“The clock is ticking and on 25 May 2018 the new and highly complex General Data Protection Regulation (GDPR) is set to take effect. With new and highly onerous fines, it is essential to ensure that your firm is GDPR compliant.”

The Training Course






The new GENERAL DATA PROTECTION REGULATION (2016/679) (GDPR) represents one of the most significant changes in the existing data protection framework in place across the European Union (EU). Its territorial scope is extremely broad and so many companies based outside the EU that are processing personal data about individuals based in the EU will now need to comply with its provisions. The new and complex risk-based framework now imposes onerous accountability requirements on data controllers and data processors, and also brings in new types of data such as genetic, pseudonymous, and biometric data. It is imperative that firms not only clearly and comprehensively understand the new framework, but that they are also able to understand what changes they need to make internally in order to be GDPR compliant. This new two day GDPR: Operational Compliance Training Course will expertly guide attendees through the legal, technological, and operational framework, as well as providing real and unique strategic perspectives. Attendees will also be guided through a range of data protection compliance technology tools and software, and will also learn about offerings from third party data service providers.


MODULE 1: An Overview of the New General Data Protection Regulation (GDPR) Framework

• An Overview of the new General Data Protection Regulation.

• A Summary of the Main Changes from the EU Data Protection Directive.

• Material and Territorial Scope; Extraterritorial Effect; Definitions; Genetic and Biometric Data; Pseudonymous Data; Exemptions (Entity, Activity), Derogations, Special Conditions, Restrictions.

• An Overview of Implementation Costs for average Small and Medium-Sized Enterprises (SMEs).


MODULE 2: The GDPR Operational Framework: PART I

• Key Concepts in the GDPR Framework (Personal Data; Data Processing; Data Controllers; Data Processors).

• Principles relating to the Processing of Personal Data and Lawfulness of Processing.

• Grounds for Processing Data and Data Rights (Rectification, Objection, Erasure, Subject Access, Data Portability, Restriction of Processing, Profiling Rights).

• Legal Basis for Data Processing; Conditions for Consent, Legitimate Interest Legal Basis; Purpose Limitation Principle; Processing of Special Categories of Personal Data.


MODULE 3: The GDPR Operational Framework: PART II

• Key Concepts in the GDPR Framework (Personal Data; Data Processing; Data Controllers; Data Processors; Data Transfers; Profiling and Automated Decision-Taking).

• Records of Processing Activities, Accountability, the Rights of the Data Subject, and Controller-Processor Relationship Agreements.

• The Right to Information and Access to Personal Data.

• Data Governance Obligations, Data Breaches, Data Breach Reporting.


MODULE 4: Organisational Readiness for the GDPR: PART I

Data Protection Officer Responsibilities and Data Privacy Impact Assessments.

Supervision, Non-Compliance, Sanctions and Fines.

Codes of Conduct, Data Protection Certification Mechanisms, Data Protection Seals and Marks, and Developing a Transparent and Robust Information Governance Framework.

Transfers of Personal Data to Third Countries.





MODULE 5: Organisational Readiness for the GDPR: PART II

• Data Protection Officer Responsibilities and Drafting Data Protection Codes of Conduct.

• GDPR Guidance (Data Portability; Lead Supervisory Authorities; Data Protection Officers).

• GDPR Gap Analysis and Implementation Roadmaps, and Recording Data Processing Activities.

•  GDPR Compliance Programmes, Internal Controller Effectiveness Verification, and Independent Expert Effectiveness Verification.


MODULE 6: GDPR Strategic Perspectives

• The GDPR, Data Protection, the Cloud, and Cloud App Data Processing Agreements.

• Data Security (Pseudoanonymisation, Pseudonymous Data, and Encrypted Data, Encryption), Risk-Based Approach for the Security of Processed Data, and the Data Security Guidelines.

• Big Data, Data Profiling, and High-Risk Activities.

• Transfers to the United Kingdom and Brexit Issues, Transfers to the United States and the Privacy Shield Issues.


