Tag: Moodle (page 1 of 2)

Weeknote 06/2020

This week, I’ve been based at home, settling into my new rhythm of working for Moodle on Mondays, Tuesdays, and Fridays, and We Are Open co-op on Wednesdays and Thursdays. I have to say, I like it.


When I tell people that I’m part of a co-op, people are often interested in what I can only refer to as power dynamics. How do decisions get made? Who’s in charge? How do you allocate work?

I can certainly answer those questions, but it’s the difference between explaining, for example, the act of swimming verbally, and getting into the water and doing it yourself. Like goldfish, we forget the ‘water’ we already swim in is one that takes for granted coercive power relationships. Instead, with the co-op, as members we rotate roles and discourage permission-seeking.

This week, we realised that, given the amount of potential work coming in, we really needed a project management solution. In an organisation with coercive power dynamics, this would be decided by fiat, or by the ‘management team’.

In our co-op, we instead took a different approach. Some members of We Are Open are available to work almost full-time. Some, like me, are available a couple of days per week. Others, right now, have very little availability.

So we allowed those who would be using the project management solution the most, and who were most interested, to do the research, and then suggest an option.

Project management tool comparison spreadsheet
Project management tool comparison spreadsheet

This doesn’t have to be complicated, nor does it have to be based entirely on functional requirements. In the end, Gráinne Hamilton and I spent some time, both synchronously and asynchronously, with a few solutions.

What I found particularly interesting was that Gráinne and I had quite different requirements and assumptions going into this, but managed to find something that satisfied the collective needs of the co-op. (Note that the requirements down the left-hand side of the spreadsheet came from our meet-up in London the week before last.)

Once we’d chosen a solution to put forward, we shared our spreadsheet (which also included some comments you can’t see in the screenshot) and put it to a vote in Slack. The options were ‘Yes’, ‘No’, and ‘Need more info’. Every member voted in favour of our proposed solution, which in this case happened to be Monday.com.


When describing this kind of approach, people tend to call it ‘democratic’ and, to some degree, it is. But that’s just part of it. The main piece of the puzzle for me is ensuring alignment, which you get through healthy power dynamics.

11 Steps Towards Healthy Power Dynamics at Work (Richard D. Bartlett)
11 Steps Towards Healthy Power Dynamics at Work (Richard D. Bartlett)

This is the kind of approach that you can use in any organisation. You don’t have to be yogurt-knitting vegans to get started with it.

For example, as Product Manager for MoodleNet, I meet 1:1 with every member of the team once per month. While I may not use the language in the above diagram, during these meetings what I have in mind during these meetings, as well as the weekly team meetings, is to increase reduce the ‘power-over’ that is implicit within hierarchies while increasing ‘power from within’.

Because of the intersecting injustices of modern societies, the degree of encouragement you receive when you’re growing up will vary greatly depending on many factors like your personality, gender, physical traits, and cultural background. If you want everyone in your org to have full access to their power-from-within, you need to account for these differences.

Richard D. Bartlett

What I’ve found in my career to date is that, no matter how they act in other situations, in 1:1 meetings, people are looking for reassurance and encouragement. The hard part is doing that without reinforcing a coercive power dynamic.


So this week was full of meetings, but thankfully not the boring type, but the kind that are focused on actions and outcomes. For example, in addition to meeting 1:1 with several of the MoodleNet team, I met with:

  • Sander Bangma who leads the Moodle LMS team about integration between our two products. We used a document we’d already been working on to make decisions about scope.
  • Martin Dougiamas, Moodle’s Founder and CEO, about MoodleNet resourcing and budgets. I then met with Mayel de Borniol to finalise a spreadsheet for the budget committee.
  • A potential client which I’ll not name right now. We keep these initial meetings to 30 minutes, investigate requirements, and then, if invited to, send a proposal.
  • Adam Procter who is a friend and generous supporter of Thought Shrapnel. He was looking for some advice about productivity and workload.
  • My therapist for my last CBT session for three months. I’m starting a period of consolidation after a marked improvement in my outlook on life over the past six sessions.
  • Olivier Wittorski and Emilio Lozano about gathering requirements for ways in which Moodle Workplace and MoodleNet could work together. This led to a document and a slidedeck with initial ideas and mock-ups.

