Privacy & Data Protection Practitioner Courseware - English - Marios Siathas - E-Book


Marios Siathas


Description

Besides the Privacy & Data Protection Practitioner Courseware - English (ISBN: 9789401803595) publication, you are advised to obtain the following publications:

- EU GDPR, A pocket guide (ISBN: 978 1 849 2855 5)

- Data Protection and Privacy Management System. Data Protection and Privacy Guide - Vol. 1 (ISBN 978 87 403 1540 0)

With the ever-increasing explosion of information flooding the internet, every company needs to plan how to manage and protect the privacy of persons and their data. Not without reason, many new laws - in the EU as well as in the USA and many other regions - are being formed in order to regulate both. The European Commission has just published the EU General Data Protection Regulation (GDPR), meaning that all organizations concerned need to comply with specific rules.

This Practitioner certification builds on the subjects covered by the Foundation exam by focusing on the development and implementation of policies and procedures in order to comply with existing and new legislation, on the application of privacy and data protection guidelines and best practices, and on establishing a Data and Privacy Protection Management System. This Practitioner-level certification will be particularly useful to Data Protection Officers (DPOs) / Privacy Officers, Legal / Compliance Officers, Security Officers, Business Continuity Managers, Data Controllers, Data Protection Auditors (internal and external), Privacy Analysts and HR managers. As this is an advanced-level certification, it is highly recommended to have previously passed Data Protection Foundation.

Page count: 202

Year of publication: 2018




Privacy & Data Protection Practitioner Courseware – English

Colophon

Title: Privacy & Data Protection Practitioner Courseware – English

Authors: European Institute of Management and Finance

Publisher: Van Haren Publishing, 's-Hertogenbosch

ISBN Hard Copy: 978 94 018 04 332

Edition: First edition, first print February 2019

Design: Van Haren Publishing, 's-Hertogenbosch

Copyright: © Van Haren Publishing 2019

For further information about Van Haren Publishing please e-mail us at: [email protected] or visit our website: www.vanharen.net

All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by the publisher.

Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.

The certificate EXIN Privacy and Data Protection Foundation (PDPF) is part of the EXIN qualification program Privacy and Data Protection.

About the Courseware

The Courseware was created by experts from the industry who served as the author(s) for this publication. The input for the material was based on existing publications and the experience and expertise of the author(s). The material has been revised by trainers who also have experience working with the material. Close attention was also paid to the key learning points to ensure what needs to be mastered.

The objective of the courseware is to provide maximum support to the trainer and to the student, during his or her training. The material has a modular structure and according to the author(s) has the highest success rate should the student opt for examination. For this reason, the Courseware has also been accredited, wherever applicable.

In order to satisfy the requirements for accreditation the material must meet certain quality standards. The structure, the use of certain terms, diagrams and references are all part of this accreditation. Additionally, the material must be made available to each student in order to obtain full accreditation. To optimally support the trainer and the participant of the training assignments, practice exams and results have been provided with the material.

Direct reference to advised literature is also regularly covered in the sheets so that students can easily find additional information concerning a particular topic. The decision to separate note pages (handouts) from the Courseware was to encourage students to take notes throughout the material.

Although the courseware is complete, the trainer may deviate from the structure of the sheets or choose not to refer to all of the sheets or commands. The student can always cover these topics and go through them on their own time. It is strongly recommended to follow the structure of the courseware and publications for maximum exam preparation.

The courseware and the recommended literature are the perfect combination to learn and understand the theory.

- Van Haren Publishing

Other publications by Van Haren Publishing

Van Haren Publishing (VHP) specializes in titles on Best Practices, methods and standards within four domains:

- IT and IT Management

- Architecture (Enterprise and IT)

- Business Management and

- Project Management

Van Haren Publishing is also publishing on behalf of leading organizations and companies: ASLBiSL Foundation, BRMI, CA, Centre Henri Tudor, Gaming Works, IACCM, IAOP, IFDC, Innovation Value Institute, IPMA-NL, ITSqc, NAF, KNVI, PMI-NL, PON, The Open Group, The SOX Institute.

