Designing a data protection programme

Curriculum
  • 6 Sections
Module 1 | Defining the Programme’s Conceptual Boundaries
Module 2 | Governance Philosophy and Structural Decision-Making
Module 3 | Designing the Artefact Universe
Module 4 | Education as a Structural Design Layer
Module 5 | Artefact Justification and Strategic Risk Alignment
Module 6 | Designing for Maturity, Evolution, and Auditability

Designing a data protection programme is an advanced, strategy-focused course for professionals responsible for architecting the structure, boundaries, and accountability of privacy and data protection functions within their organisations.

Rather than focusing on implementation or operational compliance, this course guides participants through the upstream design process — where decisions about scope, governance, artefacts, education strategy, and risk alignment shape the long-term credibility and defensibility of a data protection programme.

Participants will learn how to define conceptual boundaries, choose governance models that balance control with flexibility, construct a tailored artefact universe, and apply principled logic to justify inclusion or exclusion of programme components. The course also introduces education as a structural design element — not a downstream training activity — and emphasizes how strategic choices in design impact auditability, stakeholder trust, and regulatory alignment.

Whether you're designing your first programme or re-architecting an existing one for scalability and resilience, this course will equip you to build a defensible, future-ready privacy framework from the ground up.


Related Courses

ROPA Mastery: Designing, operating & defending records of processing activities

Accountability-first approach: Understand ROPAs as the primary mechanism for demonstrating accountability under POPIA and GDPR—not just a compliance artefact.

Regulator-ready by design: Learn how regulators and auditors actually use ROPAs during investigations, audits, and breach follow-ups.

POPIA & GDPR aligned: Covers GDPR Article 30 alongside South Africa’s POPIA Section 17, PAIA record-keeping duties, and Information Officer obligations.

5h
7

Data processing agreements

Purpose and legal basis: The course opens by explaining why DPAs are essential instruments for assigning responsibilities between controllers and processors. It notes that laws like POPIA and the GDPR make such agreements mandatory and that failing to implement a compliant DPA can expose organisations to significant liability.

Understanding roles and triggers: Early modules clarify the distinction between controllers, processors and sub‑processors. They discuss when a DPA is required and how to recognise the need for data‑processing clauses in broader contracts. The difference between a full DPA and a data‑processing addendum is also addressed.

Core clauses and obligations: Participants learn the mandatory elements that must appear in a DPA, such as the scope of processing, security measures, sub‑processing approvals, breach notification and assistance with data‑subject rights. There is emphasis on tailoring these provisions to meet the expectations of POPIA, the GDPR, UK GDPR, US state laws and other regional frameworks.