As I discussed with Emilio, who became a father recently, when you have kids, your time becomes a lot more precious. This is doubly so when you split your time between two organisations. There’s less slack time, which is a good thing as it means you’re laser-focused on what needs to be done, and intolerant of distraction.


Next week, I’ll again be working from home all week. I’ve got some exciting co-op work to begin, as well as new functionality and features in MoodleNet to oversee. It’s the week before half-term, when I’ll probably be taking some time off to spend with the family.

As I’ve said in previous weeknotes, we’re getting our house ready to potentially sell, so I’ll be continuing to paint, and sand, and scrub, and buy random pieces of IKEA furniture…


Image cropped from photo by Cameron Venti on Unsplash

Rebalancing my focus for 2020

TL;DR: I’m cutting down my Moodle days to allocate more time to We Are Open Co-op. I’ll still be leading the MoodleNet project.


In May 2016 I helped set up a co-operative with friends and former Mozilla colleagues called We Are Open Co-op. Since that time, we’ve done some inspiring work with fantastic clients, learned a lot about the co-operative economy, and worked in solidarity with similar organisations.

Since January 2018, and particularly during the last six months, I had taken a bit of a back seat in the co-op, focusing on my work at Moodle. However, the time has come for me to refocus my efforts to help continue building an organisation that I not only co-own but see as part of my life’s work.

It’s been an amazing journey over the last couple of years to take MoodleNet from an idea to reality. We did so with a small, part-time team who have gone above and beyond to achieve the vision of a federated, resource-centric social network for educators.

The future is bright for MoodleNet and I’ll be continuing in my role as Product Manager, ensuring the project has the necessary team and budget to make the required impact. I think it’s going to make a huge difference in the lives of hundreds of thousands of educators.

I’m sure it’s not necessary to note, but shall do anyway, that this decision was purely mine and not forced on me by anyone at Moodle. Over time, I’ve come to realise that my interests and talents are in the area of early-stage innovation.

So, from January 2020, I’ll be cutting back to three days for Moodle, meaning I’ve got more headspace for consultancy work. I’m excited to broaden my horizons again, getting involved in some of the really interesting projects that my co-op colleagues have picked up during the last few months, and working with new clients!

If you have any questions, I’m happy to answer them below. And if you’d like to work with the co-op, you might want to email: doug@nullweareopen.coop

Weeknote 38/2019

This week I’ve been:

  • Striking as part of the Global Climate Strike. We took the kids out of school and through to Newcastle-upon-Tyne to give them their first sense of activism. We made signs and everything. Awesomely, Moodle employees were encouraged to join in the strikes.
  • Writing an updated version of the eulogy I’m going to give at the memorial for Dai Barnes next weekend. It can never capture all of his different facets, but I hope it gives people there some insight into them.
  • Attending a FabRiders Network-Centric Resources online session, which made great use of Zoom’s breakout rooms feature.
  • Continuing leading the work around MoodleNet. Mayel, our technical architect, is on parental leave, but Ivan (designer and front-end developer) is back, and we’re in pretty good shape at the moment. I’ve been talking with Moodle Partners about further development of the Moodle LMS plugin that our team prototyped.
  • Writing my usual Thought Shrapnel posts: All is petty, inconstant, and perishable, and Saturday strikings. I also wrote a rare post on on my Ambiguiti.es blog.

Next week is my last at home before a fair bit of travel between now and the end of November. Some of that is for a Mountain Leader course I’m going on (three weekends in different parts of the country), some for work, and some for what I’d loosely call ‘professional development’ (MozFest!)