Topics are (per domain):

IT and IT Management: ABC of ICT, ASL®, CATS CM®, CMMI®, COBIT®, e-CF, ISO/IEC 20000, ISO/IEC 27001/27002, ISPL, IT4IT®, IT-CMF™, IT Service CMM, ITIL®, MOF, MSF, SABSA, SAF, SIAM™, TRIM, VeriSM™

Enterprise Architecture: ArchiMate®, GEA®, Novius Architectuur Methode, TOGAF®

Business Management: BABOK® Guide, BiSL® and BiSL® Next, BRMBOK™, BTF, EFQM, eSCM, IACCM, ISA-95, ISO 9000/9001, OPBOK, SixSigma, SOX, SqEME®

Project Management: A4-Projectmanagement, DSDM/Atern, ICB / NCB, ISO 21500, MINCE®, M_o_R®, MSP®, P3O®, PMBOK® Guide, Praxis®, PRINCE2®

For the latest information on VHP publications, visit our website: www.vanharen.net.

About the Author

Plan ahead

• Plan your studying ahead of time.

• Spread out your study periods into smaller sections.

• Create a study plan that reflects the course schedule.

• Before each scheduled session, study the relevant chapter.

• This way, you will develop a deeper understanding of the subject and be able to ask questions during the course.

• For better retention of knowledge, take regular breaks.

• Divide your studying into sessions of just 20-30 minutes, and focus on a single topic during each session.

Take notes

• When studying the material, take notes and mark anything you don’t understand.

• Create questions that can be asked during your course that are specific to what you don’t understand.

• To better memorize the content, you can create notes or flash cards that you can later use during revision of the material.

• Notes or flash cards can be combined with questions that can help you test yourself later as well.

Test yourself

• Keep practicing with the questions during the study period and make sure you understand the correct answer, but also why the other options are wrong.

• Read and understand the case studies that will be discussed in class.

• Answer the questions from the case studies and practice the answers on your own time as well.

• The exam tests application of knowledge and implementation, so make sure you understand the content in order to answer the relevant questions.

Table of contents

Reflection

Agenda

EXIN Privacy & Data Protection Practitioner Certificate (1)

About this course (3)

Module 1: Data protection policies (17)

1.1 Purpose of the data protection/privacy policies within an organization (19)

1.2 Data protection by design and by default (39)

Module 2: Managing and organizing data protection (45)

2.1 Phases of the Data Protection Management System (DPMS) (46)

2.2 Action plan for data protection awareness (48)

Module 3: Roles of the Controller, Processor and Data Protection Officer (DPO) (160)

3.1 Roles of the controller and processor (161)

3.2 Role and responsibilities of a DPO (186)

Module 4: Data Protection Impact Assessment (DPIA) (238)

4.1 Criteria for a DPIA (239)

4.2 Steps of a DPIA (252)

Module 5: Data breaches, notifications and incident response (265)

5.1 GDPR requirements with regard to personal data breaches (266)

5.2 Requirements for notification (291)

EXIN Practical Assignments

Introduction

Assignment 1

Assignment 2

Assignment 3

Evaluation

e-CF competences for EXIN Privacy and Data Protection Practitioner

EXIN Sample Exam

Introduction

Sample Exam

Evaluation

EXIN Preparation Guide

1 Overview

2 Exam requirements

3 List of basic concepts

4 Literature

Literature A: Guidelines on Data Protection Officers (‘DPOs’)

Literature B: Guidelines on Data Protection Impact Assessment (DPIA)

Self-Reflection of understanding Diagram

“What you do not measure, you cannot control.” – Tom Peters

Fill in this diagram to self-evaluate your understanding of the material. This is an evaluation of how well you know the material and how well you understand it. In order to pass the exam successfully you should be aiming to reach the higher end of Level 3. If you really want to become a pro, then you should be aiming for Level 4. Your overall level of understanding will naturally follow the learning curve. So, it’s important to keep track of where you are at each point of the training and address any areas of difficulty.

