Data Privacy Essentials Beyond GDPR

What it covers

This programme equips Data Protection Officers and privacy-adjacent professionals with an up-to-date map of global privacy regulations, covering GDPR as the baseline, national EU member-state deviations, and emerging frameworks including the UK Data Protection Act, Swiss nFADP, and Brazil's LGPD. Participants work through real-world cross-border transfer scenarios using Standard Contractual Clauses, adequacy decisions, and Binding Corporate Rules. The format combines structured instruction with case study workshops and regulatory gap analysis exercises. By the end, participants can independently audit their organisation's compliance posture against multiple overlapping frameworks.

What you'll be able to do

• Map your organisation's data flows against GDPR, UK DPA, nFADP, and LGPD obligations simultaneously and identify compliance gaps
• Select and implement the correct cross-border transfer mechanism (SCC, adequacy, BCR, or derogation) for a given scenario
• Conduct a structured regulatory gap analysis comparing your existing privacy programme against at least two non-EU frameworks
• Prepare jurisdiction-specific breach notification timelines and escalation procedures for a multi-country incident response plan
• Advise internal stakeholders on national deviations that affect HR data, health data, or marketing activities in specific EU member states

Topics covered

• GDPR core obligations, accountability principle and enforcement trends
• National EU member-state deviations and sector-specific exemptions
• UK Data Protection Act 2018 and post-Brexit divergence
• Swiss nFADP: scope, obligations and transition timeline
• Brazil LGPD: key differences, ANPD enforcement and data subject rights
• Cross-border transfer mechanisms: SCCs, adequacy decisions, BCRs, derogations
• Regulatory gap analysis and multi-regime compliance mapping
• Data breach notification obligations across jurisdictions

Delivery

Delivered as a blended programme over two to three days, either in-person or live virtual (Zoom or Teams). Each day combines 60% structured instruction and 40% applied exercises including regulatory mapping workshops, mock regulator Q&A, and case study debriefs. Participants receive a regulatory comparison matrix, a cross-border transfer decision tree, and templates for gap analysis reports. A follow-up 90-minute online clinic is included 4 weeks post-training to address implementation questions.

What makes it work

• Assign a named internal champion per jurisdiction who attends the training and owns the ongoing compliance monitoring for that regime
• Integrate the regulatory comparison matrix into the organisation's Records of Processing Activities immediately after training
• Schedule a quarterly review cadence to track regulatory updates, especially given the pace of change in UK and Swiss frameworks
• Combine training with a formal gap audit project so that learning is applied to real organisational data and processes within 30 days

Common mistakes

• Treating GDPR as the universal standard and overlooking stricter or different national requirements such as France's CNIL guidance on cookies or Germany's BDSG employee data rules
• Relying on pre-2023 Standard Contractual Clauses templates without incorporating updated transfer impact assessments post-Schrems II
• Ignoring LGPD and nFADP as 'secondary' concerns until a regulator inquiry or breach event forces urgent catch-up
• Assuming a single privacy policy document can satisfy all jurisdictions without localisation

Providers to consider

• IAPP (International Association of Privacy Professionals)iapp.org/train/ →
• DataScientestdatascientest.com →
• Fieldfisher Privacy Academywww.fieldfisher.com/en/services/privacy-security-and-information/privacy-academy →
• OneTrust Academywww.onetrust.com/onetrust-academy/ →

Sources

• European Data Protection Board — Recommendations on transfers after Schrems II →
• IAPP Global Privacy Law and DPA Directory →