World Mental Health Day: my story

Note: This is a slightly modified version of a post I made to the Moodle HQ forum earlier today as part of our Wellbeing Week.


According to Heads Up, an Australian organisation focused on mental health at work, there are nine attributes of a healthy workplace:

  1. Prioritising mental health
  2. Trusting, fair & respectful culture
  3. Open & honest leadership
  4. Good job
  5. Workload management
  6. Employee development
  7. Inclusion & influence
  8. Work/Life balance
  9. Mental health support

Just over a decade ago, I burned myself out while teaching, spending a few weeks signed off work and on antidepressants. It was undoubtedly the lowest point of my life. The experience has made me realise how fragile mental health can be, as other members of staff were struggling too. Ultimately, it was our workplace environment that was to blame, not individual human failings.

These days, I’m pleased to say that, most of the time everything is fine. Just like anyone who identifies strongly with the work they’re doing, it can be difficult to put into practice wisdom such as “prioritising family” and “putting health first”. Good places to work, however, encourage you to do this, which is part of what Wellbeing Week at Moodle is all about.

Currently, I work remotely for Moodle four days per week. I travel regularly, but have been based from home in various roles for the past six years. While others might find it lonely, boring, or too quiet, I find that, overall, it suits my temperament.

When I worked in offices and classrooms, I had an idea of remote working that was completely different from the reality of it. Being based in somewhere other than your colleagues can be stressful, as an article on Hacker Noon makes very clear. I haven’t experienced all of the following issues listed in the article, but I know people who have.

  • Dehumanisation: “communication tends to stick to structured channels”
  • Interruptions and multitasking: “being responsive on the chat accomplishes the same as being on time at work in an office: it gives an image of reliability”
  • Overworking: “this all amounts for me to the question of trust: your employer trusted you a lot, allowing you to work on your own terms , and in exchange, I have always felt compelled to actually work a lot more than if I was in an office.”
  • Being a stay at home dad: “When you spend a good part of your time at home, your family sees you as more available than they should.”
  • Loneliness: “I do enjoy being alone quite a lot, but even for me, after two weeks of only seeing colleagues through my screen, and then my family at night, I end up feeling quite sad. I miss feeling integrated in a community of pairs.”
  • Deciding where to work every day: “not knowing where I will be working everyday, and having to think about which hardware I need to take with me”
  • You never leave ‘work’: “working at home does not leave you time to cool off while coming back home from work”
  • Career risk: “working remotely makes you less visible in your company”

Wherever you spend the majority of your time, the physical environment only goes so far. That’s why the work the Culture Champs are doing at Moodle HQ is so important. Feeling supported to do a manageable job in a trusting and respectful culture is something independent of where your chair happens to be located.

So, I’d like to encourage everyone reading this to open up about your mental health. Talk about it with your family and friends, of course, but also to your colleagues. How are you feeling?


Image by Johan Blomström used under a Creative Commons license

Open source community calls in the wake of GDPR

I am a supporter of the intentions and sentiment behind the General Data Protection Regulation (GDPR) that came into force last month. However, it comes with some side effects.

Take community calls for the open source community, for example. Here’s how they often work:

  • Agenda — someone with a level of responsibility within the project creates an agenda using a service you don’t have to login to access and to which everyone can contribute (e.g. Etherpad)
  • Synchronous call — at the appointed time, those wishing to participate connect to some kind of audio and/or video conferencing services (e.g. Zoom)
  • Recordings — those who are interested in the project but couldn’t participate at the time catch up via the agenda and recording.

I’ve been running community calls using this kind of approach for the last five years or so. It’s an effective method and a process I do so automatically, I didn’t even think about the GDPR implications.

Yesterday, however, I was informed (very nicely!) by Carlo Polizzi, Moodle’s DPO and Legal Counsel, that I needed to delete the data I’d collected in this way and find a new way to do this.

