Entries submitted

B1: Hellenic Data Protection Authority – Hellenic DPA
B2: Hellenic Data Protection Authority – Hellenic DPA
B3: National Commission for Informatics and Liberties – CNIL
B4: European Data Protection Supervisor – EDPS
B5: Dubai International Financial Centre
B6: Dubai International Financial Centre
B7: Dubai International Financial Centre
B8: National Privacy Commission Philippines – NPC
B9: Information Commissioner’s Office – ICO
B10: The Swedish Authority for Privacy Protection – IMY
B11: Information Commissioner’s Office – ICO
B12: Information Commissioner’s Office – ICO
B13: Information Commissioner’s Office – ICO
B14: Spanish Data Protection Authority – AEPD
B15: Information Commissioner’s Office – ICO

B1- Entry by: Hellenic Data Protection Authority -Hellenic DPA

Description of the initiative:

The Hellenic DPA developed and deployed an online compliance toolkit in order to assist the large community of SMEs with regard to GDPR compliance. In this way data controllers and processors were given the opportunity and the means to automatically create information on and records of their processing activities, procedures, data protection policies, terms of use of digital services, consent forms, data subjects’ rights forms and other compliance documents, based on a set of context-aware templates of essential documents.

The online toolkit was implemented in the context of the project “byDesign”, which received funding from the European Union’s Rights, Equality and Citizenship Programme (REC).

Why the initiative deserves to be recognised by an award?

  • The online compliance toolkit goes beyond existing tools, since it provides substantial and tangible support to data controllers by producing necessary compliance documents, going thus beyond mere information, as was mostly the practice until now.
  • The online toolkit aims to effectively assist the large community of SMEs, which have limited resources, in performing the necessary actions for achieving GDPR compliance.
  • Overall, the compliance toolkit will have a very positive impact on the compliance efforts of data controllers and processors in Greece and other Member States of EU.
  • Key figures: From the beginning of its full production phase in July 2022 until May 2023, 1468 people had accessed the tool questionnaire and 883 zip files of good practice material were generated.

View more information

B2 – Entry by: Hellenic Data Protection Authority -Hellenic DPA

Description of the initiative:

Aiming to promote the development of data protection by design compliant products and services by raising the awareness of the producers of the respective solutions (developers and other stakeholders of ICT products and services creation chain), the Hellenic DPA implemented in 2022 a comprehensive training programme and guidance documentation on Data Protection by Design. 

The training programme and the Guidance Documentation were implemented in the context of the project “byDesign”, which received funding from the European Union’s Rights, Equality and Citizenship Programme (REC).

Why the initiative deserves to be recognised by an award?

  • The training programme provided specialised knowledge and practical guidance to professionals active in ICT and new technologies in order to integrate into their products and services methodologies and modern techniques for data protection by design. It is unique in Greece and its value lies also in the fact that it is adaptable to different training methodologies.
  • The documentation provides essential guidance and explanation on key issues in data protection. It also focuses on the most crucial requirements deriving from the GDPR regarding data processing and provides practical guidance on how lawful processing may be accomplished.
  • It is a valuable tool for those involved in the development of data-friendly products and services by design that helps them: a) to become familiar with the key data protection terms; b) to learn the obligations deriving from the GDPR regarding data processing and, in particular, the required principles for a lawful processing; c) to understand the specific grounds that a processing should be based on in order to be lawful; and d) to understand the obligations, preconditions and time limitations when handling a data subject request. Furthermore, the Guidance Documentation provides knowledge on technological and organizational mechanisms to protect personal data from privacy incidents and to handle those incidents.
  • Overall, a crucial gap is filled in this important aspect of data protection.
  • The Guidance Documentation on data protection by design will be updated, whenever it is necessary, in order to incorporate changes regarding privacy-by-design methodologies, or to present new methodologies and/or tools, or even to incorporate new legal or regulatory rules.

View more information.

B3- Entry by: National Commission for Informatics and Liberties -CNIL

Description of the initiative:

The CNIL developed a possible implementation of an age-verification system that allows accessing restricted websites without sharing other personally identifiable data. This demonstrator proves that it is possible, through a third-party system, to guarantee individual identity protection as well as the principle of data minimization.

Why the initiative deserves to be recognised by an award?

Age verification is a very timely topic and we see many actors and institutions working on this topic. It is crucial to find an age verification system that could be deployed to ensure that minors do not get access to pornographic content while preserving the privacy of adults consuming adult content. Finding the right balance is a must if we don’t want the initiative to fail as it has in other countries.

In this project, both the method and the results are innovative.

Indeed, to build this project, we gathered different expertise and quickly worked with a leading cryptographic expert from the scientific community. Involving another administration was also useful to be more effective and not be the only one carrying the project nationally. Obviously, the project is open-sourced and the community is welcome to contribute.

