What are the benefits of an online GDPR training course?

One of the most convenient methods of providing GDPR training is through the use of an online course. There are a range of benefits to this method as compared to other methods of training, including flexibility, the scope of the course, and portability. TechGDPR offers an online training course which is specifically designed for developers and technically oriented roles, although its contents will be valuable for employees in multiple areas of an organisation. Past users of the course found the information to be both valuable and interesting. In fact, over 90% of those who provided feedback on the course ranked the course as being either “enjoyable” or “very enjoyable.”

Flexibility: One of the main benefits of training employees on GDPR through an online course is the flexibility this method offers. A self-paced online course can fit into any schedule. As a result, employees are able to take the course whenever it is convenient for them. Additionally, participants in the online training course take their time with sections they want more familiarity with. Furthermore, after completing the course, individuals will be able to keep the handouts and resources provided within the course to help guide and refresh their knowledge of the GDPR.

Scope and Focus: Employees whose job functions do not directly relate to managing compliance efforts might not see the benefits of GDPR training. However, a course specifically designed for employees in these capacities, whether they be a software developer or a CTO, will demonstrate to these individuals the importance of considering the GDPR in their operations. The online course works to answer common questions and address misconceptions on the GDPR. The course has seven lessons: Data Protection Overview, Legal Basis & Consent, Design Considerations around Data Subject Rights (DSRs), Data Controllers and Processors, Risks and Measures, Data Transfers, and Emerging Technologies. Some of these sections will be of more specific relevance to technology teams, while others will provide important general information about the GDPR to any user of the course.

Portability: Employees can take an online course anywhere. No matter where your company or employees are located, you can take advantage of the educational resources provided by the course. This is an important consideration for companies with a number of remote employees, who can take the course from wherever they might be located.

Documentation: A further benefit of online training is that it will allow for an organisation to document its compliance efforts. Additionally, upon correctly answering 60% or more of the questions on assessments throughout the training course, users are able to obtain a certificate of completion.
Importantly, the content covered and the depth of information will vary dramatically depending on the chosen method. Аn online course is not as customisable as a live webinar or in-house training. Due to the time required to build and adjust an online course, customisation is only feasible for large-scale deployments.

What are the benefits of in-house training sessions and webinars?

The most effective training method is a live in-house session. There is also the possibility of having a live webinar as a training option for your organisation instead. There are many advantages to choosing a live session for GDPR training. The customizability of the course includes both the content of the training and a Q&A after the session.

Content: Unlike the online course, the webinar can be customised to your specific needs as an organisation. Up to 30% of the training program can be customised to reflect the actual work situations, typical challenges, and operations of your organisation. This will make it easier for employees to retain the knowledge they gain throughout the training as it is immediately applicable on familiar situations. The program will cover the basics of GDPR and common issues related to compliance. After training, employees will be more confident identifying areas of difficulty in adhering to the GDPR.

Duration: Both the in-person session and the webinar session will last between 1,5-2,5 hours. After the live training session there will be time for a Q&A to answer any questions employees may have. Training should take place both annually and as part of the onboarding process for new employees.

Flexibility: Similar to the online course, the webinar allows participants to be located anywhere. This benefits employees who work remotely, or companies with employees located in different time zones. Multiple sessions of in-house training are also possible, so as to make interruption to your daily operations as minimal as possible.

Documentation: The live training sessions also provide documentation of GDPR compliance efforts for organisations.

Regular GDPR training and documentation of this training will keep staff up-to-date as there are new developments in technology and the law. A shared understanding of GDPR requirements across staff will help reduce the possibility of GDPR violations and data breaches. Learn more about TechGDPR’s in-house training options here.

The post GDPR Training Modes for Technology Teams appeared first on TechGDPR.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, data controllers need to consider data protection throughout the core of their organisational activities. As such, those who work to create technologies involved in data processing must consider the implications of their software in the context of the GDPR. While Data Protection by Design and Data Protection by Default are separate concepts, they are complementary. Implementing Data Protection by Design makes achieving Data Protection by Default much easier, with the reverse being true as well.

Building privacy into the heart of data processing operations and systems is part of Privacy by Design, while ensuring that the data subject’s rights are protected as a matter of standard operations is part of Privacy by Default. These concepts have been in existence since long before the GDPR came into fruition, but under the GDPR became important requirements. 

Achieving Privacy by Design and Privacy by Default is not a simple process when one’s main focus is developing and delivering products. As such, familiarity is of the essence. 

What are the most important considerations involved with these concepts, and how may data processors implement them? 

What is Privacy by Design? 