GDPR requires that (unless community members contribute anonymously) we must, at the very least:

  1. Gain consent from each individual that we can store their personal data and that they agree to our privacy policy.
  2. Inform individuals what that data will be used for and how long we will be storing it.
  3. Give them the option of withdrawing that consent at any time and having their data deleted.

This means, of course, that community members are going to have to register and then log in to a system that tracks them over time. I’ve written before about creating an architecture of participation for episodic volunteering. This certainly prevents more of a challenge for the ‘easy onboarding’ part of that.


So, not sure what to do, put up the Bat-Signal and asked my network. Out of that came suggestions to use:

  • An encrypted etherpad solution that auto-deletes after a specified amount of time (e.g. CryptPad)
  • Forum software that feels quite ‘realtime’ (e.g. Discourse)
  • A Moodle course with guest access open (e.g. MoodleCloud)

On a more meta level, I also had some feedback that synchronous communication discriminates users for whom English isn’t their first language and/or who are disabled.


For now, given the above feedback, we’re going to end community calls in their current guise. I’ve met with Mary Cooch, Moodle’s community educator to discuss a few options for how we could do things differently, and we’re going to explore using the existing MoodleNet discussion forum at moodle.org along with BigBlueButton.

If you’ve got any questions, comments, or suggestions, I’d love to hear them, as this is something that many other open source projects are going to have to grapple with, as well!


Image CC BY-SA opensource.com

My takeaways from Stephen Downes’ talk on personal learning

In general, I have great intentions to watch recorded presentations. However, in reality, just like the number of philosophy books I get around to reading in a given year, I can count the number I sit down to watch on the fingers of one hand.

I’ve been meaning to watch Stephen Downes’ talk on personal learning since he gave it at the at the Canada MoodleMoot back in February. Since I’m talking with him this afternoon about Project MoodleNet, that served as a prompt to get around to watching it.

(as an aside, it’s a blessing to be able to play YouTube videos at 1.5 or double speed — presentations, by their nature aren’t as information-dense as text!)

Groups vs Networks

Downes has been talking about groups vs networks since before 2006. In fact, I often reference this:

Groups vs Networks

CC BY-NC Stephen Downes

The presentation builds on this, and references a tool/environment he’s built called gRSShopper.

Groups vs Networks

Downes doesn’t link any of this to politics, but to my mind this is the difference between authoritarianism and left libertarianism. As such, I think it’s a wider thing than just an approach to learning. It’s an approach to society. My experience is that some people want paternalism as it provides a comfort blanket of security.

Personalized vs Personal

There’s plenty of differences between the two approaches. In his discussion of the following slide, Downes talks about the difference between a ‘custom’ car and a customised car, or an off-the-self suit versus one that’s tailored for you.

Personalized vs Personal

My position on all of this is very similar to Downes. However, I don’t think we can dismiss the other view quite so easily. There has to be an element of summative assessment and comparison for society to function — at least the way we currently structure it…

Personal Learning Environments

Downes’ custom-build system, gRSShopper, is built with him (the learner) in the middle. It’s a PLE, a Personal Learning Environment:

gRSShopper workflow

All of this is based on APIs that pull data from various systems, allow him to manipulate it in various ways, and then publish outputs in different formats.

Note that all of this, of course, depends upon open APIs, data, and resources. It’s a future I’d like to see, but depends upon improving the average technical knowledge and skills of a global population. At the same time, centralised data-harvesting services such Facebook are pointing in the opposite direction, and dumbing things down.

Personal Learning Record

So gRSShopper creates what Downes calls a Personal Learning Record, complete with ‘personal graph’ that is private to the learner. This is all very much in keeping with the GDPR.

Data aggregation and analytics

The real value in all of this comes in being able to aggregate learning data from across platforms to provide insights, much as Exist does with your personal and health data.

