Data Privacy: GDPR & HIPAA Online Certificate
Boston College Continuing Education, in collaboration with Kevin Powers, Director of the M.S. in Cybersecurity Policy and Governance Program at Boston College, is launching a new, online, non-credit certificate program.
The Data Privacy: GDPR & HIPAA Certificate provides you with advanced knowledge in the major privacy and data protection laws and regulations in the U.S. and globally, including health care privacy and security laws (i.e., HIPAA / HITECH) and the European Union’s General Data Protection Regulation (GDPR) (e.g., policy and applicability, fundamental rights of data subjects, corporate requirements and obligations, breach notification rules, and fines and penalties).
The certificate consists of five online courses (approximately 90 minutes each in length). You may complete the courses in any order you choose and at your own pace. There is no obligation to complete the certificate; you may take any course(s) without committing to completing the certificate.
Some courses are approved for CLE credit in CA, CT, FL, NJ, and NY. Reporting requirements vary by state and we recommend that you check with your state's bar association for their guidelines on reporting requirements.
Target Audience: Attorneys, paralegals, accountants, business and government executives, managers and employees, human resources professionals, compliance and privacy officers, IT and project managers, health care professionals, and individuals seeking knowledge of U.S., EU, and health care privacy and data protection laws.
To maximize learning and build on information in previous courses, courses should ideally be taken in the order they are listed below.
Courses
Course Details
Privacy Law and Data Protection
Course Fee: $300
Course Description:
This course broadly examines the principles that underlie the laws and regulations pertaining to the protection of personal information. After discussing these common principles, the course provides an overview of some of the current laws protecting personal data in the United States and around the world, focusing on major Federal and State civil laws and regulations, as well as significant existing and proposed regulations that exist internationally. The course ends by discussing some of the practical considerations associated with operationalizing these requirements within an organization.
Learning Objectives:
- You will understand the principles that underlie various laws and regulations pertaining to personal data, both in the United States and abroad, and how they relate to cybersecurity.
- You will understand some of the major personal data protection laws and regulations that exist around the world.
- You will understand some of the practical considerations relevant to protecting personal data within an organization.

Katherine Fick, Esq., in her role as Senior Counsel at IBM, provides legal advice to the IBM Security business unit as it makes cybersecurity services and offerings available to external clients. She counsels IBM on legal issues associated with its own cybersecurity posture, and has served in IBM’s Privacy Office. She is an Adjunct Professor at the Woods College of Advancing Studies at Boston College, where she co-teaches a course on cybersecurity law and policy. Katherine also volunteers as a Response Team Member with ShelterBox, an international disaster relief organization that provides short-term shelter and recovery supplies to families rebuilding after natural and political disasters.

Sayoko Blodgett-Ford is a member of GTC Law Group PC & Affiliates. Her practice focuses on data privacy and security and intellectual property in mergers and acquisitions. She has extensive expertise in connection with technology M&A transactions. Sayoko is an Adjunct Professor at Boston College Law School, where she teaches a new Mobile App Development & Big Data class in the Spring and Privacy Law in the Fall. She is also a Lecturer in Law at the University of Hawai’i law school, where she has taught Internet Law & Policy, Intellectual Property, Contracts Drafting, High-Growth Entrepreneurship, and Administrative Law, among other subjects. She is rated AV Preeminent by Martindale-Hubbell. She serves as a Court Appointed Arbitrator for the Hawai’i State District Court – First Circuit.
Sayoko previously served as general counsel of Tetris Online, Inc. and as Senior Manager of the Intellectual Property Group at Nintendo of America Inc. in Redmond, Washington. At Nintendo, Sayoko was responsible for domestic and international intellectual property clearance, defense, registration, and enforcement. Her particular areas of focus included patent, trademark, copyright, trade secret, and advertising, as well as privacy law compliance and video game ratings compliance. Sayoko has also taught advertising law in the University of Washington IP LLM program. Prior to Nintendo, Sayoko practiced at Foley Hoag LLP and was a law clerk for Judge Douglas P. Woodlock, U.S. District Court for the District of Massachusetts. Sayoko holds a B.S. in Physics from the College of William and Mary, an M.S. in Physics from the University of Maryland, and a J.D. from Yale Law School.