Based on where you are within the Self-Reflection of Understanding diagram you can evaluate the progress of your own training.

Write down the problem areas that you are still having difficulty with so that you can consolidate them yourself, or with your trainer. After you have had a look at these, then you should evaluate to see if you now have a better understanding of where you actually are on the learning curve.

Troubleshooting

Timetable

Day 1

Part 1: Introduction - Overview of Foundation Course

Part 2: Topic 1: Data protection policies

Part 3: Practical Assignment 1 – Case Study

Part 4: Topic 2: Managing and organizing data protection

Day 2

Part 1: Topic 3: Roles of the controller, processor and Data Protection Officer (DPO)

Part 2: Practical Assignment 2 – Case Study

Part 3: Topic 4: Data Protection Impact Assessment (DPIA)

Part 4: Practice Questions and discussion

Day 3

Part 1: Topic 5: Data breaches, notification and incident response

Part 2: Practical Assignment 3 – Case Study

Part 3: Multiple Choice for Practitioners

Part 4: Review and Conclusions

Copyright © EXIN Holding B.V. 2018. All rights reserved. EXIN® is a registered trademark.

No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written permission from EXIN.

1. Introduction

Fulfillment of the practical assignments is part of the certification requirements for EXIN Privacy and Data Protection.

Both the trainer responsible for the practical assignments and the candidate must ensure that each candidate participates in the assignments in such a way that individual performance can be observed. This is particularly important in group assignments.

1.1 Adaptations

Accredited training providers may adapt the practical assignments to fit with the examples and use case studies presented in the training.

1.2 General Guidelines

In general, the following guidelines should be followed in addition to the requirements per assignment:

1. The candidate plans the activities within the assignment, unless otherwise stated.

2. The candidate communicates with others where needed.

3. The candidate provides his or her own solutions.

4. The candidate contributes to the quality of the assignment, especially in group-work.

5. Solutions provided are realistic and thus fit for the scenario or case study.

6. Solutions provided match with business and IT objectives.

1.3 e-Competence Framework

The e-Competence Framework (e-CF)¹ is an accepted and common framework developed in Europe (http://www.ecompetences.eu/). EXIN supports the e-CF, because EXIN believes in professionals showing their competences and growing towards their full potential by helping them make their competences transparent. The certificate EXIN Privacy and Data Protection Practitioner is based on the e-CF.

The practical assignments are used to demonstrate practical skills and experience which cannot be tested in a multiple choice exam. Making the practical assignments part of the certification scheme helps to test the entire competence.

1.4 Assessment

Practical assignments can be assessed by an accredited trainer from the accredited training provider. It is the trainer’s responsibility to familiarize themselves with the assessment criteria.

Each assignment has assessment criteria that are based on the exam specifications and linked to the e-CF. The criteria are found in the Checklists. The trainer fills in the checklist for each individual candidate, stating whether or not the criteria have been observed.

The ATO should have evidence that the practical assignments have been done in a particular training; this evidence can be requested in an EXIN audit.

2. Assignment 1: Construct a Data privacy breach response plan and handle a personal data breach

Background

Quazle is a European multinational technology company specializing in internet-related services and products. These include online advertising technologies, search, cloud computing, software, and hardware. The company has a database of just over half a million customers and 500 staff. You work in the multinational privacy team that is based at various office locations and you have a position at the European office which is located in Strasbourg.

Your assignment

The privacy team has just implemented a privacy and data protection program. The next step is to set up a data privacy breach response plan. Divide the roles of the data protection officer (DPO) and two employees in charge of privacy tasks among a privacy team of three candidates.

