As an ISC2 member, I'm attending the online course "GDPR for Security Professionals: A Framework for Success". After the first two sessions, I have noticed a couple quite evident mistakes:
1) session "1. Setting the GDPR Strategy", emphasizes the concept that "GDPR does not include privacy or personal identifiable data". Why on earth? GDPR is all about privacy protection, and, although it doesn't use the expression "personal identifiable data", it refers to "personal data" 598 times!
2) session "2. Organizational Awareness", in response to a quiz, states that "Under Article 80 of GDPR, the amount of damages awarded could be unlimited", and that "the other choiches ('the greatesf of 10M Euros or 2%', or 'the greatest of 20M Euros or 4%) are the maximum amount that could be awarded to one data subject". This is not true: the maximum fine that can be applied to an Organization is, depending upon the GDPR infringement, either he greatesf of 10M Euros or 2% or the greatest of 20M Euros or 4%.
Both these statements need correction, in order to avoid confusion about GDPR!
Well, this is even worse:
session "6. Implementation from Policy to Organizations" states that "Devices that are used to access the systems remotely must have the login credentials stored on the hard-disk".
I really can't believe this course is sponsored by ISC2!
All of those errors are the reason I stopped half way through the course.
Some parts of the data need to be checked before the courses go online.
You'd better better looking for a general introduction to GDPR from one of the legal practices posting webinar's on BrightTalk, reading the regulation itself (as it's not particularly long) or looking at the materials the IAPP recommend for those who need a deeper understanding. I abandoned the course as ill informed.
Another wrong interpretation of another key topic contained in GDPR is evident when the course tries to explain the "rights in relation to automated decision making and profiling" . Here the teacher's explanation is "a procedure must be put in place to ensure that the user can gain access to the data the business holds and have automated processing objections acted upon". Practically, the teacher is just adding the adjective "automated" to the explanation previously relevant to the "right to object".
The real meaning of "rights in relation to automated decision making and profiling" is stated by recital 71 of the GDPR itself:
"The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her."
@AngeloCarugati I'll be sure to share this thread with our PDI team for review. They are the group responsible for the courses.
If you ever see anything in a course that needs addressing, please feel free to reach out directly to them at PDI@isc2.org - thanks!
I want to thank everyone for their feedback and would like to jump in to address some of the raised concerns. As the Content Lead for the PDI courses, I want to let you know that we take these insights seriously and have no intention of placing things in our courses that are confusing. These courses are developed by a large group of people internally, and by technical content experts like yourself. However, sometimes content may be interpreted in a particular way or come from a specific perspective that doesn’t necessarily translate well in a course. We are currently working on improving this course to address student feedback, and a revised version is set to release in early 2020. The feedback provided here is very valuable and the items you addressed will be incorporated into our revision process. Our courses are made better by our members either during the development process or through feedback like you have provided. We are committed to producing excellent courses and encourage feedback through the course evaluation and/or contacting us directly via firstname.lastname@example.org. Please continue to communicate with us and thank you again for your feedback.