The General Data Protection Regulation (gdpr) is theeu regulation that aims to protect the “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data” and lays down “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.” [5] The regulation has a broad territorial scope and applies to the processing of personal data of people who reside in theeu, regardless of whether the processing of their data takes place in theeu or not. It gives the supervisory authorities discretion to apply administrative fines of up to €20m or\(4\%\) of a company’s total worldwide annual turnover (of its preceding fiscal reporting year, whichever is higher).

Thegdpr was published in April 2016 and came into force on May 25\(^{th}\) 2018. During the two-year transition period between its adoption and enforcement national governments had to transpose thegdpr into laws and organizations had to adapt to the regulation. Thegdpr requires organizations to appoint a data protection officers (dpo) to oversee that the processing of personal data is compliant with the regulation, according to the cases specified underart. 37–39gdpr. Dpos are designated on basis of their professional qualities, including expert knowledge in data protection law and to provide advice and monitor the process of a data protection impact assessments (dpia) required according toart. 35gdpr, an activity that requires legal, technical and organizational expertise. Besides, it will also be expected that adpo can advise organizations in regard to their obligations to implement data protection by design pursuant toart. 25gdpr. As a consequence, thegdpr created a sudden demand for qualified professionals on technical, organizational and legal data protection aspects.

In order to serve this sudden educational demand, we designed a course on thegdpr and Privacy by Design (pbd) principles and legal and technical requirements. We set as objective to educate professionals and full-time undergraduate students using a single course structure. Therefore, we implement the course as a massive open online course (mooc) that supports the individual learning behaviors and needs of an heterogeneous audience.

In this paper we describe how we designed thismooc and present our lessons learned. We explain the overarching course structure and its organization into five modules, introduce the learning outcomes, and discuss the implemented teaching and learning activities.

This paper is organized as follows. Section 2 provides an introduction to thepbd course. Its modules, content and learning outcomes are outlined in Sect. 3. The teaching methods and the characteristics of the produced course content are described in Sect. 4. Section 5 presents the related work. Thepbd course is discussed in Sect. 6 and Sect. 7 concludes the paper.

The course requirements were elicited by a core of data protection specialists from both academia and industry. This group was responsible to outline the learning outcomes of the course, structure it to address the needs of an heterogeneous audience constituted of professionals and undergraduate students, and reach out for a broad diverse and international audience.

Thepbd course structure and its five modules.

Full size image

Concerning theintended audience and outreach, themooc general model offers the desired tools for providing access to the course material to a large (and theoretically unbounded) audience. Amooc also provides flexibility regarding the participants’ individual learning pace, allowing them to decide upon their weekly effort devoted to the course, and adjust their attendance to their ongoing professional and academic commitments. The intended audience is undergraduate students and professionals with basic technical background in information technology (it).

Thecourse content covers topics onpbd, thegdpr and its application. The topics covered were chosen based on the course responsible experts’ considerations about relevant legal, technical and organizational needs of a professional to demonstrate knowledge and competence on tasks assigned to adpo.

Thecourse structure is build on modules. The division into modules has a threefold objective: (a) the course content is divided into specific topics within the scope ofpbd and thegdpr. It allows the course participants to select which modules to attend or to prioritize; (b) the required effort per module is bounded to 40 h. This requirement is key for course participants coming from industry, who can then better plan their work and study schedules, and in some cases claim the effort spent on the module as competence development; and (c) apply specific pedagogical tools and methods that better suits the course content and the learning outcomes defined for each module.

Figure 1 illustrates the five course modules. Participants who are interested in all modules, are recommended a sequential learning path: “1. Introduction to Privacy and thegdpr”, “2. Privacy Enhancing Technologies” (pets), “3. Designing for Privacy”, “4. Privacy Management”, and “5. Privacy Patterns for Software Design”. Modules 1–2 cover the introductory topics (privacy fundamentals,gdpr andpets) that the course is built upon. Modules 3–4 refer topbd and the general knowledge on tools and methods required by thegdpr. Module 5 covers privacy in the context of software design. At the start of modules 3–5, a summary of the first two modules is provided.

The structure of the course into those modules was decided to make the course also attractive to full-time students and to professionals from industry and public sector, who may attend the course part-time and are able to select the modules that augment and complement their expertise. For instance, an experienced software developer would probably benefit most from thepbd course by attending the first three and the fifth modules.