Divide the below elements among the three of you and construct a data privacy breach response plan that contains at least the following elements:

1. A definition of what constitutes a data privacy breach

2. Categories of data privacy breaches (based on impact and severity)

3. Detailed scenarios & instructions for each category

4. Contact information:

a. Departments and internal stakeholders that should be involved in a data breach response.

b. Supervisory authority

c. Third parties providing services for remediation

5. A set of draft documents to be used for notifying the supervisory authority and the affected individuals and for informing the media

6. Metrics on data privacy breaches

In addition to this the following documents should be available:

7. Logs that prove that the data privacy breach response plan is tested periodically

8. Reports of data privacy breaches that have previously occurred, incl. root cause analyses

9. Each of the team members thinks of a personal data breach that could occur to the personal data processed by Quazle.

The personal data breaches should be:

- considered as such by the General Data Protection Regulation (GDPR) and the applicable Literature

- plausible in this case scenario

10. Imagine you discover that one of the three personal data breaches the team members have proposed has indeed happened. Apply the newly elaborated data privacy breach response plan in this specific case. Divide the tasks according to the legal requirements for the roles of the DPO on the one side and the other roles on the other side.

11. Describe what you should do to contain the data breach and subsequently investigate it.

12. Motivate why you should or should not notify the supervisory authorities and the individuals affected.

Recommended time

3 hours

Expected results

A group presentation of approximately 15 minutes including:

• A data privacy breach response plan for the above company, including the above-mentioned elements

• A list detailing 3 possible personal data breaches

• A report of how you would deal with one of the personal data breaches

Assessment criteria for the assignment

The candidate is able to:

1. cooperate in a team to construct a data privacy breach response plan and respond adequately to a data breach

2. construct a data privacy breach response plan containing the essential elements listed above

3. sketch a plausible personal data breach applicable to the case scenario

4. apply the data privacy breach response plan and:

• act appropriately by taking into account his or her specific role

• act according to the requirements presented in the Literature

• provide sufficient depth of details

• clearly express details of the plan

• clearly explain the reasons for notification, or the reasons for not notifying, and explain to whom the notification should be addressed

Assignment 1 Checklist

The trainer can assess each candidate on each exam specification.

3. Assignment 2: Controller, Processor and Data Protection Officer

Background

In an EU member state two hospitals decide to merge their organizations. Physically, the two hospitals will remain at their current locations. Staff services and specialized medical departments will be merged and (re)located at either one of the two premises. The idea behind this merger is to achieve cost effectiveness and to enable the modernization of the current IT systems and network. This generates more capacity to better serve patients. In addition to this, the merger provides the opportunity to monitor patients at home or in facilities such as retirement homes, nursing homes and rehabilitation centers.

To mitigate the risks of possible privacy data breaches the boards of directors of the two hospitals designate the data center of former hospital A as main data center and the data center of former hospital B as backup center. The two data centers are serviced by different companies.

You are currently working as the data protection officer (DPO) for both hospital organizations. After the merger you will be the DPO for the new organization. To help prepare for the merger, the boards of the two hospitals request that you provide an overview of the processing flows of personal data in the future organization as well as an indication of the data protection risks arising from the merger.

Your assignment

1. Describe and analyze the roles of the different stakeholders involved as controllers, processors or data subjects in the newly merged hospital organization:

• responsible medical departments, like radiology and surgery

• main datacenter

• back-up data center

• the companies servicing the data centers

• hospital pharmacy

• staff, like financial administration and human resources

• patients at home and in retirement centers, etc.

2. Set up a high-level mapping of the data flows of the personal data processed between the above-mentioned parties in the newly merged hospital organization.

3. Describe the possible risks for personal data due to the merger and the responsibilities and challenges you face as a DPO during the merger

Recommended time

2 hours

Expected results

A presentation for the two Boards (approximately 10 minutes) about the following topics in the future situation after the merger:

• a short analysis regarding the roles & responsibilities of the controllers and processors (see above list of stakeholders).

