GDPR AUDITOR Training Pathway according to ISDP©10003 Scheme

Auditing is a strategic activity for maintaining compliance with current regulations of any data protection management system. The ability to design and make effective audits in the field, helps to ensure that all activities put in place by the data controller for the implementation of a good privacy management system, are implemented correctly and maintained over time. This course create the technical and methodological conditions so that trained auditors and Lead Auditors are able to manage, plan, conduct and implement a first second and third party audit plan with reference to the requirements of the ISDP©10003 standard. The course is structured so that the participant acquires all the practical tools and skills to carry out audits of data protection systems, including the structure and quality assessment of data contained in Data bases, including in second-party audits to suppliers and subcontractors.

The course will be held ONLINE, on the GoToMeeting platform, as part of Inveo's #privacyhome program to address the Covid-19 emergency.

The course is preparatory and qualified inVeo for registration in the register of European Privacy Auditor/Lead Auditor qualified for the ISDP©10003 scheme and privacy assessor according to the UNI 11697:2017 standard with obtaining the relevant AICQ-SICEV certifications.

SESSION 16 HOURS

• Understand, acquire, plan an audit
• ISDP Guidelines©10003
• EDPB Guidelines 1/2018
• The technical structure ISDP©10003
• The lawfulness of treatment
• Transparency Guidelines WP260 rev.01
• Consent Guidelines WP 256 rev.01
• Data mapping and risk assessment
• DPO Guidelines WP243 rev.01
• Control Authority Guidelines WP 244 rev.01
• Risk and analytical assessment tools
• Sanctions Guidelines WP 253
• Impact assessment
• Impact assessment guidelines WP 248 rev.01
• Guideline 4/2018 Accreditation of certification bodies
• Guidelines 1/2018 Certification

24-HOUR SESSION

• Interrelationships figures privacy
• UNI ISO 31000 Standard
• Analytical risk assessment
• The role of the DPO
• Integration of organizational processes and the risk management process
• The conduct of the evaluation
• Prevention and mitigation
• Periodic audits and review
• The analytical evaluation of audits
• The hot areas: legal, compliance and IT
• General principles
• When to conduct a DPIA
• Decision criteria for a DPIA
• Contexts in which to develop a DPIA
• DPIA and risk variations in ongoing treatments
• Relationships with Owner, Manager, and Authority
• Conducting the DPIA
• EDPB Guidelines (formerly WP29)
• Methodology and tools.
• Technologies and costs of implementing a DPIA
• The Treatment Registry
• Log types and format
• Data contained in the owner's record
• Data contained in the register of the person in charge
• Retention times, processes and changes
• Methodological approach for management
• ISO 19011. Audit Management System
• Fields of application
• Initiating, preparing, conducting, and closing Audit
• The survey collection methods
• Analysis of the findings of an audit plan

Structure of the course. Sessions 

The AUDITOR GDPR course consists of 2 training sessions of 16+24 hours hours for a total of 40 hours.
The course will be held ONLINE, on the GoToMeeting platform, as part of Inveo's #privacyacasa program to address the Covid-19 emergency.

SESSION 16 h* 
2 days 16 h + learning test

SESSION 24 h
3 days 24 h + learning test and case histories

Final exam
for ISDP©10003:2020 Data Protection Auditor/Lead Auditor/Privacy Assessor registration.

Purpose

The course provides the theoretical and practical skills to conduct first, second and third party audits for the assessment of adequacy to the new European standards. Special attention is further paid to the skills for assessing the management in accuracy and correctness of personal data contained in the archives of companies in compliance with the principles of Art. 5 EU Reg. 2016/679.

Professional Outcomes: 
At the end of the course participants, will be able to:

Understand the purpose and benefits of a certification system adapted to EU Reg. 2016/679
Acquire techniques and methodologies for conducting and managing an Audit for compliance of a data protection system and its certification
Plan an audit, conduct an audit, prepare reports, conduct surveillance audits of data protection systems to assess compliance with the ISDP©10003:2015 scheme as outlined in ISO/IEC 17065 and ISO 19011.

Teaching

The courses are taught by lecturers with specific experience in the field of data protection certification mechanisms.
The examination board is composed of figures who did not take part in the training/training of the candidates: a technical expert, a jurist and a representative of stakeholders.  

To whom it is addressed

• Inspectors and assessors of Certification Bodies who wish to acquire certification to conduct third-party audits, on behalf of their bodies, for the purpose of issuing certifications of compliance with the ISDP©10003 scheme.
• Those who wish to acquire techniques and knowledge on how to conduct audits in the area of data protection (DPO, etc.)
• Auditors on information security management systems who intend to acquire specific techniques and knowledge in data protection auditing
• Consultants who want to advise on structuring data protection management systems in compliance
• Data protection professionals

Minimum requirements

• basic knowledge EU Reg.2016/679 
• basic knowledge of uni en iso 19011

Final Examination

The course includes a final exam, the passing of which will enable the receipt of an AICQ-SICEV certificate of competence that allows access to the certification register for Data Protection Auditor/ Data Protection LeadAuditor or Privacy Assessor.  
For more information on conduction and modalities see AICQ SICEV Regulations.

Data Protection Auditor Register Entry

The Data Protection Auditor (ISDP©10003) is a profile that meets specific knowledge, skill, competence and training requirements under UNI 11697:2017 and the ISDP©10003 certification scheme (under IS/IEC 17065:2012), which can perform 1st, 2nd and 3rd party audits, "monitors the compliance of personal data processing with applicable laws and regulations," and is able to implement policies to assess the adequacy of a system of analysis and control of the principles and reference standards in the field of personal data processing. For more information on membership see AICQ SICEV Regulations

Data Protection Lead Auditor Register Entry

The Lead Auditor Data Protection (ISDP©10003) is a profile with relevant 3rd party audit experience gained also on other Certification Schemes (ISO 9001 and ISO 27001) consistent with the specific minimum requirements. For more information on registration see AICQ SICEV Regulations

Retention requirements

For information on how to maintain see AICQ SICEV Regulations

Privacy assessor registry entry

The Privacy Assessor is understood to be a profile that meets specific knowledge, skill, competence and training requirements according to UNI 11697:2017, which can perform 1st and 2nd party audits and "monitors the compliance of personal data processing with applicable laws and regulations." For more information on membership see Regolamento AICQ SICEV