The modules were assigned and developed by subgroups of this article’s authors, which includes academic teachers and data protection specialists having technical, legal, industry and academic backgrounds, some of whom had been following the discussions around thegdpr and its development since the release of its first proposal in 2012. The modules were developed independently, having each a specific set of learning outcomes and delivered using a suitable set of pedagogic and presentation teaching techniques. Nonetheless, the overall course objective and course content was discussed and agreed upon in the team.

Most of the course content isaccessible for those with (somewhat limited) physical or psychological impairment. All videos produced either are provided with scripts or have subtitles (or both). The platform used in the course lacks native text-to-speech capabilities but supports third-party solutions. They were not deployed in the initial deployment of the course.

Thecourse accreditation is provided by the academic authors’ home institution, which provides course examinations and grades in the form of European Credit Transfer and Accumulation (ects) credits for the participants enrolled in the course and on individual modules (1.5ects/module).

Theassessment of the participants is based on individual assignments and a short oral exam. Assignments are uploaded by the participants to the online course platform. Each module has its own assignment, and the expected effort to complete it is approximately eight hours. The oral exam has a twofold objective: assessment and checking for authorship. When uploading their assignments, the participants book their oral exams. Before the oral examination, the reports are checked for plagiarism and corrected. Oral exams are 10-min interviews using an online communication platform with video feedback.

Thepbd course contents were distributed following aCreative Commons Attribution license, which allows all course content to be shared and adapted as long as appropriate credit is given and changes are indicated.

In this section, we describe the course modules, content and learning outcomes.

3.1The Course Modules and Their Content

1. Introduction to Privacy and the GDPR covers the definition, history, and foundations of privacy, highlighting privacy challenges surrounding modern Information and Communication Technology. The primary focus of the module is on the legal European framework on privacy, data protection, and cyber security. It includes agreements for transfer of personal data outside of theeu. Selected European Court of Justice decisions are discussed. The content is divided into the following five areas of knowledge:

1. 1.

   The fundamentals of privacy, including the right to privacy, basic principles, laws and history, and key court decisions.

2. 2.

   Contemporary privacy issues, including mobile computing, smart metering, social networks, big data, and cloud computing.

3. 3.

   Thegdpr, including its background, scope, definitions, basic principles, lawfulness and consent, data subject rights and responsibilities, and rules for data controllers and data processors.

4. 4.

   The ePrivacy draft regulation and its possible implications.

5. 5.

   The mapping fromgdpr legal privacy principles topets.

2. Privacy Enhancing Technologies (pets) introduces security and privacy mechanisms and technologies and details how security and privacy mechanisms can be used to solve practical and theoretical problems, along with discussions of their advantages and disadvantages.

1. 1.

   An introduction topets, computer and network security basics and tools, and terminology for security and privacy.

2. 2.

   Secure communication protocols and architectures, includingpgp,tls, Certificate Authorities (cas), digital certificates and secure messaging.

3. 3.

   Anonymous communication protocols (mainly Mix networks and Tor).

4. 4.

   Databases and privacy, includingk-anonymity and differential privacy.

5. 5.

   Other relevantpets and security technologies, such as blockchains, anonymous credentials, and Transparency Enhancing Technologies (tets).

3. Designing for Privacy introduces the foundations of privacy, data protection, and privacy enhancing technologies, and then focuses on the concepts of privacy by design and privacy impact assessments (pias) by exploring the relevant background, their relationship to the foundation and fundamental human rights, and by introducing relevant methods.

1. 1.

   Fundamental concepts that summarize thegdpr andpets.

2. 2.

   The meaning behind designing for “privacy”. Privacy in relation to data protection,pbd, privacy paradigms, technology in hostile states, privacy protection goals, data protection by design and by default [4].

3. 3.

   Privacy anddpia,pia as a process, frameworks andpia in practice.

4. Privacy Management deals with privacy management as part of an organization’s information security management. It introduces approaches to privacy management, provides insight into a management approach and explains how privacy threats can be anticipated and mitigated.

1. 1.

   Privacy management into the context of data protection, stakeholders,pets, and privacy management approaches, e.g.pdca (Plan–Do–Check–Act).

2. 2.

   The concept of “managed privacy”, including privacy management as a data processing administration task.

3. 3.

   pia and privacy risk analysis as integral part of privacy management, including threats to privacy and sources of risk information.

4. 4.

