Tagged: Data Protection Toggle Comment Threads | Keyboard Shortcuts

  • VA2SFX 12:23 am on June 19, 2017 Permalink | Reply
    Tags: , Data Protection, , ,   

    I know it sounds super boring, but here’s why the GDPR is actually really revolutionary af 

    Data Protection

    I figure the next step after passing my EU GDPR F course would be, you know, actually reading the regulation. Because why not, right?

    So yeah, it’s important to preface this series (yes, this will be a series — so unfollow me now) with a strong disclaimer: I’m not a lawyer. But I am pretty hardcore into “citizen” style DIY research — so, I figure, this is as good a reason as any to explore the themes, articles and questions around the regulation here and maybe generate some conversations around it. The principles it builds out on are fr*&cking huge.

    Anyway, this is the hard copy book I have (if for some reason, you’re a psycho like me who needs to have a copy of this in print), which for some reason has suuuuuuper small type, but oh well:

    I’m still in Chapter I — General Provisions. But these two Recitals are, in my humble opinion, amazing af. af. af.

    Article 1: Recital (4) begins:

    “The processing of personal data should be designed to serve mankind.”

    I mean, is the hair on your arms tingling? Cause mine is!

    Tbh, I’m not 100% sure yet what the role of the Recitals is: they seem to guide somehow interpretation of the articles of the regulation (according to source linked above). But either way, the above is still pretty amazing as a principle to include, even if it may be (?) “aspirational” to some degree.

    Also fascinating is this Recital 7, which includes (excerpted):

    “Natural persons should have control of their own personal data.”


    I know…

    I know there’s an argument to be made that the EU regulation is crazy/naive/unrealistic because it doesn’t take into account how the internet actually works. But as prominent voices are saying, it might be time we admit that how the internet works is fundamentally broken.

    And though I’m still in diapers when it comes to learning about emerging global data protection and privacy laws, regulations and business trends, it’s impressive to me that the European Union has been busily re-envisioning how an internet and tech economy that actually protects its citizens not just might work, but how it will work: a legally binding playbook even companies outside the EU (extra-territoirality) will be obligated to comply with if they target EU citizens as data subjects, whether or not they are paying customers. Or face a huge fine! [Europe is juuust getting warmed up with its fines against tech companies — GDPR isn’t even in force yet.]

    Let me ask you straight out —

    Is this what it will take to fix the internet? Or at least part of the puzzle… Putting technology at the service of humankind, instead of the other way around. So crazy, we might just give it a chance.

    But don’t take my word for it, America. Here’s how Walt Mossberg in his final weekly column for Re/code put it:

    “My best answer is that, if we are really going to turn over our homes, our cars, our health and more to private tech companies, on a scale never imagined, we need much, much stronger standards for security and privacy than now exist. Especially in the U.S., it’s time to stop dancing around the privacy and security issues and pass real, binding laws. […]

    The tech industry, which has long styled itself as a disruptor, will need to work hand in hand with government to craft these policies. And that might be a bigger challenge than developing the technology in the first place.”

  • VA2SFX 11:25 pm on June 15, 2017 Permalink | Reply
    Tags: Data Protection, Gdpr, , , Trust   

    Review of GDPR F Distance Learning Course & Exam 

    Notes on the remote course & exam offered by IT Governance

    The most important thing you should know about the European Union’s upcoming General Data Protection Regulation is that:

    One cannot simply “explain” the GDPR. To understand the GDPR, you must become the GDPR.

    So, I’ve been studying the infamous (depending who you are) EU GDPR. It is an over-arching European privacy framework which comes into force the end of May 2018, has extra-territoriality, and which will have big implications for tech companies targeting EU citizens.

    This morning I passed my GDPR F (Foundation) exam — pending review of the video file associated with my remotely proctored examination. This exam is a culmination of a course offered by IT Governance, a UK company:



    Now, as far as I can tell, there is no singular “official” sanctioned exam which certifies you in accordance with the GDPR. There are two that I’ve spotted in the wild. One is an exam by IAPP, called CIPP/E. The other is this EU GDPR F & EU GDPR P exam offered by IT Governance.

    So anyway, the Foundation course I took consists of around 7 hours of videos which consist of an outline delivered Powerpoint-style with a man narrating them. It costs $360 USD, and comes with a voucher to take the test through a third party, GASQ out of Nuremberg, Germany.