MODULE 7: Data Protection Compliance Technology Tools and Software

• Overview of Key Requirements (Content Filtering; Stream-Based Protection; Bandwidth Optimization; Privacy-by-Design Requirements; Digitization Strategy)

• Security Architecture, Security Policy, Privileged Credentials, Digital Identities, Encryption, Scalable SSL Decryption with Micro-Segmentation.

• Test Data Management (People, Systems, and Technology), Copying, Masking.

• A Review of Select GDPR Software Technology Tools and Software: (1) Software AG; (2) Veritas; (3) CA Technologies; (4) Iboss Cybersecurity.


MODULE 8: GDPR Third Party Processors and CloudService Providers

• GDPR and Third Party Processors Compliance (Article 33), GDPR Accreditation, Cloud Services Assurances.

• GDPR and Third Party Processors Contractual Requirements (Article 28) (Subject-Matter; Duration of Processing; Nature and Purpose of Processing; Categories, Personal Data Types; Controller Rights and Obligations).

• Article 29 Working Party Data Protection Code of Conduct on Cloud Computing.

• Third Party Processors and Direct Liability (Article 82), Contractual Breach, Liability for Damages (Controller, Data Subject), Limitation of Liability Clauses.




Training Course Expert Trainer


Rodrigo Zepeda is Co-Founder and Managing Director of Storm-7 Consulting. He is an expert consultant who specialises in derivatives and banking and financial services law, regulation, and compliance. He is an expert in a very broad range of regulatory compliance frameworks such as FATCA, the OECD CRS, MiFID II, MAD 2 MAR, PSD2, CRD IV, Solvency II, OTC Derivatives, CCP Clearing, PRIIPs, BRRD, AML4, and the GDPR. He holds a LLB degree, a LLM Masters degree in International and Comparative Business Law, and has passed the New York Bar Examination. He was an Associate (ACSI) of the Chartered Institute for Securities & Investment from 2004 to 2014 and is now a Chartered Member (MCSI). He has created and delivered numerous conferences and training courses around the world such as 'FATCA for Latin American Firms' (Santo Domingo, Dominican Republic, Panama City, Panama), 'MiFID II: Regulatory, Risk, and Compliance (London, United Kingdom (UK)), and 'Market Abuse: Operational Compliance' (London, UK). He has also delivered numerous in-house training Courses around the world to major international financial institutions such as The Abu Dhabi Investment Authority (MiFID II: Operational Compliance, Abu Dhabi, the United Arab Emirates), the United Nations Principles of Responsible Investment (MiFID II: Final Review, London, UK), and CAF, the Development Bank of Latin America (Swaps and Over-the-counter Derivatives, Lima, Peru). He is a Reviewer for the Journal of Financial Regulation and Compliance and has also published widely in leading industry journals such as the Capco Institute's Journal of Financial Transformation, the Journal of International Banking Law and Regulation, as well as e-books on derivatives law. Noted publications include "Optimizing Risk Allocation for CCPs under the European Market Infrastructure Regulation"; "The ISDA Master Agreement 2012: A Missed Opportunity"; "The ISDA Master Agreement: The Derivatives Risk Management Tool of the 21st Century?"; "To EU, or not to EU: that is the AIFMD question"; and "The Industrialization Blueprint: Re-Engineering the Future of Banking and Financial Services?".


Key Benefits


  • Attendees will be clearly and logically instructed on the new GDPR operational framework.


  • Attendees will be provided with highly comprehensive GDPR regulatory compliance training materials (training manual, definitions, materials, charts, PowerPoint presentations).


  • Attendees will have a comprehensive understanding of cross-border data transfers.


  • The training course aims to be interactive, with an additional client review session at the end of day two, and a follow-up questionnaire to ensure all GDPR queries are answered. 

Course suitable for


All Data Controllers and Data Processors processing or holding European personal data on data subjects both inside and outside of the EU.