   The concept of privacy controls and properties, selection and risk mitigation.

5. Privacy Patterns for Software Design deals with privacy aspects during software design. It focuses on architectural tactics and patterns as reusable conceptual solutions to recurring privacy problems. It outlines how are these concepts used in agile development in order to engineer privacy into software.

1. 1.

   An introduction to software architecture and design.

2. 2.

   Privacy design strategies and as quality attribute of software systems.

3. 3.

   Privacy design patterns and applying them in agile development.

4. 4.

   Privacy anti and dark patterns.

3.2The Learning Outcomes

The learning outcomes were specified following the principle of constructive alignment [2] which aims at aligning learning outcomes, learning activities and examination [9]. Thesolo (structure of observed learning outcome) taxonomy [3] was used to express the expectations concerning the participants’ level of understanding after concluding a module. The learning outcomes range from uni-structural to extended abstract level of thesolo taxonomy.

Every module has its own set of learning goals. The first two modules (on fundamentals of privacy, thegdpr, andpets) provide the underlying building blocks for the learning material that follows.

TheIntroduction to Privacy and thegdpr module learning goals are:

• Give an account of basic legal privacy concepts, regulations and principles, and of major court decisions at national and European level.

• Analyze privacy challenges and the risks ofict and applications.

• Map legal privacy principles to technical privacy concepts.

ThePrivacy Enhancing Technologies module learning goals are:

• Give an account of the basic security and privacy enhancing technologies.

• Relate security and privacy goals to mechanisms and technologies.

• Explain when and how to apply different privacy enhancing technologies.

TheDesigning for Privacy module learning goals are:

• Give an account of the concepts of privacy, data protection, privacy enhancing technologies, privacy by design, and privacy impact assessment.

• Relate privacy by design to privacy, data protection, privacy enhancing technologies, and fundamental human rights.

• Explain how privacy by design and privacy impact assessments are used.

The first learning objective of Designing for Privacy (“[g]ive an account of the concepts of privacy...”) refers to the modules 1–2 and content introduced in module 3 (pias). This learning goal is included in the goals of the modules 4–5. At the beginning of modules 4–5 on a summary of the modules 1–3 is provided, and a summary of the modules 1–2 is given at the start of module 3.

ThePrivacy Management module learning goals are:

• Give an account of approaches for managing information privacy.

• Apply methods for managing information privacy.

• Analyze risks to information privacy.

• Compare and select privacy controls and methods.

ThePrivacy Patterns for Software Design module learning goals are:

• List relevant privacy patterns.

• Apply appropriate architectural tactics for privacy and privacy patterns in a given systems context and for a given set of privacy requirements.

• Explain the key principles of architectural tactics for privacy patterns.

• Analyze the usage/occurrence of privacy patterns in a given system context.

The teaching methods are adapted to the course contents and themooc model. The techniques used to deliver the modules are hypertext, digital content and three video production styles: slides with voice-over, talking heads and interviews. The videos’ length is in the range between four and twenty five minutes.

All modules were delivered using video and slides especially designed for thepbd course, with the exception of the “Privacy Management” module. All videos have the option for subtitles (provided by the video hosting platform). All course slides are available in their source file format (ms PowerPoint) and inpdf format under thecc by 4.0 (attribution) license. The amount of minutes of novel audio & video material present in each module is shown in Table 1. The videos length range of the n = 65 produced videos is [1:24, 24:35] minutes, with (avg = 7:40,sd = 4:17) and\({\bar{\mathrm{n}}}\) = 6:30,iqr = 4:09 (q1 = 4:51,q3 = 9:00).

All lectures are complemented with mandatory and optional reading material and self-assessment online quizzes. The optional reading material provides the literature and resources for further self-studies for the course participants that are interested on a given topic. In addition, all lectures from the modules “Introduction to Privacy and thegdpr” and “Privacy Patterns for Software Design” include transcripts. A discussion forum is embedded in themooc platform.

Introduction to Privacy and thegdpr uses two video production styles: alternate talking head and slides with voice-over, and interviews. The module content covers legal and social privacy debates. Alternating a talking head with slides with voice-over video style was deemed an appropriate format to deliver this module’s content because it allows the audience to follow the lecturer’s face and expressions when voicing her viewpoints, which conveys relevant information. Twelve lectures were produced using this video production style.