    The course is a pre-requisite for their ED GDPR P (Practitioner) course and linked exam. The Practitioner course costs $990 USD and is supposed to be much more detailed.

    The Foundation course itself was fine. If you have no experience or understanding of what the GDPR is, you might have a bit of a learning curve. Personally, I’ve done probably more than 50 hours of independent research into this regulation and it’s many implications, but it was useful to have a formalized structure and presentation to put it all together.

    Taking the exam remotely

    There is a bit of an issue with the actual examination itself. I was drawn to it because they offer a remote proctoring system, so you can sit the exam from home or work, etc. This is unlike the CIPP exams where you must go into a registered testing center and sit the exam in person. [Sidenote: the CIPP/US exam that I looked at costs more than $600 and doesn’t include any preparation materials. I’ve also seen claims online by both tech people and lawyers saying the CIPP/US in particular is the “hardest test they’ve ever taken.”]

    While IT Governance offers the course materials via the web, accessible on any platform, the remote proctoring app only works on Windows. If you’re working for a US tech company (e.g. someone who is going to be heavily impacted by the regulation) it’s very possible you only use Mac, like myself. So this lack of Mac support is a bit insufficient and will limit the exam’s potential clientele, in my opinion. But perhaps it’s not insurmountable either for the determined.

    Mac users can set up a Windows Virtual Machine (free)

    Luckily, Mac users can set up a Windows virtual machine and sit the exam that way. I followed this guide to get started, and used VirtualBox as my VM controller.


    Link to VirtualBox:


    You can download free 90-day limited virtual machines from Microsoft:


    And to get the Mac webcam to work on your Windows VM, you will need to install the VirtualBox extension pack, following these instructions:


    The rules around taking the test via the remote proctoring system are fairly strict. I won’t paste them in here as I don’t want to agitate the Privacy Gods. Suffice it to say, you must remain in the frame of the camera, show your ID when you begin, must not allow anyone else in the frame, must not use books or take screenshots of the exam, etc.

    My results

    I scored a 77.5% out of the 40 questions (you’re given 60 minutes), which means I got around 9 questions wrong.

    Evidently, they have someone review your video session before the results are finalized, which they say can take up to a week.

    Overall, I feel that even though I technically passed (required 65%) the course materials combined with my 50+ hours of independent study should have gotten me a higher score than 77.5%. Given that I paid for the course, the level of preparation offered, in my humble opinion, should be result in higher competency.

    Other issues

    As according to the IT Governance website:

    “Buyers receive a complimentary e-book copy of EU GDPR & EU-US Privacy Shield — A Pocket Guide when they buy this course, ensuring they have long-term access to essential GDPR reference materials.”

    Unfortunately, the electronic versions of this book are DRM protected, so you must use proprietary Adobe Reader app. This is a disappointment to me because I need to be able to consult this book on my Amazon Kindle and this is not supported.

    Also, inappropriately listed under “What you will learn” on the site, it says:

    “International data transfers, including under the EU-US Privacy Shield.”

    This is inaccurate, and I’ve left that feedback for the company. The EU-US (and US-Swiss) Privacy Shield program and its requirements are expressly not covered by this course. If that is an absolute requirement for your learning, you will need to supplement this information elsewhere. I feel that IT Governance should remove or amend these statements from their course description.

    Becoming a Data Protection Officer

    I’m interested in potentially becoming a Data Protection Officer (DPO) so I plan to continue along with my studies by taking the next level up in this program, the Practitioner course and exam.

    Currently, there is no real formal process for how someone becomes a DPO. DPO’s are covered in Article 37 of the GDPR:


    More specifically:

    1. The controller and the processor shall designate a data protection officer in any case where: […]

    (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;

    So this is an interesting opportunity for tech professionals working in or interested in Trust & Safety, Security and Privacy fields to ‘level up’ their knowledge and experience. IT Governance’s course and exam, while imperfect, are still I think a good leg up on the competition and a way for you to prove you’re committed professionally to mastering these emerging topics which will only become more important as the years progress and global Privacy compliance opens internationally-minded companies up to many new risks.

    Happy to answer any questions about my experiences studying this so far, though I am far from being an expert on the topic.


Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc