STAR
SUPPORT TRAINING ACTIVITIES ON THE DATA PROTECTION REFORM project-star.eu
Report on the findings of the interviews
Deliverable D2.2 version 1.1
Dr Filippo Marchetti, Dr David Barnard-Wills
Brussels – London – Budapest, May 2018
Distribution level: Public
A report prepared for the European Commission's Directorate-General for Justice and Consumers (DG JUST).
The STAR project (Support Training Activities on the data protection Reform; 2017-2019) is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (REC-RDAT-TRAI-AG-2016) under Grant Agreement No. 769138.
The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.
Permanentlink:
https://projectstareu.files.wordpress.com/2018/05/STAR_D22_report_on_the_findings_of_the_interviews.pdf
Authors (Name – Partner)
Dr Filippo Marchetti – TRI
Dr David Barnard-Wills – TRI
Internal Reviewers (Name – Partner)
István Böröcz – VUB
Gábor Kulitsán – NAIH
David Wright – TRI
Anna Johnston – Advisory Board
Attila Kiss – Advisory Board
Institutional Members of the STAR Consortium (Member – Role – Website)
Vrije Universiteit Brussel (VUB), Research Group on Law, Science, Technology and Society (LSTS) – Project Coordinator – vub.ac.be/LSTS
Trilateral Research Ltd. (TRI) – Partner – trilateralresearch.com
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) – Partner – naih.hu
Version 1.1 – 30/05/18
Table of Contents
1 Background to the STAR project (p. 4)
2 Executive summary (p. 5)
3 List of abbreviations (p. 6)
4 Introduction (p. 7)
5 Methodology (p. 8)
6 Mapping the existing GDPR training practices (p. 10)
6.1 Introductory considerations (p. 10)
6.2 Training methodology (p. 10)
6.2.1 General considerations (p. 10)
6.2.2 Methodological characteristics (p. 11)
6.2.2.1 Target groups (p. 11)
6.2.2.2 Type of training (p. 12)
6.2.2.3 The existing training materials (p. 14)
6.2.2.4 Feedback (p. 16)
6.3 Training topics (p. 17)
7 Determining the future needs in GDPR training (p. 19)
7.1 Training methodology (p. 19)
7.2 Training topics (p. 20)
7.3 Further aspects (p. 23)
8 STAR: the way forward (p. 25)
1 Background to the STAR project
The STAR project (Support Training Activities on the data protection Reform) is providing support to the training activities of European Union (EU) Data Protection Authorities (DPAs) and data protection officers (DPOs) on the EU data protection reform, especially the General Data Protection Regulation (GDPR).
The GDPR requires these two categories of data protection actors to undertake training activities (Arts 57(1) and 39(1)(b)). Each DPA developing such materials in isolation increases the overall cost, risks undermining the harmonising effect of the GDPR and puts greater pressure on its consistency mechanisms. STAR will thus provide them with necessary and efficient training materials and resources. In particular, STAR will:
1) formulate the training topics in close cooperation with stakeholders,
2) author the actual training materials,
3) validate and test them in pilot trainings.
This output will be freely and publicly available in English in a digital form. STAR is directly addressed to EU DPAs and DPOs; it also offers a benefit to other privacy and data protection professionals in the EU and beyond. The STAR consortium will encourage stakeholders to translate the materials, where appropriate, to tailor them to the audience's mother tongue, and will kindly ask stakeholders to allow the translated materials to be published on the project's website in a spirit of European cooperation and to foster the effectiveness of STAR.
STAR supports the legal obligations of DPAs and DPOs to undertake training activities and, in order to facilitate their work, will provide them with ready-made, easy-to-customise and easy-to-run training materials, easily adaptable to specific training situations. STAR will also provide to the European Data Protection Board (EDPB) the common training programmes (Art 70 GDPR). The main outputs are thus the training materials and resources themselves. While their exact format and nature will be refined in cooperation with stakeholders, the following will at least be included:
1) Training scenarios for each training category,
2) A Seminars' Topics List, based on the training scenarios,
3) Seminar Material for each one of the seminars,
4) Webinars (selected from the Seminars' Topics List),
5) A training Handbook,
6) A takeaway reference GDPR checklist,
7) A ten-point GDPR introductory list.
STAR – Deliverable D2.2
5
2 Executive summary
The aim of the STAR project (Support Training Activities on the data protection Reform) is to contribute to fostering the harmonisation of training activities on the General Data Protection Regulation (GDPR), to ensure that the goal of unifying data protection at European level is not undermined by scattered training of operators in the public and private domains. This STAR Project deliverable provides an overview of the consortium's findings under project activities 2.2 and 2.3, namely stakeholder engagement through semi-structured, qualitative interviews, and the analysis of existing training materials dealing with the GDPR and the upcoming data protection regime in general. The aim of these activities was to inform the requirements for training materials and provide the consortium with an overview of existing training practices and the training material available in this domain.
The consortium was able to contact and interview Data Protection Authorities (DPAs) and Data Protection Officers (DPOs), as well as data protection experts. The project team also interviewed other stakeholders who do not hold training responsibilities, but who were able to offer additional perspectives.
A key finding is that the approach and points of view of DPAs and other stakeholders diverge in terms of substantive training as much as they do with regard to the current and prospective training methodologies. On the one hand, authorities tend to deliver (and consider most important to deliver) more institutional, theoretical training on the GDPR, aimed at creating in trainees a clear picture of the legal framework in which both regulators and regulated operate. On the other hand, other stakeholder trainers, in particular those who provide training for a profit, tend to focus on more operative aspects, such as procedures and methods to comply with the GDPR provisions.
In terms of training methodologies, face-to-face, in-class training is preferred both by DPAs and by other stakeholders, but they are interested in technologies that allow trainers to reach a higher number of stakeholders, such as webinars to train all employees of a certain company, or videos for the general public. The target of the training however differs, as the drivers and ultimate goals of DPAs and other stakeholders also differ.
In terms of existing training materials, practices also vary, with a strong focus on general slides and not functional guides and checklists. As this deliverable shows, this best-practices-mapping exercise allowed the consortium to identify several aspects worth considering, such as necessary graphic elements, a serious need to pay attention to accessibility, and similar aspects.
This deliverable captures the current status of GDPR training and gives a clear indication to the consortium on what topics are best addressed in and what methodologies are best used for developing the STAR training materials.
3 List of Abbreviations
DPA: Data Protection Authority
DPD: Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, ELI: data.europa.eu/eli/dir/1995/46/oj)
DPIA: Data Protection Impact Assessment
DPO: Data Protection Officer
ePrivacy Directive: Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ELI: data.europa.eu/eli/dir/2002/58/oj)
EU: European Union
GDPR: General Data Protection Regulation (Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, ELI: data.europa.eu/eli/reg/2016/679/oj)
STAR: Support Training Activities on the data protection Reform
WP29: Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under Article 29 of Directive 95/46/EC (Article 29 Working Party)
4 Introduction
This report is the first public deliverable drafted in the context of the STAR Project. Its purpose is to map and understand the existing landscape of training by Data Protection Authorities (DPAs) and Data Protection Officers (DPOs), and the existing training material used. It is also intended to capture the training needs of these actors, and thereby inform the developers of new training materials by the STAR project.
The information supporting this report derives from two sources. The first source is semi-structured, qualitative interviews carried out in January-April 2018 with representatives of the Member States' DPAs and public and private sectors' DPOs. These interviews aimed to identify the current training practices of both categories of stakeholders and assess their foreseeable needs for the future. The second source of information is a collection of existing training materials that the research consortium obtained from the interviewees and by carrying out extensive research on the DPA websites, as well as on the websites of other organisations that provide GDPR training services.
To give stakeholders an accurate overview of the consortium's findings, and for the STAR project's next phases, this report sets out the methodology, the findings, and some concluding considerations concerning both the conducted interviews and the assessment of the existing training materials. While the determination of the training materials that the consortium will develop during this project will be the object of a different, dedicated document (Deliverable 2.4), this document includes the concluding remarks of an analysis of the existing materials aimed at identifying the existing best practices and key worthwhile features to include in the STAR materials.
The requirements and specifications for the training materials to be developed by STAR can be found in the companion report – Deliverable 2.4.
5 Methodology
To develop this report, the STAR consortium partners [Vrije Universiteit Brussel (VUB), Trilateral Research (TRI), and Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH, the Hungarian DPA)] conducted a series of semi-structured, qualitative interviews with a) senior representatives of several Member States' DPAs and b) DPOs, data protection experts, and other stakeholders between January and April 2018. These oral or written interviews lasted between 25 and 60 minutes and were based upon an interview guide developed and validated by the research consortium in January 2018. The "Interview templates for interviewing DPAs and other stakeholders" (STAR Deliverable 2.1) were carefully planned to address the information needs for the project, namely mapping the current training practices and investigating the potential training needs of the stakeholders. Consequently, all questions were intended to solicit key information required for planning an effective training scheme in the STAR project.
The stakeholder interview approach had been validated by the consortium partners' previous collaboration in other projects, such as Improving Practical and Helpful Co-Operation Between Data Protection Authorities (PHAEDRA) I and II, where the methodology had proved a suitable way of collecting and understanding DPA perspectives.[1] The semi-structured approach using agreed templates allows for flexibility and adaptation to particular interviewees,[2] but also consistency across the different interviewers.
The interviews were carried out exclusively through the use of technological means, either by phone, by Skype, or by making resort to other conference call services as requested by the interviewees. Upon explicit request, as well as when a "live" interview could not be arranged – mainly due to time constraints of DPAs that are now extremely busy in view of the GDPR applicability deadline – the interview questions were provided to the participating stakeholder institution to be completed as a written questionnaire.
Where circumstances allowed, and participants gave their consent, the interviews were audio recorded. All interview answers were inserted in a single Excel file, and anonymised to ensure confidentiality by removing any reference to the interviewee name, title, or contact detail from this file.
A few interviewees requested the opportunity to see and approve their interview transcript. In these cases, the answers were extracted from the abovementioned Excel file and sent to the interviewee directly. In all cases, we received the interviewee's approval.
The consortium contacted all Member States' DPAs to present the project and ask their availability to be interviewed. The majority of them replied positively and were interviewed in the abovementioned timeframe. A few DPAs showed interest in the project but declined to participate due to work overload in the months prior to the 25 May 2018 deadline or to the limited training activities carried out. The consortium did not receive any response from a limited number of DPAs despite multiple attempts to contact them, by email and phone. In total, the consortium was able to interview 17 DPAs, including two German State DPAs (Landesbeauftragter für Datenschutz).
[1] Barnard-Wills, D., Pauner Chulvi, C., & De Hert, P., "Data protection authority perspectives on the impact of data protection reform on cooperation in the EU", Computer Law and Security Review, 32(4), 2016.
[2] Fielding, N. & H. Thomas, "Qualitative interviewing" in G. Nigel (Ed.), Researching Social Life, London, Sage Publications, 2001; Rubin, H.J. & I.S. Rubin, Qualitative Interviewing: The Art of Hearing Data, London, Sage Publications, 1995.
List of the interviewed DPAs:
• Austria
• Bulgaria
• Cyprus
• Czech Republic
• Estonia
• France
• Germany (Niedersachsen)
• Germany (Schleswig-Holstein)
• Hungary
• Italy
• Malta
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• United Kingdom
With regard to the interviews with other stakeholders, the consortium managed to interview a sample of 15 DPOs and data protection experts who are in charge of training activities in their organisations. They mainly operated in the banking, education, legal services, and consultancy sectors, giving a good cross-section of DPO concerns relative to the sample size. Moreover, a few additional interviews have been carried out with stakeholders without training responsibilities, such as civil servants and similar officers. In addition, the consortium tried to get in contact with the main DPO associations operating in the Member States, and despite several attempts, only one association responded and was interviewed.
With regard to the analysis of the existing training materials, a critical analysis has been carried out to detect the current best practices, as well as to pinpoint the characteristics that the STAR training materials should have for them to be 1) easily adaptable to each training situation and 2) easily understandable by audiences with different education, experience, and cultural backgrounds.
Some of the existing materials have been directly provided by the interviewees upon the consortium's request. Where the circumstances did not allow the interviewees to share those materials, an open source search has been carried out on several DPAs' and organisations' websites. A total number of 87 sample materials has been collected and catalogued by the consortium, and a sample of 60 of such documents[3] have been analysed and evaluated based on the criteria of accuracy, comprehensiveness, suitability, coherence with the regulatory environment, delivery quality and clarity, certification, cross-border relevance, and accessibility.[4] The results of this analysis now converge into this document to enrich the analysis of the interview outcomes and will contribute to the development of the STAR materials.
[3] The remaining materials have not been analysed due to linguistic barriers.
[4] These criteria were acknowledged by the majority of interviewees as an appropriate basis for analysis of training materials. See below, para 3.2.2.3.
6 Mapping the existing GDPR training practices
6.1 Introductory considerations
The purpose of this mapping exercise is to gather information from DPAs and other stakeholders on the scope of the existing training on the GDPR; to avoid developing duplicates of already existing training materials; to investigate best practices; and ultimately to allow for the development of materials that can easily be incorporated in an existing training environment. To this end, the consortium developed questions that aimed to assess two key aspects of training. On the one hand, interview questions investigated methodological aspects of training, including but not limited to the nature of the provided training, the target audience, the materials and technological means used. On the other hand, other questions investigated the substance of the existing training, including covered topics and training priorities.
6.2 Training Methodology
6.2.1 General considerations
Most DPAs have some involvement in training
In general, the consortium observed that most interviewed DPAs at national or subnational level[5] engaged in training, dissemination, or awareness-raising activities with a view to the applicability deadline of the GDPR on 25 May 2018.
Training approaches are highly variable across the EU
The approach to such activities varies greatly from authority to authority. Some authorities currently focus on carrying out internal training to ensure all their staff are prepared to deal with the new legislation when it becomes applicable. This is carried out in different ways depending on the size of the authority and its internal organisation. Internal training in smaller authorities involves most, if not all, of the personnel in the same, interactive session, due to the ease of engaging activities in small groups. A few bigger authorities tend to organise internal training sessions that are attended by a selected audience of officers of different departments.
Not all DPAs see external training as a current duty
External training (i.e. providing training to non-staff) is not unanimously perceived as a current duty. While most – if not all – DPAs provided or are providing internal training, answers on external training were more diversified. Some of the interviewed DPAs do not consider themselves currently compelled to train externally, some of them arguing that this need is being addressed by private-sector services. Some others engage in some sort of training, although the level of planning differs.
[5] The allocation of supervisory powers at national or subnational level depends on the legal system of the EU Member State, provided that also a national DPA exists in countries where such powers are devolved at subnational level.
The consortium observed that there is limited correlation between the size of the authority and its choice to engage in external training: a few smaller DPAs provide external training, though their size of course influences the nature of the training provided. However, it has also been observed that smaller DPAs are generally more committed to taking part in dissemination events, including giving presentations to specialised audiences in industry sector associations' meetings and taking part in conferences at national and international level, perhaps as a way to maximise limited resources.
External training is not always strategic
These external training activities are sometimes organised and planned in advance by the issuing authority as part of a strategy, and some other times are developed on an ad-hoc basis in response to specific requests by State administration or external stakeholders to provide training. While this difference may be due to a different approach to training, the amount of resources and staffing also has its weight in deciding if and to what extent a planned training programme must be organised.
Most "training" material is passive dissemination
With regard to dissemination and awareness-raising activities, most DPAs developed and made informative materials available on their websites to ensure that organisations and citizens in need of information on the GDPR innovations may access knowledge for free and from an official source. These materials are mostly means for passive dissemination, such as handbooks and info-sheets, but they sporadically also included videos. In a limited number of cases, DPAs engaged in informative sessions or awareness-raising activities with schools.
Some DPAs are still waiting on national legislation
A last general point to be noted concerning the DPA activities is that some Member States have not yet issued national laws to complete the parts of the GDPR that require the latter to do so. Therefore, a few DPAs are still waiting for these regulations to be issued to plan a comprehensive training or awareness-raising scheme.
Nature of the training organisation is critical for the type of training
While the distinction between internal and external training is relevant when investigating the DPAs' activities, it has limited relevance when dealing with other stakeholders, such as DPO associations, DPOs, and officers with data protection responsibilities. This is due to the fact that the nature of the organisation's activities plays a key role in determining whether they will be in need or encouraged to engage in internal or external training activities. For instance, banks will be more inclined to engage in internal training to ensure their employees are well aware that the privacy culture is changing, but will not be inclined to engage in external training. At the same time, consultancy firms and law firms are more inclined to enter the market of GDPR training for business reasons, while their professionals will be GDPR experts able to provide such training.
A few organisations provide training for subsidiaries or parent organisations that is focused on their specific needs, especially with regard to data protection obligations for non-privacy-specialists.
6.2.2 Methodological characteristics
6.2.2.1 Target groups
As said, though the landscape is not homogeneous, DPAs offer both internal and external training.
Internally, they carry out training activities to prepare their staff for the entry into force of the GDPR. As anticipated, the target group for smaller DPAs tends to include most – if not all – of the authority's staff. Bigger DPAs carried out the internal training in different ways, including seminars with a restricted audience to ensure interaction among participants. In this latter case, each DPA department is represented by one or more officers, while a DPA expert gives a presentation on a specific topic.
Externally, DPAs carry out training activities both with public and private sector organisations. In many cases, these activities seem to be focused on training the public sector first. On the one hand, this seems reasonable due to the fact that public bodies – especially in some countries – have limited possibilities to make resort to private services due to bureaucracy or limited resources. On the other hand, this risks the private sector lacking consistent training from public authorities and becoming reliant on private services only.
As expected, the approach of external trainers[6] in the private sector is complementary to that of DPAs, as they tend to focus on training companies and other organisations in the private sector as a priority. Of course, as anticipated, some stakeholders also provide training internally. Up to a certain extent, this data may be interpreted as highlighting the market-orientation of non-institutional trainers. Their approach is market-led and profit-oriented, and as a consequence, they focus their training on the market segments that are willing to pay for training. If the DPAs focus on training in the public sector and on awareness-raising activities, private organisations may fill the gap in offering training to other categories of stakeholders.
While the DPAs' training activities usually avoided defining target groups based on their role in the target organisation (they often mention training DPOs and IT officers), the training carried out by non-DPA stakeholders is highly tailored and aims to cover all corporate functions. Indeed, in addition to DPOs and IT officers, most trainers mentioned bespoke training sessions for C-level executives, managers, and even employees without data protection tasks but who may be in a position to detect privacy-related issues in the company operations. These employees have been defined in an interview with an Italian privacy expert as "privacy antennas".
With regard to priority in training specific target groups, private organisations offering training tend to first train C-level executives and DPOs, and then progress to a more spread and general training across the organisations. To this purpose, though, economic and organisational capacity plays an important role. One of our interviewees explained that their organisation had first attempted to roll out a general training course for all employees, and then rolled back to focus only on mid-level management due to lack of capacity.
6.2.2.2 Type of training
Concerning the type of training offered, different trends have been observed among DPAs vis-à-vis other stakeholders. Exempting passive, informative-dissemination and awareness-raising campaigns on DPA websites, in terms of active training both stakeholder categories expressed a general preference for in-class, face-to-face lectures. Reasons given for this preference included the effectiveness of face-to-face interaction, increased attention of trainees as opposed to lack of attention and distraction when attending webinars or online modules, and the possibility of asking questions directly and obtaining an answer straight away.
[6] On this, see the distinctions made above, para 3.2.1.
DPAs rely almost solely on face-to-face delivery methods for training, either at their premises or in other locations. A very limited number of authorities engaged in different types of trainings, such as the creation of videos, webinars, or other forms of distance learning. Interactive training is also practiced, mainly by organising seminars with a restricted number of participants in order to ensure interaction among participants and with the instructor. This is especially done in smaller DPAs for the purposes of their internal training.
Non-DPA stakeholders with training responsibilities appear keener to engage in innovative forms of training. Interviewees often mentioned webinars, distance live lectures, online training platforms, telephone training, on-the-job/mentorship training or work review, and simulated games, in order to reach bigger audiences or make the training more flexible and adaptable to every work situation (a few trainers also mentioned that some trainees take this kind of courses during breaks). At the same time, a few stakeholders acknowledge that distance learning is less effective than in-class training (noting problems with distractions or "multitasking"), while noting that it is still better than no training in cases of limited resources.
Across the board, interviewees appreciated methods such as Question and Answer (Q&A) sessions and the creation of written Frequently Asked Questions documents (FAQs), as these were considered an efficient method to achieve satisfaction among participants and – at the same time – to investigate the actual needs of the trainees to refocus future trainings on the most relevant topics.
In case of face-to-face training, the size of classes varies. In general, DPAs tend to organise external training for classes of over 30 and up to 100 participants. This may be related to the need to train as many people as possible while operating with limited human resources. DPO trainers, however, tend to train smaller classes, mostly because, due to the more tailored nature of training, the size may be tied to the amount of people with a certain role in a company (number of C-level executives, number of IT experts, etc.). When the size of the classes increases, they tend to resort to webinars and other alternative means, as webinars allow more participants to take part in the training without requiring a further logistic effort. A few interviewees also claimed to offer one-to-one training sessions, especially to top management of private sector companies.
In terms of length of the training, there is a general understanding that a general, foundational GDPR training to set the bases for future trainings or for self-study may be carried out in around one working day (7 hours with breaks). However, this preparation would not equip the trainee with the tools to work independently without further study. The 2- or 3-day format is preferred by the majority of DPAs and other stakeholders for external training, as they claim it allows them to provide an adequate substantive preparation in a time that is respectful of logistics and other aspects (travel time to and from the venue, time away from normal job roles for trainees). Internal training sessions tend to be shorter in terms of hours or days. Seminars may last up to 4 hours, but a few DPAs tend to organise shorter sessions, however distributed over a wider period of time (akin to continuous professional development). Finally, a small number of DPO trainers offer a more structured, typically 1-week training that leads to some sort of certification, such as DPO certification or GDPR professional certification.
6.2.2.3 The existing training materials
The materials collected and analysed by the consortium cover almost all of the European DPAs. As mentioned before, materials have been analysed based on the previously-determined criteria of comprehensiveness, suitability, coherence with the regulatory environment, delivery quality, certification, cross-border relevance, and accessibility.
While the materials issued by a few countries have not been analysed in full due to linguistic barriers, they have still been analysed, together with all other materials, in terms of structure, key elements, and accessibility.
While most of the private-sector interviewees were reluctant to share their training materials – even samples of them – with the consortium for commercial reasons, it has still been possible to collect a limited number of materials online. This analysis can provide the following observations:
Presentation slides and documents are the industry norms
As is the norm across many industries and sectors, digital presentation slides are by far the most used training material in this context, both by DPAs and by other stakeholders. Due to the prevalence of in-class training, such an outcome was expected by the consortium. Handouts, such as legal texts, documents and guidelines issued by the Article 29 Working Party (WP29) or by DPAs, are also often used in coordination with slides.
Both DPAs and DPO trainers make regular use of infographics, checklists, FAQs, and similar materials to ensure easier understanding and access to information, and to give participants a reference to take away from the training.
In general, the materials available on the DPAs' websites are PDF-format documents containing thematic guidelines, checklists for compliance, and general guides on the GDPR. Therefore, while introductions usually make clear the purpose for which each document has been prepared, they only rarely identify a specific target audience. At the same time, due to the fact that such materials are openly accessible online and do not pertain to a comprehensive training scheme or training session, no indication is usually made on what time the reader should dedicate to the study of each material. A small amount of materials are PowerPoint presentations used by authorities in training sessions, conferences, and other dissemination events.
Alternative delivery methods are rare
DPAs rarely rely on additional materials beyond the above, while other trainers reported also making use of e-learning platforms, videos, handbooks, databases and wikis both for internal and for external use. Notably, in a few of these cases e-learning platforms were used relatively passively, as a vehicle for hosting presentation slides online, to enlarge the potential audience, but without setting up a bespoke course (or making use of interactive or assessment features, for example).
Materials are often generalist
As to the structure of the materials, most of them include an introductory section aimed at introducing the reader to the topic treated in the document, and the majority of them include a table of contents to assist the reader in identifying the subtopics they are most interested in. However, only a small minority of the materials contains an indication of further readings for those who wish to dive into the topic and achieve a more complete preparation. This seems to be a relevant issue in the current practice, because the more general the documents are, the more indications they might be expected to contain to redirect readers to more specialised materials.
STAR – Deliverable D2.2
15
Training methodologies are missing

Another missing element in most of the materials, including in the collected PPT presentations, is any mention of the training methodology, a topic that is often addressed in the materials prepared by other stakeholders. There is available material, based upon the relevant legislation, but this material can only rarely be considered to be training material with a pedagogic design.

Content is mostly relevant and up to date

In terms of content, the collected materials are usually up to date with the new developments in the data protection landscape, as should be expected from data protection authorities. A few of them include links to WP29 guidelines and to other regulatory clarifications issued after the entry into force of the Regulation. The content is mostly relevant and will be of use for several kinds of audiences, ranging from private citizens to organisations. However, it must also be noted that a few of the collected general guides are so theoretical that corporate and organisational stakeholders will likely have to look elsewhere to find more operative, practical guidance on how to comply with the GDPR. Finally, the consortium found the content of these materials mostly accurate and without flawed aspects.

Material doesn't always cover the full regulatory environment

Still in terms of content, not every material addresses the entire GDPR regulatory environment. While guidelines usually follow the structure of the GDPR and therefore cover all of its content, most of the remaining materials deal with single topics, such as Data Protection Impact Assessments (DPIAs), DPOs, or the rights of data subjects, and therefore leave other GDPR innovations to be dealt with in other materials issued by the same DPA. This likely supports a user browsing for guidance or information on a specific topic, but with a general grounding already. A relevant aspect to highlight is the general lack of a systematic approach in training recipients on the full system that will be in place once the GDPR becomes effective: indeed, in none of the collected materials was any reference found to the other data protection regulations in force, such as Directive 2002/58/EC (ePrivacy Directive) or similar. Furthermore, an extremely limited number of materials contained real-life examples, case studies or scenarios.

International dimension is often missing

Finally, with regard to contents, while many materials address the topic of international data transfers, very few of them approach data protection taking into account transnational situations beyond data transfers. Indeed, nearly all the materials have a very national approach, address almost exclusively entities and people in a certain Member State and are drafted in the language of that Member State. This, of course, does not tell the whole story in terms of how these materials will have an actual transnational reach. Especially due to the language in which they are drafted, the materials issued by the UK Information Commissioner's Office (ICO, the UK DPA) were reported as sometimes taken into account by practitioners in other Member States: this happens regardless of whether the ICO issued them having foreign recipients in mind. The same goes for other materials issued by countries whose language is spoken or understood abroad, and for regulators in countries with a large number of multinational companies, whose guidance becomes relevant across borders.
Language varies between the general and the legal

In terms of linguistic register, two different approaches coexist in the current landscape. On the one hand, some DPAs focus on general, non-technical, easily understandable language, for stakeholders to easily grasp the meaning of the new concepts introduced in the GDPR. On the other hand, a few DPAs opted in favour of offering readers more technical, precise guidance. In this second case, which is however a minority, materials are drafted using a more legally solid linguistic register.

Materials rarely meet accessibility guidance

Finally, in terms of accessibility, there is a great variety of approaches. While some DPAs do not make any effort to increase the appeal and readability of their documents, resulting in plain text guidelines that are difficult to read, some others embraced a more captivating style in order to make the documents more appealing. The latter often make use of infographics, images, graphs, and tables to aid the explanation of concepts. As a consequence, a document on DPIAs drafted as a plain text essay will be much more difficult to understand than a document in which text is accompanied by graphs and infographics. Nonetheless, it must also be noted that some of the texts falling in the first category are drafted in a more technical and/or legal language, which means that the intended audience for such materials may differ from the intended audience of the more communicative materials. However, the more communicative materials are not necessarily less useful to a more specialised audience just because of the way they are drafted.

Finally, concerning again accessibility, while most of the materials are accessible to the hearing impaired, as they are written documents, no material has been found that is specifically designed for visually impaired people, with the exception of a few explanatory videos available on the YouTube channels of a few DPAs. However, as one may imagine, these videos are very rarely as detailed as the written documents, as the former are mainly conceived for dissemination and awareness-raising purposes. Formatting for accessibility (e.g. through screen readers or text-to-voice software) is mixed within the sample. Some collected documents were easily accessible in this manner (for example, because they are simple text documents) but many other more visually complex documents lacked accessibility features such as alternate text for images, tags, Unicode characters, or language specification, which could cause problems for users of accessibility software.
6.2.2.4 Feedback
In the interviews, we explored the extent to which feedback on training was collected and used. Feedback is normally collected as a standard end-of-session or end-of-training questionnaire to monitor quality and to get the trainees' perspective. DPAs mostly rely on this tool or on more informal feedback collection, such as an oral, unstructured feedback session at the end of the seminars. In many cases, however, interviewees reported that feedback was not collected at all.

Other stakeholder trainers rely on the same tools but reported a more structured collection and analysis system for feedback. A limited number of them rely on their Human Resource departments for developing and then extracting information from the questionnaires regarding their internal training.
6.3 Training topics
In terms of substantive scope, nearly all of the interviewed DPAs that provide training have focused or are focusing on the general structure of the GDPR, targeting audiences with little to no experience in data protection. Such sessions aim at setting the grounds for further self-study or training with the DPA or other training providers.

Outside this general training, most of the DPAs heavily focus on the innovations of the GDPR compared to the old legislation (national implementations of Directive 95/46/EC (DPD) and others). This includes teaching the new concepts and tools introduced with the Regulation (e.g. the DPIA, sanctions, territorial scope, etc.), the new obligations for data controllers and data processors (e.g. risk-based approach and accountability, data breach notification, etc.), as well as the new rights of the data subjects (e.g. data portability). In this case, there is a general assumption that, despite not having any prior preparation on the GDPR, their audience is at least acquainted with data protection law and with the concepts guiding the regime of the DPD, or that the primary concern of their audience is transitioning from the old regime to the new.

Nearly all interviewed DPAs mentioned the fact that they are also including information on national legislation in the training. Indeed, though the GDPR is directly applicable in all Member States, a small but relevant number of rules require national legal systems to enact legislation to complete or define a few aspects (for instance, it is still national law that defines what a Public Authority is under EU data protection law). DPAs, as well as nearly every interviewed stakeholder, underlined the necessity of taking national law into account when designing a data protection training scheme. The understood priority for end-users was that the scheme covers the relevant law for their context and operations, not that it be conceptually driven by the legal instrument.

A very limited number of DPAs are determining the scope of their training activities based on requests from their trainees. Indeed, while this is a very common approach in the private sector, where training activities are reconfigured based upon the needs of the "customer", DPAs tend not to organise request-driven training sessions. This, coupled with the relative lack of feedback collected by DPAs from training sessions, potentially leaves DPA training at some distance from its potential users.

A limited number of DPAs did however report organising bespoke training for specific industries, such as the financial sector, the health sector, or the public education sector.

It is to be highlighted that one of the most relevant differences between DPAs and other trainers is the approach to the operative dimension of GDPR compliance. While DPAs seem to adopt a more theoretical approach for conveying GDPR knowledge, such as reading and explaining or commenting on the GDPR legal text, DPO trainers tend to focus on the practical aspects of the new legislation. This includes operative instructions to carry out and deliver adequate DPIAs, the impact of the GDPR on contracts with suppliers and clients, how to update the documentation on data transfers, the record of processing activities (data registers), the function of binding corporate rules (not without criticisms about the slowness of DPAs to provide guidance on this point), and the practical obligations for the newly appointed DPOs.
Additional, specific, practical training topics mentioned by non-DPA trainers include:
• Procedures to comply with new rights of data subjects
• Obligations for data controllers and processors
• Lawfulness of processing
• How to use privacy-related IT tools
• DPO – appointment and role
• Record of DPA activities
• Data protection in employment contracts
• Big data and the GDPR
• Anonymisation
• Mobile device management
• SAP [7]
• Direct marketing
• Complaint procedures
• Data lifecycle management
• Data processing audit
• Regulatory and compliance gap analysis
• Training clients' staff on GDPR and compliance
• Structuring data processing methods
• Preparing compliance strategies and action plans
• Compliance documentation
• Data protection impact assessment
• Notification of personal data breach

[7] SAP is software that aims to facilitate organisations' management of business operations and customer relations.
7 Determining the future needs in GDPR training

In addition to questions concerning the existing training practices of DPAs and other stakeholders, the consortium asked their interviewees to express themselves on the training practices, contents, and materials they expect to be useful for them or for the general public in the near future, including what topics they expect our consortium to focus on for the next phases of the project.
7.1 Training methodology
In most of the cases, DPAs and stakeholders are convinced that their current training methodology will prove adequate also for further training.[8] Nonetheless, though the majority of stakeholders, both DPA and non-DPA, are convinced that face-to-face classes are still the most effective way to convey knowledge, they also provided several examples of innovative and alternative training, both as a wish for the consortium to explore these areas and as an ambition for them to realise these trainings in the future. They mentioned webinars, online platforms, video series (especially with operative content and practical examples), live chats, case studies, and Q&A sessions. In nearly all cases, DPAs and other stakeholders strongly wished future training schemes to have a practical approach with examples, case studies and simulations, templates, and checklists.

With regard to the audience for these trainings, DPAs expressed the belief that a sector-based approach would be preferable to the more common topic-based approach that currently dominates.

In addition, despite their readiness to explore new types of training, DPAs underline that trainees wish to have the materials as handouts for reference. Therefore, even in future training schemes, the possibility of providing the audience with written handouts should be included.

In terms of structure and duration of the training, a variety of inputs have been received from DPAs and stakeholders. However, in general it can be concluded that DPAs are satisfied with the length they are currently able or willing to offer and they do not expect future training schemes to alter this length: courses and workshops lasting 1-3 days to provide a general knowledge of the GDPR, and 30 minutes for single webinar modules. All sessions should be concluded with Q&A sessions, as discussion was highly valued by nearly all respondents. This is also supported by most theories of learning and training. This format and length is common across industries and, to some extent, the GDPR training available conforms to general corporate training practices, rather than to an inherent nature of the content or subject area being trained.

Similar but not entirely matching opinions have been received from non-DPA trainers. They would stretch full courses up to a week and have thematic workshops last half a day to one day. Webinars would last about 1 hour, while e-learning courses may be longer, due to the fact that they can be paused and resumed. This suggests many trainers feel under pressure in terms of teaching everything they consider important, or necessary for their trainees, within the logistical time constraints.

[8] See above, para 3.1.

A general request on methodology is that future training adopt an easily understandable language that aims at 'decoding' the legal and IT language that is used in the GDPR and other related documents. There is a general pressure to move from a legal-theoretical exposition of the GDPR for experts to practical and easily understood material for practitioners (at various levels).

In terms of the degree of focus to adopt in future trainings, there is no convergence among DPAs on whether trainers should focus on providing very specific, in-depth training or more generally accessible materials for the public. One could argue that this divergence derives from the approach that DPAs have adopted so far: working with limited resources, some DPAs have focused on general information and awareness-raising, while others have focused on getting some key sectors ready for the GDPR; as a consequence, the first group prefer future training to dive deep into specific issues, to complete their work and provide materials they cannot provide due to limited resources, while the second will have the opposite wish, having neglected general information in order to train critical sectors in the national economy. There is demand from both perspectives, but also potential material in both which can be drawn upon in a holistic training scheme.