The video interviews featured legal and technical experts from a German Data Protection Authority,^Footnote1 thedpo from the main authors’ home institution, and a specialist from the industry. The overall topic of the interviews is on challenges and solutions for applying the legal requirements, especially thegdpr, in practice. This module featured six interviews. In addition, this module uses two existing anecdotal videos as support material.

Privacy Enhancing Technologies uses three video production styles: slides with voice-over, alternate talking head and slides with voice-over, and interviews. The module content covers technical aspects. Slides with voice-over offers a fitting alternative for technical subjects as animations help to illustrate how security and privacy protocols, tools and mechanisms work. Seventeen lectures were produced using this video production style.

Alternate talking heads and slides are used in the two videos ontets. Tets is a subject with a strong human-computer interaction aspect connected to its technical aspects. Therefore, we judged that lecturer’s face and expressions may improve the teaching quality for these two videos. This module feature an interview with an specialist in Tor from the University College London and four external videos: three presentations from specialists in selected subjects and one animation on Mix-Nets.

Designing for Privacy uses two video production styles: slides with voice-over and interviews. The module content covers technical aspects. Three interviews were recorded in audio format only. The lectures on Tor andpbd principles were delivered following the flipped classroom paradigm [8], as these topics requires a deeper analysis and criticism than the rest of module’s content. These lectures reflect on the provided reading material and are supported by an external video (of Ann Cavoukian on thepbd principles).

Privacy Management uses a hypertext-based approach with elements of blended learning [7] and follows the flipped classroom paradigm. It discusses, illustrates and reviews the mandatory reading material. This module is supported by three external videos.

Privacy Patterns for Software Design uses three video production styles: slides with voice-over, alternate talking head and slides with voice-over, and interviews. Slides with voice-over were used to cover to main module contents. The other video styles were used as support material for short introductions on thegdpr andpets. The main module contents are delivered following the flipped classroom paradigm.

A summary of the number of videos in each module, sorted according to the production style used, is presented in Table 2.

4.1Course Deployment

Thepbd course is deployed using Canvas, an open-source Learning Management System (lms) andmooc platform. It is locally deployed and managed.^Footnote2 A discussion forum and sharing of hand-in-assignments (the latter only to the “Privacy Management” module) are elements from the platform that are present in the courses. These tools aim at increasing student participation and interaction, and also help to reduce the drop-out rate, as shown by Anderson et al. [1].

The videos are hosted by YouTube (www.youtube.com), but not publicly indexed, i.e., they do not return as result of searches and can only be reached with a specific link to the video. Thepbd course is available athttps://kau.se/cs/pbd.

4.2Enrollment and Participants

The course opened in two stages. In mid-January 2018 it was available for enrolled students and in March 2018 it opened for the general (non-enrolled) public. We initially set a limit for 100 enrolled students/module (to accommodate for the limitations on examining student essays). The exception is “Introduction to Privacy and thegdpr” which was planned to accommodate additional participants. The total number of students enrolled per module shown in Table 3.

4.3Examination

Thepbd course has quizzes for formative self-assessment [10] in all its modules. The quizzes are either multiple choice of true/false statements. As pointed out in Sect. 2, the assessment of the participants is based on individual assignments and a short oral exam. In this section, we discuss the content of the assignments.

InIntroduction to Privacy and thegdpr the assignment is the design of valid consent forms including privacy policy statements. The task is twofold: (i) to evaluate the consent forms used for social login with Facebook according to the legal requirements of thegdpr, taking into consideration the Guidelines of the Art. 29 Data Protection Working Party on Consent.^Footnote3 The goal is to point out the legal requirements of thegdpr, such as for consent (art. 7gdpr) and data protection by default (art. 25gdpr), are not met. And (ii) to discuss how user interfaces could be designed to begdpr compliant. This exercise has a high practical relevance, as most consent forms (as in January 2018) are not yet fullygdpr compliant. This exercise also relates to basic privacy principles (art. 5gdpr) connected to the design of policy and consent forms.

Inpets the assignment evaluates the extended abstract level of understanding of a participant into two out of four selected topics. Additional literature is provided in form of academic papers, online manuals and reports. The assignment was designed in two parts: (i) to discuss the benefits and limitations of apet (Tor or Let’s Encrypt) and (ii) to analyze the properties and privacy guarantees offered when aiming for anonymizing the contents of database or to analyze and assess the privacy properties of a crypto currency (bitcoin).