• a high-level mapping of the data flows between these controllers, processors and data subjects

• the DPO’s role and responsibilities towards the various stakeholders (the controllers or processors mentioned earlier)

• an analysis of three data protection risks that might arise from the merger and the recommended mitigating actions

Assessment criteria for the exercise

The individual candidate can:

• analyze which role stakeholders have according to the GDPR and how they interrelate

• make and provide a data mapping of the different roles

• apply the tasks of the DPO in the given specific context

• demonstrate how to act in compliance with the GDPR regulation in the event of a hospital merger

Assignment 2 Checklist

The trainer can assess each candidate on each exam specification.

4. Assignment 3: Executing a DPIA: Outsourcing of personal data processing

Background

A company named Alpha Manufacturing Inc. (Alpha) outsources the payroll processing operation of the company’s employees to a company called Beta Cloud Services S.A. (Beta).

Company Alpha has the role of controller, company Beta has the role of processor.

Company Beta is certified according to the latest ISO 27001 (Information Security) standard and has been selected through the procurement process of company Alpha.

The board of directors of company Alpha has requested that a Data Protection Impact Assessment (DPIA) be performed. The DPIA should address the outsourcing of the processing of personal data (by a newly developed payroll application) to this external service provider, in full compliance with the EU GDPR Regulation. The results have to be reported directly to the board.

A DPIA is required because:

- it concerns application of a new technological solution in a changed organizational set-up.

- the processing of this specific personal data by the external party could have a significant impact on the daily lives and privacy of company Alpha employees

The first two steps of the DPIA have already been executed.

A description of the envisaged processing operations and the purposes of the processing is available. The purpose of the processing has been defined by the board.

The inventory of the payroll personal data and the data flows are available, as well as an overview of the responsibilities for and ownership of these personal data. This inventory was set up by a privacy analyst working at the legal department.

Your Assignment

You are a group of three employees of the privacy department of company Alpha. You divide the roles of the data protection officer (DPO) and two employees in charge of privacy tasks.

The board assigns the three of you as the DPIA project group and asks you to perform the following steps of the DPIA. Since this is a heavy workload you divide the steps among the three of you. Each role takes responsibility for preparing two of the steps of the DPIA.

1. make a list of data subjects and stakeholders (internal and external) that you need to consult;

2. assess the necessity and proportionality of the processing;

3. make a list of measures envisaged to demonstrate compliance with the EU GDPR Regulation;

4. assess the risks to the rights and freedoms of data subjects;

5. present the measures envisaged to address the risks;

6. make an overview of the necessary documentation and products.

Recommended time

3 to 4 hours

Expected Results

A presentation of approximately 15 minutes in which you present your set-up of the remaining DPIA steps and the outline for documentation detailing:

• consultation with the internal and external stakeholders;

• assessment of the necessity and proportionality of the processing;

• measures envisaged to demonstrate compliance with this Regulation;

• assessment of the risks to the rights and freedoms of data subjects;

• measures envisaged to address the risks;

• an overview of the necessary documentation and products.

Assessment criteria for the assignment

• The presentation must contain all above mentioned topics,

• Per candidate 2 of the DPIA steps must be prepared and presented

• The steps must be prepared in accordance with the literature requirements (Literature A and E) and common best practices

• The candidate must be able to provide insight and adequate solutions within the timeframe of the assignment

Assignment 3 Checklist

The trainer can assess each candidate on each exam specification.

5. Evaluation

The trainer can fill out the final evaluation below for each individual candidate. When at least 9 of the 14 criteria (65%) have been observed, the candidate has successfully performed the practical assignments.

Please note that some of the exam specifications are assessed in more than one assignment. If the requirement has been observed in at least one of the assignments, the trainer may assess the exam specification as ‘observed’.

6. e-CF competences for EXIN Privacy and Data Protection Practitioner

You can find all of the e-Competence Framework competences related to the EXIN Privacy and Data Protection Practitioner certification below. Also indicated is the level of the competence and whether the competence is covered entirely, partially or superficially. For more information about the e-CF, please visit http://www.ecompetences.eu/ or contact EXIN.

________________

¹ The text is based on the European e-Competence Framework 3.0. CWA 16234:2014.