GDPR and How to Conduct a Data Protection Impact Assessment

Project number: 1911506

EIPA Headquarters, Maastricht (NL)


Date & pricing

28/10/2019 - 29/10/2019
Register before: 08/10/2019

€ 1.000,00 per attendee

€ 900,00 for EIPA members*


Registration for this course is closed. Do you want to receive updates about the next editions of this course? Please subscribe to our newsletter.

About this course

Compliance with the General Data Protection Regulation (GDPR) requires a deep understanding of the legislation by the organisations that handle personal data. The Data Protection Impact Assessment (DPIA) is one of the most important activities for an organisation to demonstrate its compliance with the GDPR. Carrying out a DPIA is one of the requirements under the GDPR for certain types of data processing. As part of a DPIA, an organisation must describe its processing activities related to personal data as well as assessing and mitigating risks. A DPIA can be a complex and time-consuming activity that requires expertise in several domains, in particular in terms of technological and information security. Evaluating the potential impact that a project, proposed system or scheme might have on the privacy of a data subject is a key factor in demonstrating compliance.

This course will provide you with the insights and techniques to successfully plan, execute and validate a DPIA report. You will learn about the key aspects of performing a DPIA and ensure that this compliance requirement is implemented in the project cycle within your organisation. During the course, you will gain an understanding of when a DPIA is needed, how to assess the risks and mitigate them, how to validate the DPIA report and when you need to arrange a prior consultation with the Supervisory Authority according to Article 36 of the GDPR.

At the end of the course, you will have an understanding as to why effective DPIAs are key to maintaining compliance with the GDPR. You will help people in your organisation better understand that processing personal data is a responsibility that they must take seriously, as they are protecting a fundamental right of the data subjects that entrust you with their information.

Course methodology and highlights
We believe practical know-how is the key to effective learning. This course therefore includes:

  • Detailed explanations of the key concepts and principles of the GDPR, as well as of its actors and their roles
  • Group assignments;
  • Practical exercises to perform a DPIA;
  • Interactive approach: the module’s structure will give you the opportunity to ask questions and share and discuss experiences, knowledge, needs and challenges with the trainer and other participants;
  • Several methodologies will be used, in particular the ones to perform a DPIA as used by the CNIL (FR), plus methodologies by other supervisory authorities.

Why EIPA?

  • Relevance: EIPA has direct insight into the workings of the European Union
  • Never alone: you will be part of a growing network of colleagues and professionals throughout Europe
  • Quality assurance: all of our courses have the EIPA Quality Seal. Upon successful completion, you will go home with an EIPA Data Protection Centre Certificate.
  • Combine fun and facts: this course is held in one of the most charming cities in Europe. Discover plenty of opportunities to relax and explore what the area has to offer.

What you will learn in this course

  • The key elements of a DPIA;
  • To decide on the need to conduct a DPIA;
  • The importance of a DPIA;
  • The methods to perform a DPIA;
  • Understanding risk assessment and risk management, which are key to the GDPR;
  • Performing a DPIA;
  • The dos and don’ts of a DPIA;
  • Validating a DPIA report;
  • When to perform a prior consultation as per Article 36 of the GDPR.

By the end of the course, you will be able to:

  1. decide on the need to perform a DPIA;
  2. conduct a DPIA;
  3. assess privacy risks;
  4. suggest mitigation measures for privacy risks;
  5. draft a DPIA report;
  6. understand and validate a DPIA report;
  7. decide on whether to carry out a prior consultation.

Rita Beuter (DE)
Public Procurement / PPP

Fernando Poças da Silva
Computer and Network Security - External Expert

Practical information

Course venue
European Institute of Public Administration (EIPA)
O.L. Vrouweplein 22
6211 HE, Maastricht
the Netherlands

Programme Organiser
Ms Winny Curfs
Tel: + 31 43 3296320
w.curfs@eipa.eu

Fee
The fee includes documentation and refreshments. Lunches, a reception or dinner are included if mentioned in the programme. Accommodation and travel costs are at the expense of the participants or their administration.

Discounts
EIPA offers a 10% discount to all civil servants working for one of EIPA’s supporting countries, and civil servants working for an EU institution, body or agency.

Who are the supporting countries?
Civil servants coming from the following EIPA supporting countries are entitled to get the reduced fee: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Spain, Sweden, United Kingdom.

For all other participants, the regular fee applies.

Meals
Lunches, the reception or dinner will be served at a restaurant in town. Special dietary requirements (e.g. vegetarian, diabetic) can be indicated once you receive the confirmation of the seminar.

Hotel reservations
EIPA has special price arrangements with a number of hotels. All hotels are within 10 minutes walking distance from EIPA. Should you wish to make use of this possibility, please book directly via the links below. Payment is to be made directly and personally to the hotel upon checking out. At the time of booking, please mention in the requested field the EIPA project number for your course.

Payment
Prior payment is a condition for participation.

Cancellation policy
For administrative reasons you will be charged €150 for cancellations received within 15 days before the activity begins. There is no charge for qualified substitute participants.

EIPA reserves the right to cancel the activity up to 2 weeks before the starting date. In that case, registration fees received will be fully reimbursed. EIPA accepts no responsibility for any costs incurred (travel, accommodation, etc.). 

The programme

Trainer: Fernando Poças da Silva, Portuguese Data Protection Authority, Lisbon (PT)

MONDAY 28 OCTOBER 2019

Trainer: Dr Theo Jans, Associate Professor, EIPA Maastricht
09.00 Introduction to the course
General overview of a DPIA

  • Key concepts
  • Methodology
  • Benefits
10.30 Coffee break
10.45 Threats to personal data and risk management

  • Definition of privacy risks
  • Conducting risk assessments
  • Rating risk level – likelihood and severity
  • Countermeasures
  • Examples
12.30 Lunch
 
14.00 Assignment: practical case

  • Identifying data protection risks in several cases
  • Proposing mitigation measures
15.30 Coffee break
16.00 Conducting a DPIA

  • Actors in a DPIA process
  • Understanding of the project, terms of reference, resources and time frame
  • When to perform a DPIA
  • The role of the DPO
  • Examples
17.30 End of the day
19.00 Dinner in a restaurant in town

TUESDAY 29 OCTOBER 2019
09.00 DPIA process

  • Description of the collection of personally identifying information (PII) and data flow
  • Compliance with data protection requirements
  • Assessment of the privacy risks and recommendations/mitigation
  • Validation
  • Examples
10.30 Coffee break
 
10.45 Assignment: practical case

  • Performing a DPIA on several cases
12.30 Lunch
14.00 DPIA follow-up

  • Creating a register of DPIAs
  • Reporting validation
  • Mitigating measures
  • Decision regarding a prior consultation
  • Follow-up on the decision regarding a prior consultation
15.30 Coffee break
16.00 Assignment: practical case

  • Performing an evaluation report on the DPIA of the several cases, and deciding on prior consultation
16.45 Golden rule of a DPIA

  • Wrapping up the DPIA process
  • Updating the DPIA, if there are any changes
  • Conclusions of the DPIA process
17.30 End of the course

Confirmation
Confirmation of registration will be forwarded to participants on receipt of the completed online registration form.