Analytics and Big Data

Downes made comments about pulling resources and data between systems, about embedding social networks within the PLE, and browser plugins/extensions to make life easier for learners. I particularly liked his mention of not just using OERs as you learn, but creating them through the process of learning.

Conclusion

I’m looking forward to our conversation this afternoon, as I’m hoping it will either validate, or force me to rethink the current approach to Project MoodleNet.


Main image CC0 Marvin Meyer

Moodling around with a Jetpack metaphor

I’m busy ideating, and talking to people around, Project MoodleNet. When you’re explaining something that doesn’t yet exist, you’ve got to use touchstones and metaphors, starting from where people are to help them understand where you want to go.

Project MoodleNet landscape

In these discussions I’ve been using three things to help me:

  1. A great ‘landscape’ image from Bryan Mathers (see above)
  2. The 3D printing social network Thingiverse (which I wrote about here)
  3. The Jetpack plugin for WordPress

It’s worth, I think, unpacking the third of these — if only so I’ve got a public URL to point people towards when I reference it elsewhere! It’s an imperfect metaphor, as it involves more technical understanding than we’ll require for Project MoodleNet.

Anyway, here goes…

WordPress and Moodle are similar

  • Free (as in freedom)
  • Open Source
  • Host your own version
  • Have it hosted for you
  • Partnership network

How Jetpack works

Jetpack is a meta-plugin, a ‘plugin of plugins’ that adds lots of functionality to self-hosted instances of WordPress. In fact, it’s pretty much a no-brainer to activate Jetpack if you’re self-hosting. It connects your instance to your wordpress.com account, giving you:

  • Faster page loading (via CDN)
  • Additional security
  • Detailed site stats
  • Faster logins
  • Payment integration

Install Jetpack

Where’s the value for the organisation behind WordPress?

So lots of value for users, but (you may think), what’s in it for Automattic, the organisation behind WordPress? Well…

  • Secure, fast WordPress sites maintain brand value
  • Better metrics around installation numbers
  • Ability to upsell to customers direct from dashboard

Jetpack dashboard

Why is this a good metaphor for what we’re doing?

Project MoodleNet will be a standalone social network for educators focused on professional development and open content. It can be supercharged, however, by using a similar model to what WordPress have done with Jetpack.

Imagine users logging into a institutionally-hosted Moodle instance using their Project MoodleNet credentials because the two are connected in a similar way to how Jetpack works for the WordPress ecosystem.

To be clear, I’m not proposing that Project MoodleNet offers the same services as Jetpack, I’m saying that it serves as an example where you can create value in two places and additional value by linking them together.

This would mean…

  • Teachers: professional social networking within their existing learning platform.
  • Instructional designers: faster access to curated open resources.
  • Sysadmins: better security and potentially reduced hosting costs.

(if you’re wondering about ‘reduced hosting costs’ it’s because we’re tentatively looking at how IPFS could be used in the wider Moodle ecosystem)

Finally…

This isn’t a perfect metaphor by any means, and so I’m looking for other ways to explain what we’re trying to achieve. However, the combination of Bryan’s image, referencing Thingiverse, and explaining JetPack is helping those I’m talking with to understand the kind of thing we’re trying to build.

What kind of metaphor would you use?


Main image CC BY-NC Fir0002/Flagstaffotos

Final steps in my GDPR journey

After being away for a couple of weeks in Australia and the USA, I’m back home. It’s time, therefore, to finish off the Futurelearn course I started around Understanding the General Data Protection Regulation (GDPR).

It’s a four-week course, and I’ve written about what I’ve learned over the past three weeks’ worth of material in the following posts:

What follows, therefore, is about the final week — entitled ‘Responsibilities, liabilities and penalties’. I’m digging into in this area because I’m leading the  MoodleNet project. However, I’m writing here instead of on the project blog as I’m still coming to grips with all that GDPR means in practice.