In the end, we had to use an innovative approach combining different cryptographic tools to address a very specific problem. To the best of our knowledge, this project is the first to propose such a solution to age verification systems. Thanks to the cryptographic mechanism at play, the privacy of the user is preserved: the adult website just knows that the visitor is 18, the third party does not know which website is visited.

This project was then picked by the government to push for privacy preserving age verification systems.

View more information

 

B4- Entry by: European Data Protection Supervisor – EDPS

Description of the initiative:

The TechSonar project answers the following question: which technologies are worth monitoring today in order to be prepared for a more sustainable digital future? To this end, the EDPS designed a shared public methodology. On a yearly basis, our analysts put together data and internal collective intelligence to gather “weak signals” and trends that will unfold in the near future, with a preliminary analysis in terms of positive and negative impacts on data protection.

Why the initiative deserves to be recognised by an award?

TechSonar deserves the award for several reasons.

Firstly, it is the first European initiative that bridges the gap between data protection and strategic forecasting, foresight, and future studies. By combining these fields, it establishes a unique and comprehensive approach to addressing future technological challenges.

Secondly, TechSonar achieves dual outcomes, simultaneously increasing awareness of future technologies and enhancing the efficiency of the authority. By proactively staying informed about emerging trends and potential risks, the project ensures that the authority remains well-prepared and able to adapt swiftly to changing circumstances.

Furthermore, what sets TechSonar apart is its innovative utilization of internal resources within European institutions to tap into vast databases. By harnessing these resources, the project has been able to conduct detailed and comprehensive analyses on a wide range of information, enabling more accurate processing and forecasting of future technological trends. This original approach showcases TechSonar’s ability to maximize available resources and achieve high-level results through an efficient and sustainable approach.

Finally, TechSonar fosters an anticipatory mindset within the organization, making processes more agile and future-proof. By encouraging a proactive approach to identifying and analyzing technological developments, the project enables the authority to make well-informed decisions and effectively navigate the rapidly evolving landscape.

View more information.

 

B5- Entry by: Dubai International Financial Centre 

Description of the initiative:

In an attempt to creatively address several issues that DIFC entities would face with implementing model clauses, the Commissioner’s Office has:

  1. Compared / combined EU SCCs modules and blended them with UK IDTA obligations, to eliminate risk and redundancy.
  2. Created a link to the DIFC, EU and UK SCCs as the primary options for DIFC exporters and importers.
  3. Prepared Article 24 suggested clauses and updating regulations to enforce them.

Why the initiative deserves to be recognised by an award?

The initiative is worthy of an award because it is yet another part of a holistic, multi-faceted supervisory function undertaken by the DIFC DP Commissioner’s Office.

Making the use of the SCCs simpler and more effective, while containing risk and helping individuals learn at the same time why these clauses are important and required meets the primary objectives of the DIFC Commissioner’s Office.  The feedback on the combined SCCs

View more information.

B6- Entry by: Dubai International Financial Centre 

Description of the initiative:

DIFC developed the Ethical Data Management Risk Index (EDMRI) and EDMRI+ in 2020, completing the research in 2022 and launching in August 2022.  EDMRI looks beyond equivalence in jurisdictions, and digs into propensity for compliance through a risk index, published as guidance, and with a due diligence tool to support outcomes based risk assessments for exporters to “know their importer”.  It aims to reduce “Privacy Corruption”.

Why the initiative deserves to be recognised by an award?

It is a one of a kind tool that sets out risk from the regulator’s view, with an abundance of information above the jurisdiction, but also how to address the risks.  DIFC created it as a tool that in our view most closely addresses a fundamental issue in the Schrems cases – how much trust do you have in your importer in a place where there may be significant “privacy corruption”?

View more information.

B7- Entry by: Dubai International Financial Centre 

Description of the initiative:

DIFC consulted in November 2022 on the concept of multi-lateral “adequacy” through AI-based principles, derived on the basis of DIFC proposed AI regulations. A project is underway to build a platform that will, in real time, using advanced generative technology, create a consortium environment to inform regulators and controllers / processors of the current compliance and supervisory status in any given jurisdiction.

Why the initiative deserves to be recognised by an award?

It is a one of a kind project that sets out to tackle data flows with trust in a way that reduces the unilateral or bilateral nature of transfer mechanism while keying in on “Schrems” related issues.

View more information

B8- Entry by: National Privacy Commission Philippines -NPC

Description of the initiative:

The Data Breach Notification Management System is a custom-built, web-based application developed for managing Data Breach Notifications and Annual Security Incident Reports received by the Commission. It provides an efficient manner of receiving and evaluating notifications through an assessment tool for Personal Information Controllers as well as real-time updates of status of these cases through notifications via emails and the System. It also provides for real time transmittal of evaluation reports for review and approval.

Why the initiative deserves to be recognised by an award?

