management standards and methodologies
• Risk responses
• Risk relationships
• Risk management and personal data

Module 7: Data Mapping

• Objectives and outcomes
• Four elements of data flow
• Data mapping, DPIAs and risk management

Module 8: Conducting DPIAs

• Reasons for conducting a DPIA
• Objectives and outcomes
• Consultation
• Five key stages of the DPIA
• Integrating the DPIA into the project plan

Module 9: Data Subjects’ Rights

• Fair processing
• The right to access
• The right to rectification
• The right to be forgotten
• The right to restriction of processing
• The right to data portability
• The right to object
• The right to appropriate decision making

Module 10: Consent

• Consent in a nutshell
• Withdrawing consent
• Alternatives to consent
• Practicalities of consent
• Children
• Special categories of personal data
• Data relating to criminal convictions and offences

Module 11: Subject Access Requests

• The information to provide
• Data portability
• Responsibilities of the data controller
• Processes and procedures
• Options for confirming the requester’s identity
• Records to examine
• Time and money
• Dealing with bulk subject access requests
• Right to refusal

Module 12: Controllers and Processors

• Data controllers
• Joint controllers
• Data processors
• Controllers that are processors
• Controllers and processors outside the EU
• Records of processing
• Demonstrating compliance

Module 13: Managing Personal Data Internationally

• Key requirements
• Adequacy decisions
• Safeguards
• Binding corporate rules
• The EU-US Privacy Shield
• Privacy Shield Principles
• Limited transfers
• Cloud services

Module 14: Incident Response Management and Reporting Notification

• Events vs incidents
• Types of incident
• Cyber security incident response plans
• Key roles in incident management
• Prepare
• Respond
• Follow up

Module 15: GDPR Enforcement

• The hierarchy of authorities
• One-stop-shop mechanism
• Duties of supervisory authorities
• Powers of supervisory authorities
• Duties and powers of the European Data Protection Board
• Data subjects’ rights to redress
• Administrative fines
• The Regulation’s impact on other laws

Dual Certification

The training program carries dual certification.
1. ISO27701 Lead Implementer
2. Certified Chief Data Protection Officer

Exam:

A subjective ISO27701 exam follows successful completion of the training.

CDPO certification is based on the participant’s experience: more than 5 years’ experience in IT, endorsed by the training partner.

Eligibility

• Managers or consultants seeking to prepare and support an organization in planning, implementing, and maintaining a compliance program based on the GDPR
• DPOs and individuals responsible for maintaining conformance with the GDPR requirements
• Members of information security, incident management, and business continuity teams
• Technical and compliance experts seeking to prepare for a data protection officer role
• Expert advisors involved in the security of personal data