Another point of disagreement is whether future training materials should aim at training non-DPA stakeholders only or DPA staff too.
7.2 Training topics
A relevant question in this context of transition from the old DPD harmonised system to the new GDPR unified regime is whether the above-mentioned[9] training topics will still be adequate to train data protection professionals in 1 or 2 years' time. Indeed, by that time, not only may new legislation have been released alongside the GDPR,[10] but also a comparison with the old system, which is now the most common approach to training, will lose its relevance, and, as a consequence, the existing training packages may need reworking. Additionally, as new practitioners enter the workforce or new firms engage in personal data processing, they will have little familiarity with the old regime, and a comparison between the two will not be educationally useful.

To this end, it was important to investigate the topics that DPAs and other stakeholders consider most important to train professionals in, to outline accurate and useful training materials for future use. The consortium asked both DPAs and other stakeholders about their expected priorities on training topics.

For DPAs, the consortium's findings are that the teaching priorities may be reorganised as shown in the following table. This table is organised based on the number of times each topic has been flagged as a priority by interviewed stakeholders. These priorities regard the current training needs of stakeholders, but it may well happen that – with new best practices arising and case law increasing over time – they could change in the medium to long term.

[9] See above, para 3.3.
[10] E.g., the ePrivacy Directive is undergoing a reform process that will probably lead to the enactment of an ePrivacy Regulation to complement and complete the GDPR regime in the online environment (see: ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation).
Table 1: DPAs' teaching priorities

Tier 1
• Basics of the EU data protection framework, including its rationale, key concepts, and legal framework (focus GDPR).

Tier 2
• Rights of the data subject (and how to exercise them);
• Technical and organisational requirements and measures for data security (including data minimisation, pseudonymisation, anonymisation, …);
• Role of the Data Protection Officer (appointment, duties).

Tier 3
• Data Protection Impact Assessments.

Tier 4
• Duties and obligations of data controllers and processors;
• Data breach: procedures and notification.

Tier 5
• The value of privacy and data protection;
• Data Protection Authorities: role and powers;
• Legal bases for the lawful processing of personal data;
• Data Protection by Design and by Default.

Tier 6
• National data protection frameworks;
• Records of processing activities (data protection register).

These topics indeed reflect the most relevant innovations in the data protection context once the GDPR becomes applicable. The rights of the data subjects have been increased in number and in substance and now include ones such as the right to be forgotten, the right to data portability, etc. Even the legal bases for the lawful processing of personal data have been reworked and require organisations to take them into account. The duties and obligations of data controllers and processors are also a part of the GDPR that greatly innovates from the DPD system. This includes enhanced notification duties, and processors become fully responsible for their processing wrongdoings whether or not they remain compliant with their contractual duties. The GDPR also innovates in terms of technical and operational measures to ensure adequate protection of the data subjects' rights and freedoms: the old Directive, drafted in 1995, was obviously lacking any contemporary technological tool to protect privacy. Training organisations on the role of the DPO is also an expected priority for DPAs: indeed, DPOs will be the main interlocutors for DPAs in the future, especially in very sensitive fields; at the same time, it is not surprising that DPAs are willing to ensure that all stakeholders are aware of their role and regulatory and sanctioning powers. DPIAs and the records of processing activities are among the most relevant innovations in the GDPR, as they are both self-assessment and reporting tools for organisations on whether their approach to data processing is correct, and a formidable element to take into account for the purposes of the DPAs' audits. Moreover, while sanctions took the spotlight as the most 'fearsome' innovation for companies, the correct management of data breaches is one of the main tools to avoid being sanctioned. The value of privacy and data protection in the corporate environment is also important, because the GDPR demands a change of approach to the protection of personal data, and concepts such as data protection by design and by default are of paramount importance to this purpose. Finally, as mentioned before,[11] national law is not completely without a role in this new regime: while the GDPR is directly applicable in all Member States, it also needs national law to complete its regime.
Based on the outcomes of the interviews and on the data concerning which DPA prioritised each training topic, the above-mentioned list may also be reorganised to highlight a more conceptual difference in approaches between DPAs. Indeed, we envisage the existence of two coexisting philosophical or strategic approaches to training. On the one hand, a group of DPAs focus on a more theoretical/conceptual approach to teaching the GDPR. These DPAs focus on giving an overview on aspects such as the new rights of data subjects, the obligations for controllers and processors, the value of the protection of personal data and data protection by design and by default.

On the other hand, a second group of authorities favour training on more practical aspects of the GDPR. These authorities tended to prioritise training on DPIAs, the management of data breaches, the roles and duties of DPOs and DPAs, and technical and operational measures, including data security.

Although some DPAs favour more practical aspects when mentioning the training they expect to deliver, non-DPA trainers have an even more practical approach. Indeed, in addition to the above-mentioned topics, non-DPA stakeholders highlighted the importance of training on aspects such as:
• the GDPR impact on contracts;
• risk management strategies;
• organisational procedures (including forms);
• how to practically deal with data subjects' requests;
• how to practically obtain and manage consent.

It is to be highlighted that not every above-mentioned topic may prove useful in both internal and external training. For instance, while private and public organisations may find it interesting to be trained on procedures and how to draft consent forms and data registers, the same cannot be said for the staff of a data protection authority. The latter will be more interested in having a clear idea of their prerogatives, and of what they can expect from and demand of DPOs.

[11] See above, para 3.2.1.

The same can be said with regard to the depth of the training. While DPA staff will find it sufficient to have a less profound training on DPIAs, company data specialists will require a deeper and more thorough training not only on the concepts, but also on the practical aspects of DPIAs.
7.3 Further aspects
The interviewees not only answered the consortium's specific questions, but they also provided general advice on aspects the STAR team should keep in mind when preparing the training materials.

Practical focus

First of all, as already mentioned, practice should be central in the future training materials. Being too academic and abstract may prove inefficient in a context that is already crowded with general, informative materials and lacking specialised, focused ones. At the same time, the examples should be relevant, meaning that they should not be too simple or simplistic, or have niche data protection processes as their object: they should instead tackle complicated and new issues in contexts of key importance.

