We recently spoke at the Step Into Cyber event organized at the University of Nottingham by Steven Furnell, among others. One of our fellow speakers was Kevin Streater, Chief Operating Officer of the Chartered Institute of Information Security.
Ansel was lucky enough to speak with him at greater length about how best to leverage his legal background in the world of information security. Kevin's recommendations centred largely on the International Association of Privacy Professionals (IAPP) and its Certified Information Privacy Professional (CIPP) certifications, of which CIPP(e) is the most pertinent to us as a European company. To investigate the certification, Ansel took the introductory prep course on Udemy, which positions itself both as a general GDPR readiness tool and as a CIPP(e) prep tool. Our evaluation follows.
The first module focused on data mapping not as an audit requirement, but as a foundation for privacy decision-making. The lecture demonstrated applying these principles to a new client onboarding and discovering flows of personal data across departments and systems.
The governance module emphasised the importance of ownership and oversight. The lecture showed how to review client structures, formalise data protection roles, escalate to a Data Protection Officer (DPO) where required, and clarify escalation paths.
In the third session, the course moved on to risk-responsive policy development. Instead of relying on boilerplate documentation, the lecture walked through guiding clients to create targeted controls for high-risk areas such as retention, breach reporting, and vendor agreements. Each policy was linked to the client's actual exposure, not just to the regulation.
The next dedicated lecture covered external privacy notices. We were guided through reviewing privacy statements across websites, HR systems, and mobile apps. The recommended updates included layered structures, clearer language, and defined version control procedures to reflect changes in processing or technology.
The fifth module reinforced the need to justify every processing activity. The lecture included supporting clients in mapping lawful bases (under Articles 6 or 9), building out Records of Processing Activities (RoPAs), and developing Legitimate Interest Assessments (LIAs) and DPIAs where needed.
6. Data Subject Rights Handling
Next, the lecture explored building workflows around subject access and other rights, including implementing structured intake, verification, and response processes, with each step tracked for accountability.
7. International Data Transfers
A later session focused on Schrems II and third-country transfers helped me understand approaches to cross-border risk. We reviewed how to develop Transfer Impact Assessments (TIAs), apply the updated Standard Contractual Clauses (SCCs), and implement encryption and access control requirements for US- and APAC-based services.
The module on personal data breaches was a bit of a wake-up call as to what is expected of organizations in the event of such breaches. The worked example concerned creating a breach register, updating client protocols to distinguish between minor incidents and notifiable breaches, and conducting tabletop exercises to test your team's response speed and clarity.
In the final phase of the course, emphasis shifted to awareness and maintenance. The lecture covered how to introduce policy acknowledgment workflows, targeted training refreshers, and just-in-time system prompts, and how these interventions help reinforce key GDPR principles within everyday tools and processes.
The training reinforced the importance of data quality under Article 5(1)(d), and showed how to help clients or your own business implement periodic data reviews, self-service update options, and the flagging of data discrepancies through exception reporting, ensuring systems remain accurate and actionable.
One lecture near the end of the course focused on privacy in business change, including embedding DPIA triggers into procurement and development lifecycles, introducing privacy-by-design checklists, and maintaining a central DPIA log with outcomes and mitigations documented.
To strengthen vendor compliance, the lecturer recommended introducing GDPR-compliant data processing agreements (DPAs), updating your onboarding due diligence, and launching vendor monitoring schedules based on SOC 2/ISO 27001 certifications.
13. Monitoring Performance
Finally, the course underlined the need to prove control effectiveness. It recommended establishing dashboards for key GDPR KPIs such as SAR response times, DPIA coverage, breach resolution speed, and vendor audit findings, supporting ongoing improvement and leadership reporting.
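To make the breach-register module and the KPI dashboard concrete, here is an added example of what such a register and roll-up can look like in code. It is not code from the course or from SSC: the registers, the sample entries and the thresholds are constructed for illustration. The thresholds are assumptions chosen for the example (a SAR counts as on time if answered within 30 days, approximating the one-month window of Article 12(3); a breach is treated as notifiable when it carries a risk to individuals and must then be reported within 72 hours of awareness, per Article 33(1)).

```python
"""Breach register and GDPR KPI roll-up (added illustration; thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAR_WINDOW = timedelta(days=30)      # assumption: Art. 12(3) "one month" ~= 30 days
BREACH_WINDOW = timedelta(hours=72)  # Art. 33(1) notification window


@dataclass
class Sar:
    ref: str
    received: datetime
    responded: Optional[datetime] = None

    def on_time(self, now: datetime) -> bool:
        """Answered (or, if still open, not yet overdue) within the window."""
        return (self.responded or now) - self.received <= SAR_WINDOW


@dataclass
class Breach:
    ref: str
    aware: datetime              # when the organisation became aware
    risk_to_individuals: bool    # handler's assessment; drives minor vs notifiable
    notified: Optional[datetime] = None
    resolved: Optional[datetime] = None

    @property
    def notifiable(self) -> bool:
        """The register's key distinction: minor incident vs notifiable breach."""
        return self.risk_to_individuals

    @property
    def deadline(self) -> datetime:
        return self.aware + BREACH_WINDOW

    def notified_late(self, now: datetime) -> bool:
        """True when a notifiable breach was (or still is) reported after its deadline."""
        return self.notifiable and (self.notified or now) > self.deadline


@dataclass
class Project:
    name: str
    high_risk: bool   # would trigger a DPIA under the privacy-by-design checklist
    dpia_done: bool


@dataclass
class VendorAudit:
    vendor: str
    open_findings: int


def kpis(sars: List[Sar], breaches: List[Breach], projects: List[Project],
         audits: List[VendorAudit], now: datetime) -> Dict[str, float]:
    """Roll the registers up into the dashboard figures the course lists."""
    answered = [s for s in sars if s.responded]
    resolved = [b for b in breaches if b.resolved]
    high_risk = [p for p in projects if p.high_risk]
    return {
        "sar_on_time_rate": sum(s.on_time(now) for s in sars) / len(sars) if sars else 1.0,
        "sar_avg_days": sum((s.responded - s.received).days for s in answered) / len(answered) if answered else 0.0,
        "breaches_notified_late": sum(b.notified_late(now) for b in breaches),
        "breach_avg_resolution_hours": sum((b.resolved - b.aware).total_seconds() for b in resolved) / 3600 / len(resolved) if resolved else 0.0,
        "dpia_coverage": sum(p.dpia_done for p in high_risk) / len(high_risk) if high_risk else 1.0,
        "vendor_open_findings": sum(a.open_findings for a in audits),
    }


NOW = datetime(2024, 6, 1, 9, 0)  # constructed "today" for the sample


def sample_registers():
    """Constructed sample entries: one late SAR, one late notification, one minor incident."""
    sars = [Sar("SAR-1", datetime(2024, 4, 1), datetime(2024, 4, 20)),
            Sar("SAR-2", datetime(2024, 4, 10), datetime(2024, 5, 15)),   # 35 days: late
            Sar("SAR-3", datetime(2024, 5, 20))]                          # still open, in time
    breaches = [Breach("BR-1", datetime(2024, 5, 1, 10), True, datetime(2024, 5, 2, 16), datetime(2024, 5, 3, 10)),
                Breach("BR-2", datetime(2024, 5, 10, 9), False, None, datetime(2024, 5, 10, 12)),  # minor incident
                Breach("BR-3", datetime(2024, 5, 25, 8), True, datetime(2024, 5, 29, 8))]          # 96h: late
    projects = [Project("hr-portal", True, True), Project("analytics", True, False), Project("intranet", False, False)]
    audits = [VendorAudit("payroll-vendor", 2), VendorAudit("cloud-backup", 0)]
    return sars, breaches, projects, audits


def demo() -> Dict[str, float]:
    return kpis(*sample_registers(), NOW)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the structure is that the triage decision (`risk_to_individuals`) is recorded once, at the register, and every downstream figure (deadline, lateness, dashboard) is derived from it; a dashboard built this way can show leadership exactly which entries drove a missed KPI rather than just the aggregate.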
14. Study Tips
The course ends with a few study tips, including recommended materials (other than itself) for attempting the CIPP(e) certification. From my own experience, and judging by most online reviews, the course is a great grounding for small-business GDPR prep and compliance, and a decent, if not complete, preparation tool for the CIPP(e) exam. For its cost and general availability, SSC would consider it a great first introduction to GDPR readiness in general, and to the IAPP CIPP certification sphere more specifically.
Data privacy has long been part of enterprise applications and systems, and compliance may already be baked into systems you use. SSC has experience with some of these tools, especially in Oracle's applications suite.
Oracle's Privacy section in its security guide is a good resource for understanding how the enterprise applications categorize and protect private data.
Oracle Fusion Applications Security Guide
If you would like to know more about these tools, or how best to ensure your enterprise systems are up to date with current data privacy regulations, contact us at info@SoftwareStrategyConsulting.co.uk or on +44(0)7904 429874.