I like the way that the course organisers frame the final section of this course:

As individuals or natural persons, you should know that most of the activities that you daily perform, all the forms that you are asked to fill in and most of the technology that you use on a daily basis leave a trail of personal data behind. Collecting data, analysing and linking different databases create the possibility to learn very personal information about you and obtain details about your life and life of those who you care about. More than you would have ever thought. More than you even remember. To give but one example: 4 pictures of you placed on the Internet allow facial recognition programs to find you again when crossing the street. Given this situation, you need protection.

Supervisory bodies

As per the title of this week’s course title, the focus is all about how GDPR will be enforced:

These enforcement mechanisms include a number of measures and instruments:

  • The establishment of national supervisory authorities (and the Lead Supervisory Authority in case of cross-border data transfers) and of the European Data Protection Board (Chapter 6);
  • Arrangements to streamline legal compliance, including codes of conduct (Article 40), data protection certifications (Article 42), binding corporate rules (Article 47) and standard (contractual) data protection clauses (Article 46);
  • Rights of data subjects, including the right to lodge a complaint and the right to an effective judicial remedy (Chapter VIII);
  • A multi-layered mechanism to protect the transfer of personal data of EU citizens outside the EU (Chapter V);
  • Liabilities and sanctions for violation of laws (Chapter VIII);
  • The role of Member States in compliance and implementation.

The EU provides a way to ensure local colour and context is respected, while enforcing a European-wide framework. The aim is to prevent safe havens for bad actors:

Each national supervisory authority is empowered to monitor any data processing activity that takes place within its territory (jurisdiction). It is also charged with the task to monitor any data processing activities that target data subjects residing in its territory, even in those situations where the activities are carried out by non-EU data controllers or processors. However, since in an online environment data does not always respect borders, the territorial jurisdiction of a national supervisory authority is not always clear cut.

As a result:

For avoiding situations in which more than one national supervisory authority are competent, the GDPR has introduced the legal concept of the lead supervisory authority or LSA.

When national supervisory authorities realise that a case brought before them has a cross-border dimension… they refer the case to the LSA which decides if it will handle the case or not within three weeks. Article 56 GDPR provides that the lead supervisory authority for cross-border processing of data will be the authority that is competent to supervise the entity engaged in data processing of individuals in different countries or, the authority competent to supervise the main establishment of the data controller or processor in case this has different establishments in several Member States.

So taking the example of the UK (where I live) there’s a national supervisory authority which is then subject to the lead supervisory authority. That, in turn, is subject to the European Data Protection Board:

To ensure the consistent application of the GDPR throughout the EU an important role will be played by the European Data Protection Board (the Board).

Even though the denomination looks new, the Board in itself is the continuation of the existing Article 29 Working Party which was established under the old Data Protection Directive 95/46/EC.

[…]

The old Article 29 Working Party was often criticised for not adequately consulting stakeholders before taking decisions. In reaction to this criticism, the Board is required to consult interested parties where appropriate. This would of course benefit data controllers or processors that might be affected by the decisions adopted.

So it sounds like the EU have learned their lesson:

Similarly with the Article 29 Working Party, the Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS), or their representatives. The EDPS’s voting powers are restricted to those decisions that would be applicable to the EU institutions.

The Board also includes a representative of the European Commission who, however, does not have a right to vote so as to ensure the independence of the Board. There seems to be an implicit suggestion that the European Commission has exercised too much influence over the Article 29 Working Party in the past and the GDPR wants to ensure that this will not be the case in the future.

There’s some great provisions in the GDPR but I have to wonder just how quickly some of the decisions and actions will be taken:

Together with the establishment of the Lead Supervisory Authority presented in the previous step, the consistency mechanism is intended to avoid such situations. When it is clear that the decision of a supervisory authority will have an EU-wide impact, or when a request comes from a national supervisory authority, the Chair of the European Data Protection Board or from the European Commission, the Board issues a non-binding decision on a specific case. The national supervisory authority dealing with the case shall take utmost account of the decision of the Board or shall inform the Board in the case in which it does not intend to follow its opinion.

