Review of GDPR F Distance Learning Course & Exam
Notes on the remote course & exam offered by IT Governance
The most important thing you should know about the European Union’s upcoming General Data Protection Regulation is that:
One cannot simply “explain” the GDPR. To understand the GDPR, you must become the GDPR.
So, I’ve been studying the infamous (depending who you are) EU GDPR. It is an over-arching European privacy framework which comes into force the end of May 2018, has extra-territoriality, and which will have big implications for tech companies targeting EU citizens.
This morning I passed my GDPR F (Foundation) exam — pending review of the video file associated with my remotely proctored examination. This exam is a culmination of a course offered by IT Governance, a UK company:
Certified EU General Data Protection Regulation (GDPR) Foundation Distance Learning Training Course and Examwww.itgovernanceusa.com
EU GDPR F
Now, as far as I can tell, there is no singular “official” sanctioned exam which certifies you in accordance with the GDPR. There are two that I’ve spotted in the wild. One is an exam by IAPP, called CIPP/E. The other is this EU GDPR F & EU GDPR P exam offered by IT Governance.
So anyway, the Foundation course I took consists of around 7 hours of videos which consist of an outline delivered Powerpoint-style with a man narrating them. It costs $360 USD, and comes with a voucher to take the test through a third party, GASQ out of Nuremberg, Germany.
The course is a pre-requisite for their ED GDPR P (Practitioner) course and linked exam. The Practitioner course costs $990 USD and is supposed to be much more detailed.
The Foundation course itself was fine. If you have no experience or understanding of what the GDPR is, you might have a bit of a learning curve. Personally, I’ve done probably more than 50 hours of independent research into this regulation and it’s many implications, but it was useful to have a formalized structure and presentation to put it all together.
Taking the exam remotely
There is a bit of an issue with the actual examination itself. I was drawn to it because they offer a remote proctoring system, so you can sit the exam from home or work, etc. This is unlike the CIPP exams where you must go into a registered testing center and sit the exam in person. [Sidenote: the CIPP/US exam that I looked at costs more than $600 and doesn’t include any preparation materials. I’ve also seen claims online by both tech people and lawyers saying the CIPP/US in particular is the “hardest test they’ve ever taken.”]
While IT Governance offers the course materials via the web, accessible on any platform, the remote proctoring app only works on Windows. If you’re working for a US tech company (e.g. someone who is going to be heavily impacted by the regulation) it’s very possible you only use Mac, like myself. So this lack of Mac support is a bit insufficient and will limit the exam’s potential clientele, in my opinion. But perhaps it’s not insurmountable either for the determined.
Mac users can set up a Windows Virtual Machine (free)
Virtual machines let you run one computer inside another, or at least one operating system inside another. You get the…fieldguide.gizmodo.com
Link to VirtualBox:
VirtualBox 5.1.22 Oracle VM VirtualBox Extension Pack All supported platforms Support for USB 2.0 and USB 3.0 devices…www.virtualbox.org
You can download free 90-day limited virtual machines from Microsoft:
Download free virtual machines to test Microsoft Edge and IE8 to IE11developer.microsoft.com
Brasil (Português) Česká republika (Čeština) Deutschland (Deutsch) España (Español) France (Français) Indonesia (Bahasa…social.technet.microsoft.com
The rules around taking the test via the remote proctoring system are fairly strict. I won’t paste them in here as I don’t want to agitate the Privacy Gods. Suffice it to say, you must remain in the frame of the camera, show your ID when you begin, must not allow anyone else in the frame, must not use books or take screenshots of the exam, etc.
I scored a 77.5% out of the 40 questions (you’re given 60 minutes), which means I got around 9 questions wrong.
Evidently, they have someone review your video session before the results are finalized, which they say can take up to a week.
Overall, I feel that even though I technically passed (required 65%) the course materials combined with my 50+ hours of independent study should have gotten me a higher score than 77.5%. Given that I paid for the course, the level of preparation offered, in my humble opinion, should be result in higher competency.
As according to the IT Governance website:
“Buyers receive a complimentary e-book copy of EU GDPR & EU-US Privacy Shield — A Pocket Guide when they buy this course, ensuring they have long-term access to essential GDPR reference materials.”
Unfortunately, the electronic versions of this book are DRM protected, so you must use proprietary Adobe Reader app. This is a disappointment to me because I need to be able to consult this book on my Amazon Kindle and this is not supported.
Also, inappropriately listed under “What you will learn” on the site, it says:
“International data transfers, including under the EU-US Privacy Shield.”
This is inaccurate, and I’ve left that feedback for the company. The EU-US (and US-Swiss) Privacy Shield program and its requirements are expressly not covered by this course. If that is an absolute requirement for your learning, you will need to supplement this information elsewhere. I feel that IT Governance should remove or amend these statements from their course description.
Becoming a Data Protection Officer
I’m interested in potentially becoming a Data Protection Officer (DPO) so I plan to continue along with my studies by taking the next level up in this program, the Practitioner course and exam.
Currently, there is no real formal process for how someone becomes a DPO. DPO’s are covered in Article 37 of the GDPR:
The controller and the processor shall designate a data protection officer in any case where: the processing is carried…gdpr-info.eu
1. The controller and the processor shall designate a data protection officer in any case where: […]
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
So this is an interesting opportunity for tech professionals working in or interested in Trust & Safety, Security and Privacy fields to ‘level up’ their knowledge and experience. IT Governance’s course and exam, while imperfect, are still I think a good leg up on the competition and a way for you to prove you’re committed professionally to mastering these emerging topics which will only become more important as the years progress and global Privacy compliance opens internationally-minded companies up to many new risks.
Happy to answer any questions about my experiences studying this so far, though I am far from being an expert on the topic.