Two data protection officers delivered guest talks on data protection impact assessment to our students

On Tuesday 21 March 2023, two data protection officers (DPOs), Laura Pullin from the University of Kent and Adrian Leung from Equifax UK, delivered guest talks on data protection impact assessment (DPIA) for students of the module COMP8340/6660 “Information Security Management”. This module is designed for a wide range of students to gain knowledge about how real-world information security systems and processes can be managed, particularly for students studying the three cyber security degree courses of the School of Computing, University of Kent: MSc Cyber Security and MSc Computer Science (Cyber Security) and BSc Computer Science (Cyber Security). 

Professor Shujun Li, the module convenor, said: ‘I was very glad to see two DPOs coming to share their rich experience on DPIA and legal compliance matters about data protection with our students. The fact that they come from two very different sectors also allowed our students to see how different sectors and organisations could manage data protection matters and DPIA very differently. 

Laura Pullin, DPO of the University of Kent, said: ‘I was delighted to have been asked by Professor Li to contribute to this module and to see how engaged the students were. Data protection impact assessments (DPIAs) are a fundamental part of identifying the risks associated with data processing, and the technical and organisational controls required to mitigate and manage these risks. With so much personal data being processed electronically nowadays, it is inevitable that students on these degree courses will be required to contribute to DPIAs when they join the workforce and their interest and enthusiasm will no doubt be of great support to the Data Protection Officers that they work with!

Students at a Computing class

Adrian Leung, DPO of Equifax UK, said: ‘It was a great pleasure to deliver a guest lecture to a group of very engaging MSc students on a very pertinent Data Protection topic about Data Protection Impact Assessments (DPIAs). DPIAs should be a precursor to any business initiative that an organisation undertakes to help the early identification of privacy related risks and to then support the incorporation of any risk reduction mechanisms into projects from the outset. Students also had the opportunity to get their “hands dirty” and work on example DPIAs which led to some thought provoking discussions. It is extremely encouraging to see a curriculum that promotes and embeds the concept of responsible data use. 

Students at a Computing class

Many of our students enjoyed the guest talks of both DPOs, and below are two quotations from them. 

  • Cristina said, ‘Meeting both Data Protection Officers Adrian Leung and Laura Pullin during our 3rd class for Information Security Management was a pleasure. Having both of them share their extensive experience in Data Protection Laws with all of us as well as their personal experience in the field has helped me personally understand better how important Data Protection is and how Data Protection works from a professional perspective. During this class, we practised dummy DPIAs in groups with other students whilst having the support of Adrian and Laura, both helping us and giving us tips on how to fill in the ICO template to later share with the rest of the class. Overall, this session has helped me understand from a cyber security perspective just how important DPIAs are to identify and mitigate against any data protection related risks that businesses may have, and just how important it is to keep data as secure as possible following guidelines and laws to mitigate as much as possible any risk of a data leak. 
  • Frank said, ‘The DPOs help to give ideas on how businesses handle the data transfer needs between EU and US. European Court of Justice [ECJ] ruled down two data transfer agreements between EU and US. ECJ invalidated Safe Harbour agreement in 2015 and Privacy Shield agreement in 2020 with the same reason. It is hard to understand how businesses operate, and the DPOs helped to give rough ideas in how business contracts are structured to cover such data transfer needs.