The concept of Privacy by Design was created by Ann Cavoukian in the 1990s and presented in her 2009 “Privacy by Design: The Definitive Workshop.” As Cavoukian stated, the concept of privacy by design encompasses more than just technology. Rather, Privacy by Design dictates that privacy is taken into account throughout the design process and operations of broader organisations and systems. There are seven foundational principles which constitute the basis of Privacy by Design:

1. Measures are proactive rather than reactive. They anticipate risks and try to prevent them from occurring, rather than allowing for invasions of privacy and minimising them after the fact. These measures are woven into the culture of an organisation. 
2.  Privacy is protected by default. Personal data is protected without requiring the data subject to act. In practice, the most intrusive privacy features of an app, such as geolocation tracking when that is not called for by the user, are turned off when the product is first installed or better yet, every time the app is launched.
3. Privacy is embedded into the design of systems and organisations. It is not an afterthought, but an essential part of a system’s functionality.  Designing for privacy can be quite costly so planning for it rather than redesigning to accommodate it, is a wise cost management strategy.
4. Privacy is not implemented to the detriment of other interests, but rather to accommodate all legitimate interests with full functionality. 
5. Privacy is extended throughout the lifecycle of all the data collected.  
6. Data processing activities are visible and transparent. The business practices and technologies involved are clear to both users and providers.  
7. Measures for privacy are user-centric: the interests of data subjects are at the forefront of operations. 

Cavoukian stresses that ensuring privacy does not come at the cost of other critical interests, but rather ought to complement other organisational goals. 

But how does a team implement these foundational principles into their technological design?

Methods of Implementing and Measuring Data Protection by Design for Technology Developers

The European Data Protection Board adopted guidelines for Data Protection by Design and by Default on 20 October 2020. These guidelines clarify how to implement the requirements of Article 25 in organisations that process personal data. 

Certain concepts, such as pseudonymisation, noise addition, substitution, K-anonymity, L-Diversity, T-closeness, and differential privacy, can help increase the privacy of an individual data subject, or give key information about the privacy of a data set. As a result, individuals working to achieve Privacy by Design should think about these methods as tools they can use, though not as absolute methods in and of themselves. 

• Pseudonymisation replaces direct identifiers, such as names, with codes or numbers, which allows data to be linked to an individual without the individual themself being identified. This data is still within the scope of the GDPR. Truly anonymous data is not considered personal data, and thus its processing does not fall under the scope of the GDPR. However, anonymous data, that is, data which cannot be linked back to a data subject, is different from pseudo-anonymous data in that pseudo-anonymous data has the potential to be re-linked to a data subject, even if in a difficult or indirect way. Thus, pseudo-anonymous data is still subject to the requirements of the GDPR. 
• Noise addition is often used in conjunction with other anonymisation techniques. In this technique, attributes which are both confidential and quantitative are added to or multiplied by a randomised number. The addition of noise still allows for the singling out of an individual’s data, even if the individual themself is not identifiable. It also allows for the records of one individual to be linked, even if the records are less reliable. This linkage can potentially link an individual to an artificially added piece of information. 
• Substitution functions as another method of pseudonymisation. This is where a piece of data is substituted with a different value. Like the addition of noise, substitution ought to be used in conjunction with other data protection measure in order to ensure the data subjects’ rights are protected. 

Means of measuring the privacy of data 

• K-anonymity, a type of aggregation, is a concept that is based around combining datasets with similar attributes such that the identifying information about an individual is obscured. This helps to determine the degree of anonymity of a data set. Essentially, individual information is lumped in with a larger group, thereby hiding the identity of the individual. For example, an individual age could be replaced with an age range, which is called generalisation. By replacing specificity with generality, identifying information is harder to obtain. Suppression is another method of achieving better k-anonymity. This is where a certain category of data is removed from the data set entirely. This is best-suited in cases where the data in that category would be irrelevant in regards to the purpose of the data processing. It is important to note, however, that k-anonymity itself does not guarantee that sensitive data will be protected. 
• L-diversity is an extension of k-anonymity. It provides a way of measuring the diversity of sensitive values in a dataset. Essentially, l-diversity requires each of the values of sensitive attributes within each group to be well-represented. In doing so, l-diversity helps to guarantee that a data set will be better protected against re-identification attacks. This is a helpful consideration in cases where it is possible for attributes in k-anonymised data sets to be linked back to an individual.
• T-closeness expands on l-diversity and is a strategy of anonymisation by generalisation. T-closeness creates equivalent classes which are similar to the initial distribution of attributes in a data set and is beneficial in situations where a data set must be kept as close as possible to its original form. Like k-anonymity and l-diversity, t-closeness helps to ensure that an individual cannot be singled out in a database. Additionally, these three methods still allow for linkability. What l-diversity and t-closeness do which k-anonymity cannot, is provide the guarantee that inference attacks against the data set will not have 100% confidence. 
• Differential privacy aims to ensure the privacy rights of an individual data subject are protected by ensuring the information someone obtains from the output of data analysis is the same with or without the presence of the data of an individual. This allows for data processing without an individual’s information being singled out or the individual being identified. Differential privacy provides privacy through a specific type of randomisation. The data controller adds noise to the data set, with differential privacy revealing how much noise to add. 

Privacy Design Strategies

Researchers have identified eight privacy design strategies, divided into two groups: data-oriented strategies and process-oriented strategies. Data-oriented strategies include: minimise, hide, separate, and abstract. These strategies focus on how to process data in a privacy-friendly manner. Process-oriented strategies include: inform, control, enforce, and demonstrate. These strategies focus on how an organisation can responsibly manage personal data. Article 5 of the GDPR identifies the basic principles to follow when processing personal data: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. These principles help guide the strategies, which can be exemplified by the concepts and methods of pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy. These methods and processes of measuring privacy should stand as part of larger efforts to work to implement data protection into the fabric of data processing operations. 