Codes of conduct

Part of any compliance system involves self-regulation, and the GDPR is no different. I like the ‘code of conduct’ approach in this regard:

For controllers and processors, codes of conduct are an important tool for achieving legal compliance and creating evidence to support this. Member states’ supervisory authorities, the board, and the commission encourage drafting codes of conduct. Such codes of conduct can be prepared, amended, or extended by associations and other bodies representing categories of controllers and processors. Codes of conduct need to include measures specifying the application of the GDPR, This includes, for example, the collection and pseudonymisation of personal data, exercise of data subjects’ rights, and notification of a data breach. Codes of conduct contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments, or extensions of codes of conduct need to be submitted to the supervisory authority for approval.

Companies and other organisations have to ‘walk the walk’, though, and not just have their documentation in place:

Apart from supervisory authorities, other competent bodies with an appropriate level of expertise and accreditation can also monitor compliance with codes of conduct. Drafting codes of conduct is one thing. Committing to them is another. It is important in the sense that it can provide evidence that controllers and processors comply with the GDPR. This not only counts for controllers and processors within the EU, but also for those who are not subject to the GDPR in order to provide appropriate data protection safeguards.

Binding corporate rules

One way of moving beyond a code of conduct is for large, multi-national organisations to implement ‘binding corporate rules’:

Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies. They define the group’s global policy with regard to the international transfers of personal data to companies within the same group that are located in countries which do not provide an adequate level of protection. They are legally binding and approved by the competent supervisory authority in accordance with the consistency mechanism.

These rules are beneficial for the organisation (efficiency / consistency), for the EU (compliance) and for the end user (transparency).

The GDPR allows for personal data to be transferred outside the EU, but not just anywhere:

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may be limited also to specific territories or to more specific sectors within a country. A current list of countries that have been evaluated as having an adequate level of data protection can be found here.

The example given in the course is of Japan, which isn’t currently listed as having adequate protections. However:

Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has himself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

At the end of the day, it’s the organisation’s responsibility as the data controller to comply wih the GDPR:

In accordance with the provisions in Chapter VIII, controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor is liable for not complying with its obligations or for acting outside or contrary to lawful instructions of a controller. A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages…

Fines

So now we get to the interesting part. What can the EU actually do about GDPR infringement?

According to Article 83 GDPR, the fines may, depending on the infringed provision of the GDPR, amount to a maximum of 20 million Euros, or, if this is a higher amount, to 4% of the total worldwide annual turnover of an undertaking. For example, a failure to implement the data protection by design and by default is subject to a maximum fine of only 10 million Euros or 2% of the total worldwide annual turnover of an undertaking. On the other hand, violating the basic principles of data processing, including the conditions for obtaining a valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of 20 million Euros or 4% of the total worldwide annual turnover.

That’s obviously a lot of money, but it’s a sliding scale:

What the amount of a fine will be at the end will depend on the nature, gravity and duration of the infringement as well as on its character – if there was intention or negligence from the undertaking. The supervisory authority must ensure that the administrative fines would be in each specific case proportionate to the infringement and at the same time also effective and dissuasive. As a result, not all infringements of the GDPR will lead to those serious fines mentioned above.

The good thing, however, is that the fines are calculated on global revenues, rather than just the amount the organisation makes in the EU:

Once the GDPR becomes applicable, the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

Conclusion

I’m hopeful that the GDPR is going to help the legal system catch up with some of the technology that’s permeated our lives over the last couple of decades. Time will tell, of course…


Image by the Latvian State Chancellery used under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 Generic license

Weeknote 01/2018

So here we are! The first weeknote of 2018. You know the drill.