Chris Poulin has almost 35 years of experience in digital and physical security, spanning diverse roles from the deeply technical to executive management. He started his journey in the U.S. Air Force as a software developer for the DoD intelligence community and built his own boutique consultancy after separating from the military. Chris sold FireTower after ten years of growth and joined Q1 Labs as the Chief Security Officer, which was acquired by IBM in 2012. During his five years at Big Blue, Chris led threat research activities for the X-Force and built a prototype of Cyber Watson. He took an interest in the IoT and was instrumental in founding IBM’s IoT security practice, including authoring their points of view on connected car security. As a result, he was recruited into Booz Allen Hamilton as a Principal/Director leading the Dark Labs embedded systems vulnerability analysis practice. Chris returned to the startup community and is currently at BitSight Technologies, empowering enterprises to manage third- and first-party risk. He can be found speaking on a variety of infosec topics at conferences and private events when he’s not making or breaking new technology as a hobby, hiking, rock climbing, or appreciating fine wine and craft brews.

Caleb Barlow is the Vice President of Threat Intelligence at IBM Security. He is a globally recognized security professional and leads IBM’s X-Force Threat Intelligence Organization. In 2016, he built X-Force Command as part of a $200M investment in a global incident response service; it is the industry’s first immersive cyber range and incident command system for responding to major cyber incidents. Last year, Caleb invented the Cyber Tactical Operations Center, a first-of-its-kind training, simulation, and security operations center on wheels.
Caleb has a broad background of leading technical teams in product development, product management, strategy, marketing, and cloud service delivery. Caleb has appeared on the TED stage, the Today Show, and regularly appears on national news broadcasts. He has testified to the U.S. Congress and was invited by the president of the UN General Assembly to discuss his views at the United Nations.
GDPR Compliance: Scope, Concepts, and Applicability
Course Fee: $300
Course Description:
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. The GDPR is, arguably, the most significant legislation pertaining to the protection of personal data and, with its reach outside of the EU, impacts business entities on a global scale. This course examines the core concepts of the GDPR as set forth in the first 50 Articles. We will explore when and how the GDPR applies, key definitions and terms, the foundational principles, legal bases of processing, and special protections for sensitive information. We will cover how to build a privacy notice, what the data subject rights are, and concepts such as data protection by design and default. This course will touch briefly on the role of controllers versus processors, but we will cover issues such as the role of the data protection officer, how to conduct a privacy impact assessment, what the minimum security requirements are, and obligations for breach notification. Finally, the course will cover certain business concepts, including data mapping and how to make risk-based determinations to help avoid boiling the ocean for compliance. By the end of this course, you will have a good overview of what it means to be “GDPR compliant” and an excellent foundation from which to build a GDPR compliance program.
Learning Objectives:
- You will understand when and to what extent the GDPR may apply to businesses and business functions around the world.
- You will understand the foundational principles and the key terms, roles, and responsibilities associated with the GDPR and the fundamental rights of data subjects.
- You will understand how the GDPR affects the business concerns (i.e., data management, processing, and protection) of entities within the EU and globally.

Heather Egan Sussman is Global Co-chair of Orrick’s Cyber, Privacy & Data Innovation practice, and the leader of Orrick’s Boston Office. Her practice focuses on privacy, cybersecurity and information management, and she is ranked by Chambers USA and The Legal 500 United States as a leader in her field.
Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. In the U.S. this includes advising on federal and state laws as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.
Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets, including MSNBC.com, ABCNews.com, The New York Times, The Los Angeles Times, Bloomberg BusinessWeek, The San Francisco Chronicle, the Washington Times, and the Houston Chronicle.

Alexis Goltra is Vice President, Legal & Global Data Protection Officer at Oracle. Alexis manages Oracle’s global privacy program, which includes advising all lines of business and internal organizations (including Cloud Services, Global Security, Information Technology, Marketing, Development, and HR) on the application of global data protection laws to Oracle’s services and operations. Alexis is also responsible for maintaining global privacy and security policies, coordinating security incident and regulatory inquiry responses, performing privacy by design system and product reviews, creating contract templates with required global data protection terms, and negotiating privacy and security terms to be included in customer and vendor contracts. Before joining Oracle in 2001, Alexis was an associate at Palmer & Dodge LLP in Boston. Alexis is a graduate of Harvard College, the University of Virginia School of Law, and Cambridge University.

