Entries submitted

C1: Hellenic Data Protection Authority – Hellenic DPA
C2: Spanish Data Protection Authority – AEPD
C3: Dubai International Financial Centre
C4: National Institute for Transparency, Access to Information and Personal Data Protection (INAI)
C5: Information Commissioner’s Office (UK)

C1- Entry by: Hellenic Data Protection Authority – Hellenic DPA

Description of the initiative:

The Hellenic DPA developed and deployed an online compliance toolkit in order to assist the large community of SMEs with regard to GDPR compliance. In this way data controllers and processors were given the opportunity and the means to automatically create information on and records of their processing activities, procedures, data protection policies, terms of use of digital services, consent forms, data subjects’ rights forms and other compliance documents, based on a set of context-aware templates of essential documents.

The online toolkit was implemented in the context of the project “byDesign”, which received funding from the European Union’s Rights, Equality and Citizenship Programme (REC).

Why the initiative deserves to be recognised by an award?

  • The online compliance toolkit goes beyond existing tools, since it provides substantial and tangible support to data controllers by producing necessary compliance documents, thus going beyond mere information, as was mostly the practice until now.
  • The online toolkit aims to effectively assist the large community of SMEs, which have limited resources, in performing the necessary actions for achieving GDPR compliance.
  • Overall, the compliance toolkit will have a very positive impact on the compliance efforts of data controllers and processors in Greece and other Member States of the EU.
  • Key figures: From the beginning of its full production phase in July 2022 until May 2023, 1468 people had accessed the tool questionnaire and 883 zip files of good practice material were generated.


C2- Entry by: Spanish Data Protection Authority – AEPD

Description of the initiative:

GESTIONA EIPD v2 (manage DPIA) is a free web tool that assists controllers/processors in keeping a record of processing activities, carries out the risk analysis of each processing, assesses the obligation/need to carry out a DPIA, and covers the whole risk management: it provides a set of measures and safeguards (organizational, legal, and technical) that could be taken to address each specific risk factor. It runs locally in the browser, stores data locally, and generates several reports.

Why the initiative deserves to be recognised by an award?

This tool allows full GDPR management of multiple processing activities to be implemented without economic expenditure. It is specifically adapted to SMEs, with a web-based interface, total confidentiality and portability.

It implements, in a practical and easy-to-understand way, the guidelines, checklist, templates, and lists released by the Spanish DPA (see below).

It implements the identification, assessment, and mitigation of the risks for the rights and freedoms in the processing of personal data that are defined in Article 35.3 GDPR, in the lists regarding Article 35.4, in the guidelines of the EDPB and in other regulations.

It allows the user to assess the duty or the recommendation to carry out DPIAs.

The user can select from a set of different safeguards that allow every specific risk factor to be managed and the residual risk to be assessed.

It also generates documentation that is not only a support to comply with the GDPR but also a useful resource for any company or professional (when dealing with low-risk processing activities such as informative and contractual clauses, etc.).


C3- Entry by: Dubai International Financial Centre

Description of the initiative:

When DIFC updated its 2007 data protection law in 2020, it built in added accountability measures to ensure that businesses processing personal data would implement robust compliance frameworks, and do so on a risk- and outcomes-based assessment. The DPO Annual Assessment (DPO AA), set out in Article 19 of the DP Law 2020, provides the automated framework to build such a framework, and provides a regulator-assessed risk register based on the DPO AA responses.

Why the initiative deserves to be recognised by an award?

The DPO Annual Assessment inspires accountability in an organisation, while creating for them a risk register that can be used to mitigate any issues identified in the responses provided. It is automated as well, so it not only makes compliance clear and detailed in terms of the breakdown of questions and details to be provided, but also makes it easy and efficient. The result is that DPOs are appointed voluntarily even where high risk processing is not undertaken. As such, the DIFC Annual Assessment fosters a culture of compliance and accountability.


C4- Entry by: National Institute for Transparency, Access to Information, and Personal Data Protection – INAI

Description of the initiative:

Since 2022, there has been the “Herramienta en línea INAI-EIPDP” (Herramienta en línea de Evaluaciones de Impacto en Materia de Protección de Datos Personales), a web application in which the entire process of the procedures related to the impact assessments on the protection of personal data can be elaborated, presented and carried out, and which provides facilities for online processing, from presentation to conclusion. Currently, it is aimed exclusively at the Mexican public sector.

Why the initiative deserves to be recognised by an award?

“Herramienta en línea INAI-EIPDP” was developed from the needs that arose from the health emergency caused by the Covid-19 pandemic, a situation which has strengthened the digitization of impact assessment processes, has contributed to the promotion of technological means and the presentation of such preventive actions, and has optimized processes and made them more efficient inside and outside the institution, in a growing digital context.

It also promotes compliance with the personal data protection standard by data controllers and encourages best practices, specifically impact assessments on the protection of personal data and accountability for such compliance.

The technological tool proposed today seeks to become not only a secure mechanism for the processing of procedures relating to impact assessments on the protection of personal data, but it is expected to be scalable to incorporate new functionalities and make use of other digital mechanisms.


C5- Entry by: Information Commissioner’s Office – ICO

Description of the initiative:

The Children’s Code Self-Assessment Risk Tool has been created with medium to large private, public and third sector organisations in mind.

This tool helps online service providers conduct their own risk assessment of how both the UK General Data Protection Regulation and the Children’s code apply in the context of their digital service and gives them practical steps to apply a proportionate and risk-based approach to ensuring children’s protection and privacy.

Why the initiative deserves to be recognised by an award?

Data sits at the heart of the digital services children use every day. From the moment a young person opens an app, plays a game or loads a website, personal data begins to be gathered. For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. The Children’s code looks to change that, not by seeking to protect children from the digital world, but by protecting them within it. This tool is an enabler for online service providers to demonstrate their accountability in the protection of children’s rights and privacy (and adherence to the code) by giving them the means to conduct their own data protection risk assessment and document the outcomes and intended mitigating actions. It also serves to highlight and support the best interests of children and is unique in its design and content. It has received very positive feedback from users, particularly in the gaming industry.