This week I’ve been:

  • Celebrating the New Year. I spent Christmas at home with just my wife and children, but we went down to Devon to the in-laws for New Year and had a great time.
  • Redesigning Thought Shrapnel, which is now not only a weekly newsletter, but also a blog! I think you’ll agree that Bryan Mathers did a great job with the logo. Read more about that here. You can become a supporter to show your appreciation for this work, and to ensure it continues!
  • Returning to life as an employee! As I mentioned before Christmas, I’m leading a new innovation project for Moodle. This involves working for them four days per week, and I can do so from home (with a bit of travel). So in a sense, lots has changed, and nothing at all. Note I’m still doing some consultancy, mostly through We Are Open co-op.
  • Meeting with Moodle colleague Tom Murdock about various things.
  • Introducing myself on the forum for the upcoming Learn Moodle Basics course. It’s been a few years since I used Moodle, so I thought I’d get back up-to-speed along with Mary Cooch and the community!
  • Working a short week due to New Year’s Day on Monday. My ‘Doug day’ (or, more likely, ‘consultancy / admin / catch-up-with-all-the-things day’) is likely to be Fridays, most weeks. This time around it was full of admin and my children begging me to play with them instead, — as they don’t go back to school until next week.
  • Sorting out various things as Secretary of the Executive Committee for 6th Morpeth Scouts.  I’m trying to streamline some stuff around meetings, calendaring, etc.
  • Facepalming at Dell, who want to charge me over £900 to fix a my less than one-year old XPS 13 laptop which has a threaded screw in the base. This is causing it come apart near the screen. As a result of their greed and poor customer service, I’ve used duct tape to patch it up as best I can, and bought a £60 battery to resurrect my Lenovo X220. I prefer the keyboard on the latter anyway, and in fact I’m using it to type this!
  • Writing:

Next week I’m at home all week, and celebrating my daughter’s birthday towards the end of it. I’ll be in London twice this month, the week after next for a co-op meetup, and then the week after that, I’ll be at BETT on the Friday.

Photo taken by me on New Years’ Day at Branscombe beach, Devon.

Why I didn’t go on ‘Belshaw Black Ops’ at the end of 2017

At the end of every year since 2010 I have, to the greatest extent possible, disappeared back into the analogue world to recharge. This has been known as Belshaw Black Ops after Paul Lewis decided that just calling it a ‘hiatus’ wasn’t rock ‘n’ roll enough.

I’ve greatly appreciated these periods away from social media, blogging, and personal email as a time when I can be ‘more myself’. Why, then, a few people have asked me, didn’t I continue this routine at the end of 2017? The simple answer is that I’ve achieved the kind of balance that means it didn’t feel necessary.

There are a number of factors here:

  1. Switching from Twitter to social.coop half-way through the year. Given that I still get the most-shared stuff from my Twitter network filtering through to me via Nuzzel, that’s been a revelation.
  2. Looking after myself a bit better health-wise, including deciding to follow a mostly plant-based diet, starting running again, and taking supplements such as multivitamins, high doses of Vitamin D, and L-Theanine.
  3. Enjoying the sunnier weather where I live (it makes a difference!)
  4. Blogging in a more short-form way via Discours.es and Thought Shrapnel Live!
  5. Prioritising what’s important in my life. I find reading Stoic philosophy every morning helps greatly in that regard.

Today is my first day back as an employee. I’m working for Moodle, makers of the world’s largest (open source!) learning platform. I’m working four days per week leading an innovation project for them aimed at creating a new open social media platform for educators, focused on professional development and open content. I’ll still be consulting through We Are Open Co-op.

It was my birthday just before Christmas, and I’ve now spent most of my thirties working from home. There’s benefits and drawbacks to doing so, but the main upside for me is much more control over my schedule. I’ll still have a lot of autonomy at Moodle, so I anticipate that, while I’ll be away during the summer, there won’t be a need for Belshaw Black Ops in 2018, either.

Photo by Paul Green available under a CC0 license

css.php