A discussion of data protection and the course that taught it, by Christine Macleod.
I have just completed the free online course on Understanding of the General Data Protection Regulations presented by FutureLearn. This was a self-paced, four-week course, taking approximately 3 hours per week. The GDPR course is compiled and presented by staff at the University of Groningen.
I was interested in doing this course for three reasons.
- The SLLG committee needs to know how to apply these regulations to the SLLG membership data.
- As a member of the public (a data subject) I was curious as to what my rights are, and how to protect my privacy.
- How does the GDPR apply to my professional work?
I completed a previous FutureLearn course on Genealogy by Strathclyde University, so knew roughly what the format would be – articles, videos, interactive comments, quizzes and exercises. There are also additional resources – links and articles you can read on particular topics if you want to research a topic in more depth. After each section you tick a box to confirm you have completed it so you know exactly where you are and how much more you have to do.
The course is interactive and it asks you to write comments on specific questions, like what do you think about privacy and data security. You can read comments from others on the course, and they can “Like” your comments etc. so discussions can start up. Throughout the course there are links to the regulations themselves if you want to read the actual documents or relate the concepts to the particular articles within the regulations.
The new GDPR comes into force on 25 May 2018 and any company or organisation (governments, councils, universities etc.) in the EU that collects and stores data on individuals will have to be compliant with these Regulations by then. It also affects companies outside the EU if they hold data on EU residents.
The course covers a variety of topics, from basic GDPR concepts, to processing principles, rights of data subjects, obligations for controllers and processors, enforcement mechanisms and liability and sanctions. Each section is explained in articles and videos with reference to supporting materials.
Week 1 is an introduction and is designed to make you think about why and what you need to know about the new regulations and the processing of personal data, e.g. What are privacy and data protection? It uses the Google case as an example, which I found interesting: it connects you to a real case, and goes back to the case throughout to provide a live example.
It then outlined the basic fundamentals of GDPR, data protection principles, consent and minors, including definitions and the different roles – controllers, processors and subjects, data protection officers (DPOs) – the basics of what you need to understand to make sense of the regulations.
There are 6 main data protection principles which form the basis for privacy of information and data protection. I have listed them here as they are the backbone to the regulations, so are important to learn and understand.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
These principles are held together by the principle of Accountability. The Controller shall be responsible for compliance with the principles.
Week 2 was all about the rights of data subjects, which I found very interesting. It looked at transparency and modalities (the mode in which something is experienced, e.g. written, spoken, email, by phone etc.) and how information about you is held, what is done to it and how to complain; the need for transparent, understandable language; and that any processes must be simple to undertake.
The sections went through the various rights and their exceptions
The Rights to :-
- access and rectification
- object and restrict processing
- erasure (without undue delay) (except for public interest/health, legal claims etc.)
- data portability (copy supplied is in a readable format)
- how to complain even/especially if data is processed automatically
- judicial remedies
- to be represented
- compensation for material or non-material damages
These are all rights which we as individuals will have, and I feel it is important that we know what our rights are. Many of the comments in the discussions were about how you are asked by your phone to allow access to your emails, photos, location etc. and how there seems little option but to comply.
Week 3 covered the obligations of controllers and processors – who these groups are, where they overlap, what they are accountable for and to whom. It also looked at the appointment of Data Protection Officers and Data Protection Impact Assessments.
Part of the Controller's obligations includes achieving data protection by design and by default. By design – data protection has to be built into systems from the start. By default – data collections must only contain the minimum amount of data required for specific purposes, and only for a specified amount of time.
Week 4 was about GDPR enforcement and compliance, which looked at the co-ordination, powers and roles of the various authorities, such as the National Supervisory Authorities and the European Data Protection Board. It also looked at the tools available to companies and organisations to help them comply, such as certification mechanisms, codes of conduct, and binding corporate rules. It touched on cross-border data transfers, and finally the liabilities, responsibilities, penalties and sanctions that data controllers and processors are subject to if they do not comply.
Throughout the course you are asked to think about how these concepts apply, what impact they have on you personally, whether you think sanctions will actually work. This method involves you and keeps you interested and engaged, and helps you learn. I do feel I now understand what the GDPR is about and how it applies to me in my life and in my work. I have also been asked to share my new-found knowledge with my colleagues.
I found the course great at presenting the information, starting from the general to the specific. It was stimulating, interesting and very pertinent to me both as an individual, and as a SLLG committee member. It made me aware of how I can protect and access my personal data. It also made me think about what the SLLG committee needs to do to protect members’ data. It was in-depth enough to generate more questions (How will the right to be forgotten be applied? Can we have privacy and protect national security?), and stimulated an appreciation of the issues surrounding data protection and privacy in today’s society which is so steeped in social media.
There are lots more interesting courses available on FutureLearn, including several legal subjects, e.g. “Law for non-Lawyers” and “Maritime Law”, courses useful to chartership such as “Learning online: reflecting and sharing”, and just interesting subjects like geology and moons – go look and learn!