Peter Lefkowitz is Chief Privacy and Digital Risk Officer at Citrix Systems. Peter oversees legal and regulatory risk associated with data, products, and systems, as well as public policy engagement on digital issues. Prior to joining Citrix, Peter served as Chief Privacy Officer at Oracle and General Electric. He is a member of the Boston Bar Association Council and was 2018 Chairman of the Board of the International Association of Privacy Professionals. Peter attended Yale College and Harvard Law School.

Sara Cooper Berkson is Chief Privacy Officer and Global Data Protection Officer at Vertex Pharmaceuticals Incorporated, a leading biotechnology company focused on creating new possibilities in medicine to cure diseases and improve people’s lives. In this role, she leads the company’s privacy program, advising the company on privacy issues around the globe. Sara has practiced in the privacy space since the advent of HIPAA in 2003, focusing on the implications of various international, federal, and state privacy laws on the health care and life sciences industries. She has spent time both in private practice and in-house in the biotech industry, advising clients on a myriad of regulatory issues, including privacy, human subjects research, and general pharmaceutical compliance. Sara spent several years in the healthcare group at Ropes & Gray, LLP, before moving on to Genzyme Corporation, where she worked on privacy related issues in the context of the company’s genetic laboratory, rare disease registries, and clinical trials. Immediately prior to joining Vertex, Sara helped lead the life sciences group at the Boston office of Verrill Dana LLP. Sara received her J.D. from Yale Law School and clerked for the Honorable Lewis A. Kaplan in the Southern District of New York.
GDPR: Requirements for Data Controllers and Data Processors
Course Fee: $300
Course Description:
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) went into effect. The GDPR is, arguably, the most significant legislation pertaining to the protection of privacy and personal information and, with its reach outside of the EU, will impact business entities on a global scale. This course examines the role and responsibilities of business entities subject to the GDPR (i.e., data controllers and data processors). The course addresses and expands upon key GDPR requirements for data controllers and data processors, including the relationship between data controllers, processors, and supervisory authorities, appointment of a data protection officer, privacy by design, data protection impact assessment, data protection and storage, data transfers, and lawful processing of data.
Learning Objectives:
- You will understand the major roles and obligations for business entities covered by the GDPR (i.e., data controllers and data processors).
- You will understand the relationship between data controllers and data processors, including the differences between the two, their interactions with each other, and respective relationships to supervisory authorities.
- You will understand the role of the data protection officer and the key GDPR requirements facing data controllers and data processors (e.g., lawful processing of data, privacy by design, data protection impact statement, data protection and storage).

Kevin Powers is the founding Director for the M.S. in Cybersecurity Program at Boston College, and an Assistant Professor of the Practice at Boston College Law School and in Boston College’s Carroll School of Management’s Business Law and Society Department. With a combined 20 years of law enforcement, military, national security, business, higher education, and teaching experience, he has worked as an analyst and an attorney for the U.S. Department of Justice, U.S. Navy, U.S. Department of Defense, law firms in Boston and Washington, D.C., and as the General Counsel for an international software company based in Seattle, Washington. Along with his teaching at Boston College, Kevin is a Research Affiliate at the MIT Sloan School of Management and he has taught courses at the U.S. Naval Justice School and the U.S. Naval Academy, where he was also the Deputy General Counsel to the Superintendent. From 2016-2017, he was the Panel Lead for the Collegiate Working Group for the U.S. Department of Homeland Security's National Initiative for Cybersecurity Education (NICE). Kevin also serves as a Board Member for the Boston College Law School Business Advisory Council, a regional bank, and an international software company. Kevin regularly provides expert commentary regarding cybersecurity and national security issues for varying local, national, and international media outlets.

Susan L. Foster, Ph.D. is a commercial lawyer with extensive experience advising clients regarding EU privacy regulations as well as life sciences and technology transactions. Sue is based in the U.K., and her work is frequently international in nature. Sue is qualified in England and Wales and California, as well as being a Certified Information Privacy Professional/Europe. Start-ups to global companies seek her counsel on European data protection matters. For her life sciences clients, she has advised extensively on the application of the GDPR to informed consents for clinical studies and international data transfers, as well as structuring GDPR compliance programs.

