General information:
Name:
Ensuring personal data protection in the light of EU regulations
Code:
int.courses-324
Profile of education:
Academic (A)
Lecture language:
English
Semester:
Spring
Responsible teacher:
dr Świątkowska Joanna (joanna.swiatkowska@cc.agh.edu.pl)
Academic teachers:
dr Świątkowska Joanna (joanna.swiatkowska@cc.agh.edu.pl)
Module summary

Students will gain knowledge of personal data processing and protection. They will be able to put into practice the measures and procedures needed to comply with the main regulations, chiefly the GDPR.

Description of learning outcomes for module
MLO code Student after module completion has the knowledge/ knows how to/is able to Connections with FLO Method of learning outcomes verification (form of completion)
Social competence
M_K001 Student will improve his ability for self-improvement. Presentation,
Participation in a discussion,
Completion of laboratory classes
Skills
M_U001 Student will be able to plan and carry out the analytical process relevant to a given problem. Execution of laboratory classes,
Completion of laboratory classes,
Activity during classes
M_U002 Student will be able to prepare basic documentation and processes to comply with requirements. Completion of laboratory classes,
Activity during classes
Knowledge
M_W001 Student will gain extended knowledge of the levels of personal data processing and protection. Completion of laboratory classes,
Activity during classes
M_W002 Student will gain extended knowledge of privacy issues in the digital era. Participation in a discussion
FLO matrix in relation to forms of classes
MLO code Student after module completion has the knowledge/ knows how to/is able to Form of classes
Lecture, Audit. classes, Lab. classes, Project classes, Conv. seminar, Seminar classes, Pract. classes, Field classes, Workshop classes, Others, E-learning
Social competence
M_K001 Student will improve his ability for self-improvement. + - + - - - - - - - -
Skills
M_U001 Student will be able to plan and carry out the analytical process relevant to a given problem. + - + - - - - - - - -
M_U002 Student will be able to prepare basic documentation and processes to comply with requirements. - - + - - - - - - - -
Knowledge
M_W001 Student will gain extended knowledge of the levels of personal data processing and protection. + - - - - - - - - - -
M_W002 Student will gain extended knowledge of privacy issues in the digital era. + - + - - - - - - - -
Module content
Lectures:

The General Data Protection Regulation (GDPR) introduces a new era in the area of personal data protection. Not only does it bring new standards, but it also creates severe sanctions. Understanding this new regulation is essential both to comply with the requirements and to be able to claim one’s rights. Every sector and every business relies on personal data processing, so the new framework will be everyone’s concern. That is why it is absolutely necessary to understand the new regulatory regime.
The main goal of the course is to provide students with comprehensive knowledge related to the GDPR. The course will cover the theoretical dimension and will be enriched with plenty of practical case studies.

Selected knowledge and skills acquired during the lectures include:
• Understanding the key elements of the GDPR: what is personal, especially in the digital era? Who is a controller and a processor and what is the difference?
• How to prepare an entity to comply with the GDPR? Responsibilities of the controller: data protection by design and by default; records of processing activities; data breach notification; security measures; preparing the consent; information to be provided where personal data are collected from the data subject.
• Being aware of our rights: right of access by the data subject; right to rectification; right to erasure (‘right to be forgotten’); right to restriction of processing; right to data portability; right to object and automated individual decision-making.
• Identifying and analysing trends and challenges of the digital world in the context of the GDPR – big data, profiling, anonymization, pseudonymization, cloud computing, blockchain etc.
• Ensuring security of personal data in the digital era – learning about risk management.

Laboratory classes:

Students will gain practical skills on how to implement personal data protection measures.
Selected knowledge and skills acquired during the laboratory classes include:

• Preparing procedures and documentation to comply with the GDPR.
• Information obligations in practice – how to create and implement the process.
• A closer look at security measures (data protection impact assessment and prior consultation, privacy by design, privacy by default, encryption, risk evaluation, GDPR vs ISO, managing security breaches, risk management etc.).
• Privacy Enhancing Technologies.
• Discussing privacy in the digital era.

Student workload (ECTS credits balance)
Student activity form Student workload
Summary student workload 100 h
Module ECTS credits 4 ECTS
Participation in laboratory classes 14 h
Participation in lectures 20 h
Completion of a project 25 h
Preparation for classes 41 h
Additional information
Method of calculating the final grade:

Final Grade = 0.6 EG (test) + 0.4 LG (small projects).

Prerequisites and additional requirements:

Basic skills in the analysis of legislative acts.

Recommended literature and teaching resources:

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. PARP, Personal data protection – guide for small and medium entrepreneurs, Warsaw 2017.
3. GIODO, How to apply a risk-based approach?, part I, part II, 2017.
4. ENISA, Handbook on Security of Personal Data Processing, 2018.
5. ENISA, Privacy Enhancing Technologies: Evolution and State of the Art. A Community Approach to PETs Maturity Assessment, 2016.
6. ENISA, Privacy and data protection in mobile applications. A study on the app development ecosystem and the technical implementation of GDPR, 2017.
7. Bruce Schneier, Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World, 2015.
8. ENISA, Recommendations for a methodology of the assessment of severity of personal data breaches, 2013
9. ENISA, Privacy and Data Protection by Design – from policy to engineering, 2015
10. Article 29 Data Protection Working Party, Guidance on impact assessment for data protection and to help determine whether processing “may pose a high risk” for the purposes of Regulation 2016/679, 2017.
11. Article 29 Data Protection Working Party, Guidelines on Personal data breach notification under Regulation 2016/679, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052.

Scientific publications of module course instructors related to the topic of the module:

1. Cathy O’Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy, 2016.
2. DI, General Data Protection Regulation – Implementation in Danish companies, https://digital.di.dk/SiteCollectionDocuments/Vejledninger/Persondataforordningen/Persondataforordningen_engelsk.pdf.
3. ENISA, Big Data Security Good Practices and Recommendations on the Security of Big Data Systems, 2015
4. ENISA, Smartphone Secure Development Guidelines, 2016
5. Article 29 Data Protection Working Party, Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053.
6. Article 29 Data Protection Working Party, Guidelines on the right to data portability, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233.
7. Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.

Additional information:

None