How can technology developers learn more about Privacy by Design and Default?

Data Protection by Design and Data Protection by Default are fundamental concepts to adhere to under the GDPR. Teams which keep these concepts in mind at every level of their organisations will keep the rights of data subjects at the forefront of their operations, and thus go further in working towards GDPR compliance. Technology developers have a special role in making sure that their products have the capacity to be used in a GDPR compliant manner, and thus should have extensive familiarity with these concepts. Those interested in learning more about GDPR compliance, from the perspective of what a technology developer should consider, can participate in TechGDPR’s Privacy & GDPR Compliance Course for Developers. This course delves into what individuals working in technology development need to know about data protection so they can better understand their own duties and responsibilities under the requirements of the GDPR. 

The post Privacy by Design for Technology Development Teams appeared first on TechGDPR.

Reaching a high level of compliance takes time. As with most endeavours that rely on change management (e.g. setting up a quality management system or an information security management system), staff training plays a crucial role in aligning operations with business goals. Documenting evidence of GDPR training goes a long way in objectively displaying the journey achieved to date.

Data Protection by Design and GDPR Training

The GDPR dictates that a company must weave privacy into the very fabric of a processing operations through the principles of Data Protection by Design and Data Protection by Default, outlined in Article 25 of the GDPR. As such, the individuals responsible for building the technology involved in data collection and processing must pay special heed to the fundamental principles of privacy. Finally, while software designers might not be the first line of defence in terms of achieving GDPR compliance, one could indeed see them as the last line of defence in this regard, and as such ought to be able to recognize the challenges and complexities involved in achieving GDPR compliance.

Thus, encouraging tech developers as well as software engineers and coders to engage in GDPR training achieves two goals for companies looking to enact strong GDPR compliance measures. It both enables designers to include legal requirements in the handling of data and documents company efforts in delivering compliant solutions as a vendor (data processor) or as an implementer (data controller). As Recital 78 of the GDPR states, 

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

GDPR and Technology Neutrality

Though there are debates as to whether or not the GDPR prevents the development of advanced technology, the GDPR was not created with the intention of stifling technological innovation. An important feature of the GDPR is that it is technologically neutral, meaning that it does not discriminate between two different technologies with the same functionality or between existing and new technologies. Though its technological neutrality makes the GDPR a much more effective and widely applicable piece of legislation, it also makes it quite a bit more difficult for developers to implement.

Rather than regulating technology itself, legislation regulates only the effects of technology use and the conditions surrounding the actual processing. In essence, the GDPR does not offer specific guidelines for compliance for those developing technology. The GDPR was created to apply to technological developments taking place after its coming into force, so it is up to those developing technology to make sure that their work supports GDPR compliance. 

What challenges do developers of data processing technology face in GDPR Compliance?

New technology brings unique challenges under the GDPR. This is the case with IoT, blockchain, cloud computing, and artificial intelligence. Certain aspects of each of these might, at first glance, appear to be inherently incompatible with GDPR compliance. Since it is always best not to ignore the law, the development of new technology must take data protection into special consideration. GDPR training thus becomes a market differentiator for these organisations. Awareness of the available data subject rights, as well as the obligations of the data controller and data processor, is necessary to prevent incompatibilities between legislation and feature developments.

GDPR compliance is a complicated, though necessary, endeavour. Given that organisations are required to adhere to the principles of Privacy by Design and Privacy by Default along with the core data protection principles, developers need to consider data protection at every phase of the design and development process. In order to develop products that have the potential to be used in a GDPR-compliant way, employees need to comprehend the rights of data subjects and the obligations of the data controller and the data processor which the GDPR outlines.

Without an adequate knowledge of GDPR requirements, it is impossible for individuals or teams to implement the necessary measures to ensure an adequate protection of data subject rights. Awareness of the challenges behind GDPR compliance and the possible conflicts between data protections and certain technologies, achieved through GDPR training, is a fundamental first step towards solving these issues and creating products and organisations that thoroughly protect the rights of data subjects. 

While compliance and GDPR training for employees are no simple tasks for an organisation to undertake, especially fast-developing fields of technology, there are many resources available to help staff understand and best implement GDPR-appropriate measures in their respective roles. One of the most convenient ways for companies to train their technical staff on the GDPR is through the use of an online course. 

TechGDPR has created a unique GDPR training online course specifically for individuals working in technical roles, such as software developers, software engineers, devops, software architects, and more. This course will help clarify the GDPR requirements for technology developers and give them the tools they need to achieve GDPR compliance within their organisations and products.  Though the GDPR does not outline specifications for training requirements in this regard, the extensive requirements of the Regulation and the principles of Data Protection by Design and Data Protection by Default mean that creators of data processing technology help methodically consider which requirements apply and navigate them autonomously. 

The post Why is GDPR training important for technology teams? appeared first on TechGDPR.