20655 - CYBER RISK AND DATA PROTECTION LAW
Course taught in English
Go to class group/s: 25
Lezioni della classe erogate in forma blended (in parte online e in parte in presenza)
The course aims at identifying the main legal issues connected to the risk management that a cyber-company faces in light of the current European regulatory framework. The first part of the course deals with the topic of EU data protection. After describing the GDPR’s main provisions, it addresses the rules governing data processing and, in particular, the duties cast upon controllers and processors. In this context the role and obligations of data protection officers are illustrated. The second part of the course focuses on cybersecurity. After having described the main threats and vulnerabilities of networks, it illustrates the best practices and rules used to tackle them. In particular, it analyses the NIS Directive and the Cybersecurity Act in force into the European Union. It concludes with the discussion of how these rules are tailored within specific industries.
Part I. European Data Protection Law:
- General provisions.
- Principles and rights related to data processing and data subjects.
- Controller and processor.
- Security of personal data.
- Data protection officer.
Part II. Cybersecurity:
- Threats and Vulnerabilities.
- Best Practices and rules.
- The NIS Directive 2016.
- Cybersecurity Act 2017.
- Cybersecurity Governance.
- Industry specific cybersecurity rules.
- Identify the risks linked to the processing of data and the use of networks
- Identify the legal tools that cyber companies need to tackle the risks brought about by the digital environment in order to comply with within the current EU regulation.
- Assess practical situations related to the risks of processing data and the use of technologies
- Apply the legal rules ot practical situations in which cyber companies need to tackle the risks brought about by the digital environment in order to comply with within the current EU regulation.
- Face-to-face lectures
- Guest speaker's talks (in class or in distance)
- Face to face classes are taught by Bocconi faculty members.
- Some classes are covered by specific guest – professionals operating in cyber companies in the capacity of data protection officer and risk manager – to provide a more concrete understanding of the roles and duties that the law require them to perform.
The exam aims at verifying the ability of students in identifying legal issues that can arise in relation to risk management and data processing and applying the legal solutions to them.
- The questions test the students' ability to reason and apply legal provisions to case scenario, which means: unpacking the scenario, identifying the legal challenges, providing - where possible - the solution; if no solution is possible, then laying out the alternatives
- The active class participation in the tutorials tests the students' ability to reason using the knowledge acquired in class
Students can take a partial written exam covering the first part of the course and complete the written exam at the end of the course with the second part. The weight is: 50% for the partial exam and 50% for the end of term exam.
Alternatively, students can take a general written exam covering both parts of the course and accounting for 100% of the final grade (50%+50%, as mentioned above). The detailed structure of the exams will be announced at the beginning of the course.
Active participation in the four tutorials of this course can bring up to 4 additional points towards the final mark of the students (on top of their exam mark).
Students are required to have the slides and read, for each of the topics discussed in class, a scientific paper. All materials are available on the Bboard.