This course is available in the Classroom and via Teams

Data Security & Cybersecurity

Course Overview:

Data protection law requires that personal information must be processed in a manner that ensures appropriate security. When it comes to regulatory enforcement, a failure to comply with this obligation is one of the most frequent infringements identified by the Data Protection Commission resulting in fines and sanctions for organisations.

This comprehensive course provides a practical and regulatory-focused guide to data and cyber security obligations under Irish and EU law. With a primary focus on security obligations with respect to personal data under data protection law, it explores the legal, technical, and organisational measures required to protect personal data, prevent breaches, and demonstrate compliance with the GDPR, the Data Protection Act 2018, while also considering emerging cybersecurity frameworks including the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the EU AI Act, as well as other key cybersecurity laws and standards.

Participants will also take away a clear understanding of, and practical approaches to, how to implement a risk-based approach to data security, manage third-party risks, respond to data breaches, and prepare for regulatory enforcement under several cybersecurity regimes. It concentrates on how to avoid breaches from a legal and practical point of view, as well as considering the implications of any breach that might occur.

Key aspects of this session include:

• legal cybersecurity obligations under GDPR and the Data Protection Act 2018, and how these obligations intersect with cybersecurity requirements under NIS2, DORA and the EU AI Act
• risk-based security measures and the accountability principle
• technical and physical security controls, including cyber hygiene and resilience
• organisational governance, training, and documentation requirements
• the requirements for documentation under the various data and cybersecurity regimes and how to comply with them
• the cybersecurity implications of using third parties to process data, such as external contractors and outsourced service providers, with a focus on secure onboarding, due diligence, ongoing monitoring, and supply chain security
• managing processor contracts and data sharing arrangements
• breach detection, notification, and response protocols
• data and cyber incident notification obligations under the GDPR, NIS2, DORA and the EU AI Act
• informing individuals and notifying the Commissioner about data security breaches - what is required and how to go about it
• the powers of the Data Protection Commissioner and other cybersecurity regulators, and other legal and commercial consequences of data security breaches

Attendance on this course can be used as credit towards gaining the Practitioner Certificate in Data Protection.