Cultural change

Moreover, the interviewees underline the need that all training materials should convey the message that the GDPR demands a cultural change in all organisations, and data protection shall now be at the core of every company operation. These interviewees indicated that the GDPR is also a complex management system that cannot be approached as a standard legal or cybersecurity exercise, but instead needs a multidisciplinary, integrated approach, and that, by necessity, this should guide the development of training materials in this area.

Linguistic considerations

In addition, nearly all interviewed stakeholders stressed the need for the researchers to take into account the various linguistic versions of the GDPR and to have the future training materials translated into their own national languages. Indeed, linguistic barriers are a relevant issue in the current context. On the one hand, sometimes the different linguistic versions of the GDPR are not aligned, meaning that the various versions may be interpreted differently in different Member States.[12] On the other hand, end users strongly wish to read the training materials in their own language. Even in countries that are notoriously more comfortable with English as a working language, DPAs and stakeholders reiterated the need to translate materials in order to reach the widest possible audience and to differentiate them from the existing materials. Some stakeholders also mentioned that a selected number of languages may also be useful, as long as they are chosen wisely to reach as many stakeholders as possible.

[12] On this well-known issue in EU law, see ex multis: Mišćenić, Legal Translation vs. Legal Certainty in EU Law, in Mišćenić, Raccah, Legal Risks in EU Law, Springer, 2016, pp 87-107.

National law

Also, national law should not be neglected. As mentioned before, national law still plays a role in the correct application of the GDPR, especially in very specialised contexts. To this end, it is important that training materials find some way to take such laws into account, for the former to be a useful help to stakeholders.

Positive reception for harmonised training materials

However, despite these warnings, stakeholders are generally supportive towards the effort to create harmonised training materials, claiming that they would create added value and contribute to a more uniform application of the GDPR principles by stakeholders, and that they would be of relevant help to DPAs that, due to limited financial or human resources, are not able to autonomously develop training schemes.
8 STAR: the way forward

The aim of these interviews was to map the existing practices on GDPR training by DPAs and non-institutional stakeholders, and to investigate the future training needs to obtain sufficient information for the consortium to plan the future steps of the project. The interviews have been able to draw out the perspectives of both DPAs and other stakeholders, including training best practices and some of the needs they have for the future.
The training methodologies greatly differ in the European landscape, not only when comparing DPA and non-DPA training, but also among DPAs and among other stakeholders that are similar to each other. While this may pose a challenge for the consortium to create materials that can fit every training context, it also means that a harmonisation may be particularly beneficial, especially in a few countries. Experimenting with new training methodologies is something that DPAs do not seem to do in full confidence, and, therefore, having an external input on this may function as a catalyst of innovation.

In light of the above, the following conclusions may be drawn to pave the way for the definition of the future STAR training materials.

• The affection for face-to-face lectures, with brief incursions into new practices such as webinars and videos, should be taken into account and valued. To this end, the STAR materials should take into account physical audiences, with the possibility of exploring non-physical presence in favour of a selection of innovative means of training. Materials should be available for the trainees to download and take home as they please and should necessarily contain references for further readings and other useful resources.
• The development of Europe-wide tools to help organisations manage their GDPR compliance work is also a request of stakeholders. Checklists, FAQs, and similar tools prove to be effective in giving quick, although non-bespoke, answers to the practitioners' questions and should be taken into high consideration.
• With regard to language, the request of stakeholders is clear that translations of the materials would be beneficial. While the STAR commitments are to develop free training materials in English that can then be translated into each EU language by stakeholders (for example by DPAs), it is advisable that the consortium takes this request into account and consideration.
• Methodologically, it is clear that practice shall be an important part of the materials. The strong request of stakeholders is to develop materials rich in relevant examples and real case studies/scenarios for the trainees to see the GDPR rules in context. These examples should also include both large and small, public and private organisations, to prove useful to a great variety of stakeholders.
• In terms of the content of the material, the STAR consortium must work through the existing tension between requests for general and specialist training materials. To this end, researchers will have to identify the essential topics from the ones highlighted above and to create a priority list to draw from. The STAR materials will have to find an appropriate balance that includes both general and specific content.
• On the benefits of issuing general training materials, there is sufficient evidence from this analysis to support the argument that having a harmonised general guideline on the GDPR may help to set a common foundation, which can then be further built upon. In addition, general materials do not necessarily have to take into account aspects such as national law, as they can remain at the European level and still deliver relevant, accurate, and complete materials. At the same time, opting in favour of general materials will lead the consortium into an environment that is heavily crowded with materials issued by the most diversified stakeholders. Though these materials do not aim to replace the existing, valuable materials, it is appropriate to ask how the STAR materials will differentiate themselves from the existing materials, and what elements they should have to ensure that stakeholders from the entire EU take them into account when selecting which materials they are willing to learn from.
• Developing specialised training materials would probably overcome this latter issue, due to the fact that the consortium found that there is great scarcity of these materials. They would help increase the knowledge of a certain sector in a harmonised way, and this would lead to a relevant advancement of GDPR application and compliance. At the same time, even this road presents its difficulties. The more the consortium dives into a specific topic, the more it will touch aspects of data protection law that are intertwined with other legal fields and other existing regulations. On the one hand, in this context national data protection law is more relevant, because operative regulation to complete the GDPR regime will play a bigger role in this context, and dealing with the other EU data protection rules such as the ePrivacy Directive will not be avoidable. On the other hand, there is a bigger chance that the training would touch other legal fields that are seemingly not connected to data protection law, such as, for instance, competition law, conflict of laws, insolvency law, banking law, health law, etc.

In conclusion, the STAR interviews and the evaluation of the existing training materials provided the consortium with enough foundations to define and delineate the future STAR training materials. Important decisions will be made in the next project steps, but from the interviews the take-home message for the STAR consortium is clear, and it is that a harmonisation of training practices in the EU is an ambitious and difficult-to-achieve objective, but that, if obtained, would be a most welcome outcome for stakeholders, both DPAs and non-DPA ones.