Entries submitted
C1- Entry by: Agency for Access to Public Information (AAIP)
Description of the initiative:
The RITE module was built collaboratively through a process of roundtables with key players in the world of data protection and integrity. The objective was the co-construction of an instrument that serves organizations as a guide to assess their status, promotes due diligence practices and accountability, and, at the same time, is an instrument to strengthen the privacy strategies of companies and entities.
The module is divided into seven components: Personal Data Protection Plan, Risk Assessment, Personal Data Protection Area, Senior Management Commitment, Accountability, Training, and Communication Channel. Each component covers institutional, organizational, budgetary, Privacy Impact Assessment and internal best practices and policies related to personal data protection.
The module addresses these issues by categorizing organizations into three levels: small, medium, and large. This approach segments the questionnaire based on the organization’s size, which allows self-assessment to be carried out taking into account the reality of each controller or processor.
In addition, the platform provides a toolbox containing various resources such as guides, regulations, and instructions to facilitate the implementation of Personal Data Protection legislation and the adoption of best practices within each organization.
The RITE and its module on personal data protection serve as valuable tools to help the public and private sectors adopt best practices and implement compliance and accountability policies. The OECD recognizes this in its publication “A Resource Guide on State Measures for Strengthening Business Integrity,” where it presents RITE as an example of public policy that supports private organizations and public companies in understanding regulations.
Why does the initiative deserve to be recognised by an award?
The Personal Data Protection Module is the first free-of-charge online tool for personal data protection compliance in Argentina. It is a guide for data controllers and data processors based on the principle of accountability.
The PDPM is a collaborative outcome resulting from the coordination and cooperation among various public agencies.
The module was created through collaboration with business actors, cooperatives, public companies, and civil society organizations. The contribution of multiple stakeholders to the PDPM allowed development based on consensus.
This tool incorporates the needs and concerns of companies and entities during the design process.
The PDPM was designed to cater to the needs of companies and entities of various sizes, including small, medium, and large. The module not only identifies the status and level of compliance but also provides resources through its toolbox for SMEs and other entities to develop data protection measures within their organization, such as due diligence best practices, privacy policies, PIAs and accountability programs.
C2- Entry by: Catalan Data Protection Agency
Description of the initiative:
The APDCAT has created ‘DPD en Xarxa’, a learning and collaboration community aimed at the DPOs in Catalonia. The aim of the Network is to provide a platform to promote training, expertise and the exchange of ideas and experiences between the people who ensure compliance with data protection regulations in Catalan organisations.
Courses and workshops, specialized documentation, working groups and forums are offered to provide knowledge and raise concerns or suggestions on relevant topics, such as privacy with the use of new technologies (AI), sensitive data or vulnerable groups (health sector, social…).
In this way, we want to enhance the figure of the DPO as a key part of compliance, consolidating their knowledge while identifying and promoting best practices. Thus, a model of relationship and cooperation is created and disseminated, helping to prevent non-compliance in all organizations and to protect the rights of citizens.
Despite being created by the APDCAT, it is expected that, in the medium term, the Network will be promoted by the DPOs themselves.
DPOs from the public sector of Catalonia (for example: the Government of Catalonia, city councils or universities) can be part of it, as can their data processors or other DPOs working at companies based in Catalan territory. Likewise, professionals or university professors who are experts in the field can collaborate.
‘DPD en Xarxa’ was publicly introduced in July 2023, and since then more than 200 DPOs have signed up. In this time, dozens of debates and 8 webinars have been held on topics as diverse as the new European legislation on artificial intelligence, data governance or eIDAS, transparency, security breaches or data management projects for Catalan universities. Likewise, the working group on “Methodological guidelines for the preparation of impact assessments on fundamental rights and freedoms in the field of Artificial Intelligence” is also in operation; its results will be embodied in a code of good practices that will be shared with all DPOs in the Network. In addition, the platform offers all its members not only the possibility of participating in new training, debates and working groups but also the chance to propose improvements.
In October, the first face-to-face DPO meeting will be held, which will be repeated over the years as a new forum for relations and work between the DPOs of Catalonia.
Why does the initiative deserve to be recognised by an award?
The DPO is often a misunderstood figure within organizations, since they do not have sufficient resources to do their job and are also not effectively incorporated into the decision-making processes. At the same time, they are also a solitary figure, with no surrounding team to discuss the best solutions.
‘DPD en Xarxa’ wants to address this in a twofold manner: by strengthening their position in their organization, providing training and practical resources, and also by breaking their isolation by encouraging the exchange of experiences and knowledge among all of them.
From the APDCAT we believe that this is an effective way to improve regulatory compliance and protect citizens’ rights: supporting the most relevant figure in the chain, the DPOs. And with this network, which can be replicated in other countries, we promote best practices and the immediate resolution of problems with the collaboration of the professionals themselves.
C3- Entry by: European Data Protection Supervisor (EDPS)
Description of the initiative:
The International Organizations’ Workshop, an initiative by the European Data Protection Supervisor, aims to cultivate and strengthen international collaborations in the field of data protection.
The EDPS co-organizes the workshop annually, each year in a different location and in collaboration with a different International Organization. The workshop provides a platform for International Organizations to exchange ideas, experiences, concerns and best practices in the field of data protection. It also serves as a forum to discuss the most recent regulatory developments at international level related to data protection and their implications on International Organisations.
The workshop aims to include both main sessions and breakout sessions to maximise engagement and learning opportunities. Main sessions serve as the workshop’s foundation, tackling overarching themes in data protection. Breakout sessions foster in-depth discussions within smaller groups. In these sessions, representatives of International Organizations delve deeper into specific areas of interest, sharing knowledge and exchanging diverse perspectives, experiences and insights, while fostering capacity building through shared best practices and strategies for developing data protection measures within their organizations. The collaborative nature of the workshop facilitates knowledge sharing between International Organisations, promotes accountability and contributes to the development of more robust and effective data protection practices on a global scale.
Building upon this collaborative format, the 2023 edition of the workshop, hosted by the EDPS in collaboration with INTERPOL, took place in Lyon, France in October 2023. This edition focused on privacy and data protection trends, data transfers to and between International organisations, management of digital identities and the reconciliation of Digital transformation and Data protection.
Expanding its horizons, the 2024 edition, organised in partnership with the World Bank, will be held for the first time outside Europe in Washington, D.C. This edition will focus on the development and use of artificial intelligence in International Organizations, data transfers to and among International Organisations, compliance of IT tools with privacy obligations, personal data breaches, as well as challenges and best practices of data protection professionals and DPOs in International Organisations.
Why does the initiative deserve to be recognised by an award?
Firstly, the workshop successfully promotes data protection standards on a global scale, facilitating a discussion on data protection issues with a broad international perspective, which transcends geographical boundaries and regulatory frameworks. This approach is particularly crucial for International Organizations due to their operations spanning multiple jurisdictions.
Furthermore, the workshop serves as a platform for discussing pressing issues and promoting best practices in data protection, bringing together International Organizations to share knowledge and innovative strategies for safeguarding personal data. This collaborative approach fosters global cooperation and indicates a general commitment to shared responsibility in protecting individuals’ rights. Through knowledge sharing, networking and capacity building, the workshop helps International Organizations translate legal requirements into robust data protection practices, thereby ensuring accountability.
Lastly, the workshop, offering the opportunity for engagement in in-depth discussions about data protection issues, encourages participants to assess their current practices in relation to data protection and identify areas for improvement. Through this process, the workshop facilitates International Organizations in effectively implementing data protection measures and refining their approach to accountability.
Particularly, the 2024 edition, held for the first time outside of Europe, aims to further promote accountability within International Organizations by expanding the workshop’s global reach.
C4- Entry by: Hellenic Data Protection Authority
Description of the initiative:
The information and guidance tool for the notification of personal data breach incidents to the DPA leads the data controller through an interactive wizard of questions. Depending on the answers given about the circumstances of the specific incident, and after relevant explanatory and informative material has been shown, the controller is guided on whether the incident needs to be notified to the DPA.
The data breach wizard identifies six broad categories of data breaches and, for each one of them, through a series of questions that are easily answered (mostly yes/no), provides guidance on how a data controller should act to mitigate the breach, whether a notification to the HDPA is necessary, and also whether it is advisable or necessary to inform the affected data subjects about the data breach and its consequences.
The tool is available under https://eservices.dpa.gr/wizard/?id=1331560
The information material is enriched by short animations which provide useful examples of security incidents that can be characterized as a breach of personal data and include the appropriate way to react to them. They cover accidental disclosure of personal data and malicious security incidents.
The animations are available under: https://www.dpa.gr/index.php/el/foreis/asfaleia_dedomenwn/gnwstopoiisi_paraviasis
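As an added illustration of the kind of yes/no decision logic such a wizard encodes (this is not the HDPA wizard's code and its questions are assumptions; the outcomes follow GDPR Articles 33 and 34), the following helper maps a controller's answers to a notification outcome and computes the 72-hour deadline from the time the controller became aware of the breach:

```python
"""Illustrative breach-notification decision helper (added example, not HDPA code).

Outcomes follow GDPR Art. 33 (notify the supervisory authority within 72 hours
unless the breach is unlikely to result in a risk) and Art. 34 (inform data
subjects when the breach is likely to result in a high risk, with the
exceptions in Art. 34(3)). The question set below is an assumption made for
illustration; a real wizard asks many more, category-specific questions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Outcome(Enum):
    NO_BREACH = "not a personal data breach: no notification duty"
    DOCUMENT_ONLY = "breach unlikely to result in a risk: document internally (Art. 33(5))"
    NOTIFY_DPA = "notify the DPA within 72 hours (Art. 33)"
    NOTIFY_DPA_AND_SUBJECTS = "notify the DPA and inform affected data subjects (Art. 34)"


@dataclass
class BreachAnswers:
    """Yes/no answers a controller gives about the incident (assumed question set)."""
    personal_data_involved: bool
    security_of_data_affected: bool          # confidentiality, integrity or availability lost
    risk_to_individuals: bool                # is a risk to rights and freedoms likely?
    high_risk_to_individuals: bool           # is that risk high?
    data_unintelligible_to_unauthorised: bool = False   # e.g. strong encryption, key not exposed
    later_measures_remove_high_risk: bool = False       # e.g. credentials revoked before misuse


def assess(a: BreachAnswers) -> Outcome:
    """Walk the decision tree and return the notification outcome."""
    if not (a.personal_data_involved and a.security_of_data_affected):
        return Outcome.NO_BREACH
    if not a.risk_to_individuals:
        # Still a breach: Art. 33(5) requires an internal record even without notification.
        return Outcome.DOCUMENT_ONLY
    if not a.high_risk_to_individuals:
        return Outcome.NOTIFY_DPA
    # Art. 34(3)(a) and (b): individual communication is not required if the data was
    # unintelligible to unauthorised persons or the high risk no longer materialises.
    if a.data_unintelligible_to_unauthorised or a.later_measures_remove_high_risk:
        return Outcome.NOTIFY_DPA
    return Outcome.NOTIFY_DPA_AND_SUBJECTS


def deadline_iso(awareness_iso: str) -> str:
    """Return the Art. 33 deadline (72 hours after becoming aware) as an ISO 8601 string."""
    aware_at = datetime.fromisoformat(awareness_iso)
    return (aware_at + timedelta(hours=72)).isoformat()


if __name__ == "__main__":
    # Constructed scenario: a laptop with unencrypted customer records was stolen.
    answers = BreachAnswers(
        personal_data_involved=True,
        security_of_data_affected=True,
        risk_to_individuals=True,
        high_risk_to_individuals=True,
    )
    print(assess(answers).value)
    print("deadline:", deadline_iso("2024-03-01T10:00:00+00:00"))
```

The branch order matters: the "is it a breach at all" question comes first, then the risk level, and only then the Art. 34(3) exceptions, so an encrypted-device loss still reaches the DPA-notification branch rather than being dismissed outright.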
Why does the initiative deserve to be recognised by an award?
The HDPA has identified that it receives a relatively small number of data breach notifications in comparison to other EU/EEA countries. Since Greek businesses are mostly SMEs (and notably most of them belong to the small SME category), providing practical and easy guidance is crucial for such enterprises.
The rationale behind this tool is to provide SMEs with a relatively simple tool that they can easily use when they face a potential data breach, without having to read long texts full of legal terminology.
C5- Entry by: Hellenic Data Protection Authority
Description of the initiative:
The initial version of the Platform became operational in September 2023 with:
- a space for discussion and exchange of views (for registered users – data protection professionals). See here https://collab.dpa.gr/community/
- and a digital library with supporting material (open to all). See here https://collab.dpa.gr/%cf%88%ce%b7%cf%86%ce%b9%ce%b1%ce%ba%ce%ae-%ce%b2%ce%b9%ce%b2%ce%bb%ce%b9%ce%bf%ce%b8%ce%ae%ce%ba%ce%b7/
It operates under the guidance and supervision of the Hellenic DPA’s staff, but is not intended to provide specific advice or answers in individual cases or to replace DPOs.
The aim of the platform is to share specialised knowledge by topic, in order to facilitate the practical application of data protection principles by data protection professionals (DPOs, specialists with a relevant background, IT professionals involved in/implementing relevant projects, etc.).
The discussions and the information available on the platform are categorized into 10 thematic areas (topics). Professionals can browse the library without any need for registration, while, if they wish to ask a question or raise an issue of interest among their peers, they have the opportunity to register on the platform (using just an email) and post their question under the appropriate thematic area. Staff from the HDPA also participate in the discussions. The HDPA is also able to receive feedback from the platform, to be considered during its prioritization process.
The platform aims to address the need of DPOs and Data Protection Professionals for specialised guidance, given the limited HDPA resources, by mobilizing its participants to share knowledge and ideas.
For the creation of an e-platform for cooperation and the exchange of views among DPOs and data protection professionals, it was necessary to carry out a survey among privacy professionals: first to identify those professionals, and then to point out as accurately as possible their needs and concerns on data protection matters and to specify the main thematic areas on which the platform should focus during its initial operation.
After the submission and evaluation of the questionnaires two workshops were organized in the second quarter of 2023 in order to discuss the findings of the survey, to present basic functionalities of the platform and to determine precisely its content and how it works.
The first seminar took place on Monday 29 May 2023 at the University of Piraeus and the second one (with the same content) was held on-line on Thursday 1 June 2023. During the seminars the participants became acquainted with the e-platform. They also had the opportunity to raise questions on the platform operation and make constructive comments in relation to its use.
360 DPOs and professionals who had already expressed their interest in participating in the events were invited, and most of them accepted and registered for the events. In the end, 59 DPOs and privacy professionals participated in the face-to-face event and 82 participated in the remote event.
Following the identification of the needs of privacy professionals and the results of the survey carried out for this purpose, the collaboration platform was developed.
Up to now, more than 300 DPOs and Data Protection Professionals have registered to the platform (which is available in Greek).
Why does the initiative deserve to be recognised by an award?
The platform (named collab.dpa.gr) introduces a new approach to the guidance of DPOs and Data Protection Professionals. The HDPA recognized the need to provide specialized guidance beyond a basic level (e.g. beyond a general knowledge of the GDPR and relevant legislation and the official guidance offered by the EDPB). At the same time, the HDPA (like most DPAs) suffers from limited resources and a large number of cases to be handled.
In order to find a proper balance, the HDPA decided to bring the principles of “crowdsourcing” to the field of Data Protection. Thus, the platform is used as a “safe” space for the exchange of knowledge of professionals of the field. The HDPA expects that in the future, as more items are discussed on the platform, DPOs and Data Protection Professionals will be able to use a valuable space of specialized resources.
At the same time, the electronic library acts as a repository of guidance texts that the HDPA recognizes as important for the specific topic. These texts include open resources, such as court judgments, official authority guidance, and technical guidance by recognized organizations or international standards. Each participant can propose a text, thus contributing to the improvement of the platform.
Operation of the platform is governed by a flexible regulation, issued by the HDPA and drafted in cooperation with its participants.
C6- Entry by: Information Commissioners Office (ICO)
Description of the initiative:
Over the last two years we have introduced a formal approach to impact, ensuring our work drives change and improves the accountability of organisations. Our approach hinges on a suite of frameworks to implement impact thinking throughout the policy and decision-making cycle. It ensures we learn from our mistakes, celebrate our successes and hold ourselves accountable. It empowers others to transition their accountability measures from law to practice. It also provides a formal mechanism for reporting and evidencing this. Our approach includes the introduction of new frameworks and enhancement of existing frameworks:
- Impact Assessment Framework: an overview and strong signal of our commitment to accountability. Impact assessments are a useful tool for assessing and recording the impacts of our activities but the framework has much wider implications for our development of policy and other initiatives. The principles within the framework have spread into all areas of our work.
- Regulatory Policy Methodology: framework for evidence-based decision-making in policy development with accountability built into each step.
- Taxonomy of Data Protection Harms: for formalising and communicating our understanding of the types of harms that can come from poor compliance and accountability.
- Consultation Policy: our policy on the use of consultation to gather the views of others.
- Ex-post Impact Framework (currently under development): framework for assessing initiatives that have already taken place.
For every significant proposal, impacts are considered and our impact assessments and evaluations are published on our website. This can include:
- Theory of change: a comprehensive description and illustration of how and why a desired change is expected to happen in a particular context;
- Ex-ante impact assessment: an assessment of the potential consequences (positive and negative) of a future course of action, the context surrounding it, and the potential options available to us; and
- Ex-post impact assessment: an evaluation or review of the context, process and impact of a course of action that has already occurred with a view to providing accountability, transparency, and lessons for the future.
The approach has been well-received and has enhanced the dialogue with those we regulate as well as other regulators, civil society organisations, and government.
Why does the initiative deserve to be recognised by an award?
Our work on impacts provides an innovative and ambitious approach to improving accountability. It allows us to reach stakeholders on a topic that they care about (the impacts on them) and are much more likely to engage on. Demonstrating our own accountability is the most important step in helping to transition this more implicit requirement from law into practice and will allow us to speak much more confidently on this issue with our stakeholders.
As far as we are aware, this approach is the first of its kind (and hopefully the first of many) developed by a data protection authority. We hope that this and our future work in this area can serve as a useful blueprint for others, and we look forward to working with other authorities to help them take it forward. Our work on theory of change, impact assessments and evaluations is also best-in-class. We have already had conversations with other data protection authorities to support them in implementing similar initiatives.
Our approach targets one of the most poorly understood principles of data protection and aims for as broad an audience as possible. Recognising ambitious and innovative initiatives encourages others to push boundaries and think outside the box.
C7- Entry by: National Data Protection Commission of Luxembourg
Description of the initiative:
The CNPD launched the ALTO project (« dAta Protection compLiance supporT tOolkit ») in 2022 based on the following observations. Despite many initiatives launched by the CNPD during the preparation and launch phase of the GDPR in 2018, awareness of small organisations regarding basic data protection principles and compliance obligations is still considered poor, thus calling for a new approach to awareness raising and training.
SMEs and very small entrepreneurial businesses are still largely immature regarding personal data protection challenges, whereas they represent in Luxembourg (and on average in the EU economy) more than 90% of employment and of GDP.
In addition, SMEs are often at a disadvantage compared to large organisations in terms of resources and expertise.
Finally, these small players operate in complex economic environments, characterised by a strong increase of data processing across all business processes (B2B, B2C, B2G), the rise of artificial intelligence and evolving legal frameworks on data governance, data sharing, social media and cybersecurity.
Based on this, the CNPD, with the support of the Luxembourg House of Cybersecurity, submitted the ALTO proposal in the call “Citizens, Equality, Rights and Values Programme (CERV)” of the European Commission (DG JUST), which was selected as a project to be co-funded.
DAAZ is a simple, intuitive, anonymous, and free online tool to promote the education of small economic actors regarding personal data protection principles, to increase their awareness and understanding of their obligations under the GDPR, and to help them assess and improve their measures for GDPR compliance in their daily business activities.
The platform application is multilingual (French; English from July 2024 on; German from September 2024 on) and can be translated into other languages. The platform was created in two main steps. First, the identification of the real needs of SMEs through an anonymous online survey with the assistance of all major professional business associations of SMEs in Luxembourg. Second, the development of the pedagogical goals to be achieved and the specific format and platform technology for implementation. This second step was done in an agile development mode based on constant feedback loops with SME test users.
Why does the initiative deserve to be recognised by an award?
- DAAZ is the result of an innovative approach to help SMEs (the predominant type of company in the national and European economic landscape) be accountable with regard to their GDPR obligations.
- As GDPR principles and obligations are often seen by those actors as too legalistic and difficult to implement in their daily business, DAAZ makes privacy and the GDPR accessible in non-legal language, with concrete examples that address SMEs’ typical issues.
- DAAZ is a multilingual online tool potentially adaptable for an international use beyond Luxembourg and its Greater region borders.
- DAAZ was developed as the main deliverable of a project selected in a competitive call for proposals of the EC specifically aimed at awareness-raising activities of DPAs.
- DAAZ was designed and developed in collaboration with the national cybersecurity competence centre NC3, providing strong competence and expertise for building a robust, reliable, and secure platform.
- The use of DAAZ is completely free, truly anonymous and secure.
- As a modular tool designed for use on tablet, desktop or mobile, it offers flexibility and scalability, promotes accessibility and inclusivity, and allows for expansion with diverse themes and technologies.
C8- Entry by: National Privacy Commission Philippines (NPC)
Description of the initiative:
The National Privacy Commission (“Commission”), the Philippines’ data privacy regulator, is the primary agency mandated to implement the provisions of the Data Privacy Act of 2012 (“DPA”). With the end goal of cultivating a culture of privacy throughout the country and of implementing the registration provision of the DPA, the Commission issued NPC Circular No. 2022-04. Through this circular, the NPC mandates covered Personal Information Controllers to register their Data Processing Systems and their Data Protection Officer with the regulator.
The National Privacy Commission Registration System was developed to answer the call to protect the rights and freedoms of all data subjects. Through mandatory registration, PICs demonstrate their commitment to data protection and data privacy. The mandatory display of the NPC Seal of Registration now achieves its purpose of increasing the trust of data subjects in the data processing activities of PICs.
PICs can simply generate their own Certificate of Registration and Seal of Registration by creating an account, filling in the form, and submitting the requirements to the system. A PIC needs to populate specific items of information relating to its data processing system/s. Through this, the data privacy regulator holds the PIC accountable for the implementation of the security measures stated in the submitted registration record.
The rationale behind the online system is to allow PICs and PIPs throughout the country to easily comply with the requirements of the DPA and Circular 22-04. Since all submissions are done online, PICs are able to submit their application for registration and easily generate both their Seal of Registration and Certificate of Registration.
While providing convenience to PICs in complying with rules and regulations, the NPCRS also allows data subjects to exercise judgement in dealing with PICs and PIPs. Since display of the Seal of Registration is mandatory for covered PICs, all data subjects can therefore check before transacting with the PIC. Verification is done by scanning a QR code that redirects to an affirmative page under the domain privacy.gov.ph.
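Because the seal's trust anchor is the domain the QR code resolves to, a scanning application (or a data subject reading the decoded URL) should confirm the link actually points under privacy.gov.ph before treating the seal as verified. The following check is an added example written for this page, not NPC code; the sample URLs are constructed, and only the domain name comes from the text above.

```python
"""Added example (not NPC code): validate the URL decoded from a Seal of Registration QR.

A counterfeit seal could carry a QR code that leads anywhere, so the verifier
accepts only HTTPS URLs whose host is privacy.gov.ph or a subdomain of it.
Look-alike hosts (suffix tricks, user-info tricks, non-ASCII homoglyphs) are rejected.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "privacy.gov.ph"  # the verification domain named in the entry above


def is_trusted_seal_url(url: str) -> bool:
    """Return True only if the QR payload is an HTTPS URL under the trusted domain."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https":
        return False
    # urlsplit separates user-info from the host, so "https://privacy.gov.ph@evil.test/"
    # yields hostname "evil.test" and is rejected below.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or not host.isascii():
        # Non-ASCII hosts may be homoglyph look-alikes; a strict verifier refuses them.
        return False
    # Exact domain or a true subdomain; "privacy.gov.ph.evil.test" and
    # "notprivacy.gov.ph" both fail this test.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def verify_qr_payloads(payloads):
    """Classify a batch of decoded QR payloads; returns a list of (url, trusted) pairs."""
    return [(p, is_trusted_seal_url(p)) for p in payloads]


if __name__ == "__main__":
    # Constructed sample payloads for demonstration.
    samples = [
        "https://privacy.gov.ph/seal/verify?id=SAMPLE-0001",
        "https://www.privacy.gov.ph/seal/verify?id=SAMPLE-0002",
        "http://privacy.gov.ph/seal/verify?id=SAMPLE-0003",
        "https://privacy.gov.ph.evil.test/seal/",
        "https://privacy.gov.ph@evil.test/seal/",
    ]
    for url, ok in verify_qr_payloads(samples):
        print("trusted" if ok else "REJECT ", url)
```

The host comparison deliberately uses a dotted-suffix test rather than a substring match; a plain `"privacy.gov.ph" in host` would accept the look-alike hosts shown in the sample list.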
Why does the initiative deserve to be recognised by an award?
The National Privacy Commission Registration System implementing the Seal of Registration deserves to be recognized by an award as it emphasizes the inherent obligation of a Personal Information Controller (PIC) to keep personal data secure and protected. It enables a stronger call for accountability in the processing of sensitive personal information.
Obtaining the Seal of Registration entails that the PIC has successfully registered with the Commission, registered its Data Processing System/s, and designated its Data Protection Officer. It shows that the PIC has duly complied with the primary requirements of the Commission, enabling a more efficient compliance monitoring process and upholding the exercise of data subject rights under the DPA.
Section 32 of NPC Circular No. 2022-04 mandates the display of the Seal of Registration in the most conspicuous place to ensure visibility to all data subjects. A PIC is also required to display the Seal of Registration on its main website or, for global websites, at least on the webpage specifically pertaining to the Philippines.
The NPCRS and Seal of Registration have increased awareness and understanding of the data privacy rights of data subjects and of the role of PICs in promoting and ensuring accountability and transparency.