Katherine Fick, Esq., in her role as Senior Counsel at IBM, provides legal advice to the IBM Security business unit as it makes cybersecurity services and offerings available to external clients. She counsels IBM on legal issues associated with its own cybersecurity posture, and has served in IBM’s Privacy Office. She is an Adjunct Professor at the Woods College of Advancing Studies at Boston College, where she co-teaches a course on cybersecurity law and policy. Katherine also volunteers as a Response Team Member with ShelterBox, an international disaster relief organization that provides short-term shelter and recovery supplies to families rebuilding after natural and political disasters.
GDPR: Breach Notification and Penalties
Course Fee: $300
Course Description:
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) went into effect. The GDPR is, arguably, the most significant legislation pertaining to the protection of privacy and personal information and, with its reach outside of the EU, will impact business entities on a global scale. This course focuses on the GDPR's breach notification requirements for data controllers and data processors, including reporting and record-keeping requirements. This course also examines the decision-making process (i.e., the role of, and interactions with, supervisory authorities) and the types of fines and penalties for non-compliance with the GDPR.
Learning Objectives:
- You will understand the breach notification requirements for both data controllers and data processors.
- You will understand the role of the supervisory authority in the breach notification process and the requirements for data controllers and data processors in dealing with same.
- You will understand the types of fines and penalties for non-compliance with the GDPR and know the factors considered by the supervisory authority in determining the appropriate punishment, if any, under the GDPR.

Dr. Undine von Diemar, LL.M. (Michigan) leads Jones Day's European Privacy & Cybersecurity Practice. Her practice focuses on data protection matters, including international data transfers, incident response, internal investigations, and global compliance projects. Undine regularly advises on data protection legal issues in M&A transactions and represents clients in proceedings before data protection authorities and courts. Undine has strong IT sector specific expertise, including negotiating high-profile technology transactions related to cloud computing, big data, artificial intelligence, and supercomputer technologies. She is also an experienced privacy advisor in the life sciences sector. Undine is an Acritas "Star Lawyer" (2019), highly recommended by Chambers as a leading data protection specialist (Chambers Europe/Data Protection/Band 2) and selected by Legal 500 as one of nine leading names for data protection in Germany, noting that clients praise her as an "invaluable expert in data protection matters on national and global level" with "first-class work results".

Dr. Jörg Hladjk leads Jones Day’s Cybersecurity, Privacy & Data Protection Practice in Brussels. He advises multinational clients across all industries, with a focus on automotive, IT, energy, and life sciences. His work covers all areas of EU data protection, including GDPR and ePrivacy compliance programs, and he has successfully represented clients before data protection authorities. Jörg has specific expertise on EU Cybersecurity and critical infrastructure matters. He chairs the advisory board of the industry association Trust in Digital Life and is co-chair of the IAPP Publications Advisory Board. Jörg has authored more than 40 legal articles and is a co-author of the book Ehmann/Selmayr, GDPR, 1st/2nd edition, 2017/2018. His practice is recommended in Tier 1 in The Legal 500 EMEA for EU Regulatory: Privacy and data protection (2016-2018) and he is recognized by The International Who’s Who of Data Privacy & Protection Lawyers (2019) and Information Technology Lawyers (2013-2018).

Dorit Buschmann is a Computer Scientist (B.Sc.) and Germanist (M.A.) with several years of professional experience both in adult education and in the development of medical devices. She is a computer scientist at the Bavarian Data Protection Authority for the Private Sector (BayLDA) in the department for Cyber Security and Privacy Engineering. Her main areas of expertise include IT forensics and cyber security. She gives regular presentations on the interaction between cyber security and data protection.

Alexander Filip is a lawyer and Head of the Department for, among others, International Data Transfers at the Bavarian Data Protection Authority. He has been a long-term representative for the German Länder Data Protection Authorities in the Article 29 Working Party’s and European Data Protection Board’s working groups dedicated to International Data Transfers. Among other responsibilities, he is in charge at his authority of applications for approval of Binding Corporate Rules (BCR) for data transfers to third countries and has worked on a large number of BCR applications. Alexander is an author of many articles and publications on data protection and, in particular, international data transfers, e.g., for one of the major German legal commentaries on the EU General Data Protection Regulation (Beck’scher Onlinekommentar zum Datenschutzrecht). He is a regular lecturer for courses and workshops dedicated to the education and training of data protection officers and privacy experts.

