01

ISDP©10003:2015. The course

Auditing is a strategic activity to maintaining compliance with current regulations on any data protection management system. The ability to design audits and make them effective helps guarantee that every activity carried out by the data controller, to create a good privacy management system, is implemented correctly and maintained over time. This course creates the basis with which trained auditors and the Lead Auditor can manage, schedule, conduct and implement a first party, second party and a third party audit plan in reference to the requirements of ISDP©10003:2015.
The course is structured so that participants can acquire all the practical tools and skills necessary to verify data protection systems, including the organisation and the assessment of the quality of the data stored in databases, including as part of second party audits of suppliers and sub-contractors.
The course is preparatory and qualified by InVeo for registration in the Register of Auditors/Lead Auditors who have been qualified for the ISDP©10003:2015 scheme and the award of the relative certification.

The course

Module 1

  • The European Regulation, EU GDPR 2016/679
  • General processing principles (articles 5 – 11)
  • Data Controllers and Data Processors
  • Joint Data Controllers
  • Privacy by design & by default
  • Data Mapping
  • Risk assessment
  • Analytical assessment tools

Module 2

  • Data breaches
  • Impact Assessment on data protection (PIAs)
  • Certification mechanisms
  • Codes of conduct
  • Transferring data overseas
  • Compensation and penalties
  • ISDP guidelines

Module 3

  • Assessment in terms of the origin of risk
  • Introduction to ISO/IEC 31000
  • How to carry out a risk assessment
  • Adopting suitable internal practices in order to prevent, mitigate and/or eliminate risks that threaten data
  • Possible guidelines issued by the authority
  • Ways to establish whether data processing carries a risk or a high risk
  • Ways to perform maintenance, periodic checks
  • Analytical assessment for audits carried out on the risks of loss, modification, disclosure or illicit access of personal data



Module 4

  • Assessment of suitability
  • When it is necessary to perform a DPIA
  • Performing an Impact Assessment (DPIA) outside of the cases in which it is mandatory
  • Assessment regarding the origin, particular nature and severity of risks to freedoms and rights
  • How to carry out an Impact Assessment
  • Which methodologies and tools can be used
  • Risk and High Risk
  • Mitigating risks, available technologies and implementation costs
  • Possible regulatory authority consultation

Module 5

  • Professional qualities of a DPO
  • Article 5
  • Accountability
  • The DPO and the audit
  • Audit regulatory system
  • Data quality verification and assessment methodologies
  • DPO guidelines
  • Case Histories and operational issues
Aims

The course offers technical and practical skills to carry out first party, second party and third party audits in order to assess suitability to the new European regulations. Special attention is given to the skills to assess management, in terms of precision and correctness, of personal data stored in a company's archives in compliance with the principles referred to in article 5 of EU Regulation 2016/679.
Professional results:
At the end of the course participants will be able to:
Understand the aims and the benefits of a certification system compliant with EU Regulation 2016/679
Acquire techniques and methodologies to perform and manage an Audit on the compliance of a data protection system and the relative certification
Plan a check, conduct an audit, prepare a report, carry out a surveillance audit on data protections systems to assess compliance to the ISDP©10003:2015 scheme, in accordance with that indicated in ISO/IEC 17065 and ISO 19011

Teaching

Courses are given by teachers with specific experience in data protection certification mechanisms.
The examination board is made up of people that have taken part in training/educating candidates: a technical expert, a lawyer and a representative from the interested parties.  

Target audience
  • Inspectors and Assessors at Certification Bodies who want to obtain certification in order to carry out third party audits, on behalf of their organisations, in order to be able to issue certification of compliance to the ISDP©10003:2015 scheme.
  • Whoever wishes to obtain techniques and knowledge on performing audits regarding data protection (DPO, etc.).
  • Auditors of information security management systems who wish to obtain techniques and knowledge of the specifics of data protection auditing.
  • Consultants who want to offer consulting on structuring in compliance with data protection management systems.
  • Data protection professionals.
Minimum requirements
  • basic knowledge of Italian Legislative Decree 196/2003
  • basic knowledge of EU Regulation 2016/679
  • basic knowledge of UNI EN ISO 19011
Course structure. Modules

5 modules

  • MODULES 1,2 * 
    2 days 16 h + progress test
    €1.560,00+IVA 22%                                                 

  • MODULE 3** 
    1 day  8 h + progress test
    € 700,00+IVA 22%                                                

  • MODULE 4** 
    1 day  8 h + progress test
    € 700,00+IVA 22%                                                 

  • MODULE 5 
    1 giorno  8 h  with cases studies exercises
    costo € 500,00+IVA 22%                             

  • Final Examination*** 
    per l’iscrizione al Registro ISDP©10003:2015 Auditor/Lead Auditor
    costo € 250,00+IVA 22%

Admission to successive modules is open to those who have attended and passed the preceding modules 
*modules 1 and 2 are consecutive 
**modules 3, 4, 5 can be substituted by 2 accompanied audits on clients selected by the auditor (the assessment sheet substitutes for the progress test)
***The examination is organised into 3 tests, one written, multiple choice exam, one oral exam and one simulation of a documentary audit; to be admitted to the final examination, a candidate must pass all the preceding progress tests. If the candidate fails to pass the examination, it can be retaken in a subsequent session with a 50% reduction.

Final examination

The course includes a final examination and, if passed, the candidate will receive a proficiency certificate that enables him/her access to the Auditor certification register.
The examination is organised into three tests, one written, multiple choice exam, one oral exam and one simulation of a documentary audit and focuses solely on the topics dealt with during the course; to be admitted to the final examination, a candidate must pass all the preceding progress tests.
The examination sessions will be established in a timetable that will be prepared at the beginning of each year, taken at a single location in Rome on a quarterly basis. Exclusively for 2017, two extraordinary sessions are planned for November and December.
Participants who fail to pass the examination at the end of the course will receive an attendance certificate and for registration in the register of Auditors or Lead Auditors, they will have to retake the examination not earlier than 90 days from the last test.

The certificate

The certificate is valid for three years, at the end of which it will have to be renewed.
Renewing is necessary in order to continuously update and maintain skills, but also to comply with the regulations in force, with the provisions issued by the supervisory authority and with the updates to the ISDP©10003:2015 scheme.
During the three years, the auditor/lead auditor will have to send documentation attesting to the required training and professional experience requirements, as in the preceding point regarding updating skills.
The registration and maintenance costs are 200.00 euro per year.

Maintenance Requirements

Maintenance/updates must be annual and may be done after an assessment of the documentation submitted by the auditor to InVeo srl on the basis of that provided by the scheme owner:

16 credits (1h=1 credit) from:

  • participation at courses and seminars accredited by InVeo,
  • courses and seminars held by competent authorities

10 days of auditing or 3 audits