Practical Data Protection and Privacy: Scope (3 credits)
Course code: TX00EL61
Basic course information
- Scope
- 3 credits
Learning outcomes
Data protection and privacy have become relevant in diverse application fields. Many people have the impression that the regulation is very stringent and that most uses of personal data are forbidden today, or that consent is required for every processing step.
Since May 2018, a uniform European law has been applicable in all EU member states. This course explains how to use the GDPR (General Data Protection Regulation) in practice. The legal text explains what to have, but not how to do it. In this course, we shall cover the GDPR from a practical point of view.
Risk assessment and threat identification are among the major tasks you need to carry out in order to achieve compliance. There is also a practical example that needs to be completed.
Because the measures you need to take to protect your personal data are often the same as the measures you need to take for information security, translating data protection to practice also involves some information security; still, information security is not the main emphasis in this course. (You can have security without privacy, but you cannot have privacy without security.)
Content
1. Why is privacy important? (why we evolved towards data protection until today’s legislation; threat modelling and identification; practical exercise: threat identification for a small project)
2. Information security risk assessment and security policy (data severity, risk assessment, policy; practical exercise: perform an information security risk assessment for a small project)
3. Data protection concepts (personal data, register, controller/processor, data protection officer, purpose and compatibility; practical exercise: add the data protection related threat identification and associated risk assessment to your small project)
4. Data protection legal grounds and risk mitigation (legal grounds of data processing, consent, legitimate interest assessment; practical exercise: identify measures as a solution for mitigating the most important risks and legitimate interest assessment)
5. Practical examples and conclusion (data subject rights, real-life cases, privacy statements, contracts, international transfers, automated decisions)
Prerequisites
The goal of the course is to be able to transfer the legal content to non-legal people and to transfer the technical content to non-technical people. Some technical experience or exposure to software projects is assumed. The students should have a running (and fairly recent) version of Microsoft Excel.
Assessment criteria, satisfactory (1)
All exercises have to be completed. Approval of all assignments by the teacher will be necessary.
Assessment criteria, good (3)
The practical example shows clear understanding of the topics and the ability to apply them.
Assessment criteria, excellent (5)
The practical example shows understanding and application of the topics beyond expectation.