Ultan O'Carroll is the Assistant Commissioner for Technology at the Data Protection Commission (DPC) in Ireland. He works in a supervisory and awareness role in relation to technology usage with entities based in Ireland undertaking cross-border processing operations and also supports a variety of enforcement activities of the office. Ultan also represents the DPC at the European Data Protection Board, attending and contributing to Technology Subgroup meetings and events. Ultan worked in private industry in the U.K. and Ireland prior to joining the Commissioner's office.
Health Care: Privacy and Security Law
Course Fee: $300
Course Description:
This course provides an overview of the major health care privacy and security laws in the U.S., focusing on the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and their state counterparts. The course examines: HIPAA/HITECH policy and applicability; types of health care information; individual rights; compliance and data breach notification requirements; appropriate administrative, physical, and technical safeguards; and penalties for violations.
Learning Objectives:
- You will understand the key aspects of the major health care privacy and security laws in the U.S., including HIPAA/HITECH, and will be able to identify the entities and information to which HIPAA/HITECH applies.
- You will understand the compliance obligations pertaining to protected health information (PHI) and the requirements of, and differences between, the HIPAA Privacy and Security Rules.
- You will understand the breach notification requirements under HIPAA/HITECH and the penalties for violations of such notification requirements.

Dianne J. Bourque, Esq., is a Partner at Mintz, where she advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, as well as patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA- and OHRP-regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process.
She also counsels health care clients and other business entities on a broad range of privacy and data security issues, including the HIPAA Privacy Rule and Security Standards, requirements under HITECH and the HIPAA Omnibus Rule, 42 CFR Part 2, and state-imposed medical privacy laws.
Dianne regularly assists clients with data breach response and mitigation, the implementation of HIPAA-mandated policies and procedures, privacy audits, third-party requests for information, and review of HIPAA-related contracts and forms. She has successfully defended clients in both civil and criminal HIPAA enforcement actions and regularly assists clients with the management of data breaches and other losses of protected health information.
Dianne has a B.A. degree from Boston College and a J.D. from Suffolk University Law School.

Amanda Blackmer serves as Corporate Counsel for Boston Health Economics (BHE), a health analytics research firm that has been providing outcomes research, epidemiology, and informatics services for over 20 years. BHE also enables life sciences companies to perform rapid analysis across disparate data sets through the use of their flagship analytics platform, Instant Health Data. Prior to BHE, Amanda was Associate General Counsel for Life Image, the world’s largest medical evidence network, which provides access to points of care and curated clinical and imaging data worldwide. She received her Bachelor’s degree in Business Management from Babson College and her Juris Doctor from Suffolk University Law School. Amanda has been admitted to the bar in Illinois, New York, and Massachusetts, actively continuing to practice in the latter two.

Dr. Huy Nguyen began his work at DotHouse Health as a pediatrician in 2003, leading efforts to promote early childhood literacy, evidence-based care for adolescents, and culturally sensitive care. In 2017, he became Chief Medical Officer. In this role he oversees patient care, population health initiatives, clinician recruitment and retention, and strategic planning and implementation. He continues to care for children and adolescents.
Previously, he served as Medical Director and Interim Executive Director at the Boston Public Health Commission. There, he led new multi-sector collaborations to strengthen community-clinical linkages, led Boston’s public health response to Ebola, and developed new policies to prevent teen tobacco initiation.
Dr. Nguyen studied Biology at Harvard College, received his medical degree from Harvard Medical School, and completed his pediatric residency training at the University of Washington in Seattle.
Certificate Pricing
General Admission
General Admission for each online course is $300.
Active duty military, veterans, and law enforcement government agencies may contact continuinged@bc.edu for discounted pricing.
Organizations that plan to have 10+ employees complete the certificate program may contact continuinged@bc.edu for discounted pricing.
General Information:
You must be 18 years old to participate in the Data Privacy: GDPR & HIPAA courses. All sales are final; we are not able to offer refunds. Registrations may not be transferred to another person or to another course, workshop, or program.
Online registration is required to participate in a course. Tuition for each certificate course is $300 to be paid by debit or credit card. Registrations will be processed upon receipt of payment. Payment is due in full in order to enroll.
These five courses are approved for continuing legal education (CLE) credit in CA, CT, FL, NJ, and NY. See specific details on CLE credits in the description for each course. Reporting requirements vary by state and we recommend that you check with your state's bar association for their guidelines on reporting requirements.