InDesigning for Privacy the assignment focus on the deeper learning objectives of the module, namely having to analyze or evaluate one out of five selected topics discussed in the module, such as comparing and motivating preferences for onepia framework over another, or arguing for why a particular type of security technology in a setting is a reasonable measure that should be taken for the data protection by design requirement in thegdpr being fulfilled.

ThePrivacy Management assignment is twofold: (i) a written essay on the handling of legacy data under the light of thegdpr and report on data protection and user consent aspects, and (ii) using a mobile dating application as a case study, and perform a partial privacy risk assessment.

InPrivacy Patterns for Software Design the assignment covers applying privacy design strategies and privacy patterns. The course participants are asked to describe a system and the personal data processed in it. They are asked to elaborate on several privacy design strategies that could be applied in this context and explain potentially applicable patterns implementing them.

The first round of examinations for the enrolled students ended in June 2018. The total number that completed the course modules is shown in Table 3. Three participants completed all five modules and four only one module.

To the best of our knowledge, one of the first academic courses for data protection professionals that implemented an interdisciplinary perspective was introduced at the Hochschule Ulm in 1988. The program evolved into a certification course program for professionals in data protection [6]. Its curriculum has three parts: legal, information security and privacy management. It is a three weeks full-time regular course. The technical aspects of this course, however, do not includepets (only generalit security).

There are private offerings forgdpr courses.^Footnote4\(^{,}\)^Footnote5\(^{,}\)^Footnote6 They are shorter than ourpbd andgdpr course and/or focus only on thegdpr principles and core obligations ofdpos (such as privacy management), while not sufficiently addressing technical aspects that are important for thepbd process, such aspets.

The International Association of Privacy Professionals (iapp) lists institutes that offer privacy-related courses.^Footnote7 In its list, the majority are offered by law schools. To the best of our knowledge, there is no othermooc onpbd and thegdpr targeting both undergraduate students and professionals.

The course was released in January 2018 to participants enrolled to it through the official channels and opened to the general public in March 2018. The difference between the two groups is that the enrolled students have their written assignments graded and receiveects credits upon the successful completion of the course. At the time of writing, not enough student feedback is available for meaningful quantitative conclusions to be reached. Nonetheless, in this section we discuss some insights from the feedback obtained so far and from the background of the students enrolled in thepbd course.

Target group: an objective of the course is to teach skills that are needed bydpos to undergraduate students and professionals, including those with major legal background andit professionals who aim forgdpr compliance. Thepbd course curriculum blends the legal, technical and managerial skills. It was designed for an audience with basicit knowledge, with an equivalent of a semester of upper education studies in computer science or other technical subjects related toit, or equivalent work experience. The first cohort of enrolled students is mainly composed ofit professionals,dpos, and undergraduates.

On-line teaching styles: the modularized structure of the course allowed for experimentation with multiple presentation styles within the course, as seen in Sect. 4. The content of the modules is delivered using various audio&video styles, and even a hypertext only module. The flipped classroom paradigm is present in three out of five modules. In our course evaluation, we plan to assess the impact of our pedagogic choices using the students’ feedback as input data.

The interaction with students was, so far, low compared to teaching in classroom. This was expected in a self-paced, with student interaction happening only via the platform’s forum or by email, which is the general case formoocs.

Limited student feedback was obtained from: (a) online feedback forms distributed by the university and (b) informally after examination and grading. All feedback was provided voluntarily. So far, it is positive, with participants pointing out their personal and professional needs for such course. All but one course participants favor video lectures over text only material, and short videos (up to 10 min) were preferred rather than to long videos. The results from the online feedback forms are available at:https://www3.kau.se/kurstorget/. Feedback is nonetheless limited, with a small subset of participants completing the (anonymous) feedback forms. Praise on the course material was received from the industry, public sector agencies, and colleagues from universities in Sweden, Germany, Italy and Switzerland.

With thepbd course, we produced and deployed the first open, free, online course on interdisciplinary aspects of privacy,pbd and thegdpr. The course includes legal, technological andit management perspectives. It is designed to capacitateit professionals and undergraduateit students with knowledge required bydpos. It enables self-paced studies both in and out an academic program.

By opening the course to the general public we not only reach a much broader audience but also opened another channel to collect feedback to our teaching material and methods. By providing thepbd course in thegdpr transition year, we expect to provide an invaluable support not only to all course participants but to the whole society.