The Data Breach Notification Management System (“DBNMS”) deserves to be recognized as it embodies privacy principles and considers, as paramount, the interest of data subjects especially those affected by security incidents.

Since its development, the DBNMS has been following industry best practices in privacy and software development such as Privacy by Design and DevSecOps. Hence, the implementation of user-based access controls and system-generated email coupled with in-app notification to prevent security incidents related to emails.

The DBNMS also ensures continuity of the service rendered by the National Privacy Commission even in case of health and other national emergencies by providing an online mechanism for reporting and evaluation. Moreover, the DBNMS has increased awareness and understanding on data breach and security incident reporting through the tools provided to its users.

It also increased the efficiency and effectiveness of reporting by ensuring that notifications are submitted completely and only those that are required to be notified are submitted to the Commission. Hence, the burden of weeding out invalid notifications is done away with.

Lastly, the efficient generation of data through the system will make it easier for the Commission to come up with better standards on privacy that ultimately protect the data subjects.

 View more information.

B9- Entry by: Information Commissioner’s Office -ICO

Description of the initiative:

The ICO’s Technology Department published draft guidance on Privacy Enhancing Technologies (PETs) in September 2022 helping organisations unlock the potential of data using a data protection by design approach.

The ICO Innovation Hub with support from the Technology Department acted as data protection mentors for participating teams in the UK-US PETs Prize Challenges.

Using insights gathered from the prize challenges, the final version of our ground-breaking PETs guidance will be published in June 2023.

Why the initiative deserves to be recognised by an award?

The PETs guidance and the Hub’s work in the prize challenges have increased industry’s understanding of how to develop privacy enhancing solutions by putting a data protection by design approach into practice. Our work has given industry regulatory certainty about how to develop end to end privacy preserving solutions and this will protect individuals from harm.

The ICO PETs guidance is the first of its kind from any data protection authority, both in Europe and worldwide. The guidance is a valuable resource for DPOs within organisations who would like to learn more about how PETs provide protection and how they can be used to reduce risks and aid compliance with the UK GDPR. Additionally, the ICO will be publishing PETs case studies to demonstrate how PETs can be used to process personal data while mitigating the risks to individuals. These case studies will be informed by the insights we have gathered during the prize challenges.

View more information

B10- Entry by: The Swedish Authority for Privacy Protection – IMY 

Description of the initiative:

IMY is providing guidance and support to innovators on privacy and data protection matters. This is a permanent part of our organisation, with dedicated budget and resources working at our “innovation hub”.

The activities include:

  • A regulatory sandbox, where innovators get in-depth, dialogue-based guidance which is later on presented in public exit reports.
  • Learning activities, such as webinars, lectures and dedicated information on our website
  • Extensive stakeholder cooperation with academia, tech organizations and the public sector.

Why the initiative deserves to be recognised by an award?

A sustainable digitalization requires innovation stakeholders who develop new technology and services with strong data protection and privacy by default. We note that there is often insecurity in how to reconcile innovation with the rules in the GDPR. It is therefore an important part of our work to give guidance and support to innovation stakeholders on these matters.

We are developing a broad spectrum of channels, projects and co-creation practises, involving stakeholders in identifying the needs and using different formats. Our work is getting very positive feedback from innovators. We have made it a permanent, ambitious part of our authority, with its own budget and resources.

Our work is guided by the OECD’s principles for innovation in the public sector. We appreciate the multifaceted nature of innovation processes and stakeholders and have taken on a systemic portfolio approach in establishing long term partnerships with academia, public, private and not-for-profit organisations.

We also recognise the learning that comes from exploration and appreciate the development for our staff and our agency that comes from this approach.

View more information

B11- Entry by: Information Commissioner’s Office – ICO

Description of the initiative:

The ICO’s inaugural Tech Horizons Report examines the privacy implications of some of the most significant technologies we expect to emerge in the next two to five years.

This report, which specifically looks at consumer healthtech, next generation IoT, immersive technologies and decentralised finance, is the product of a rigorous horizon scan process and aims to put the ICO, and regulators and policymakers more generally, in a strong position to respond to rapid technological change.

Why the initiative deserves to be recognised by an award?

The report is an example of the ICO’s dedication to rigorous foresight methods, which will help it to be a more effective regulator in the face of ever accelerating innovation and technological change.

Our extensive engagement with third parties over the course of the report’s composition demonstrates the ICO is an outward looking regulator and evidences its willingness to engage with a wide range of stakeholders to inform its work, and commitment to empowering the public through information.

The report offered valuable information and analysis about new technologies and their possible privacy implications, especially for the most vulnerable groups in society. It opened up the public discussions about likely technological developments and their potential impact on our privacy through accessible language, style and format. The report also offered value to data controllers and businesses by offering advice on how innovators might meet their data protection obligations whilst continuing to innovate.

The report also set the stage for further futures-based public and stakeholder engagement, including through a second edition of the report, which will be released later this year. The ICO will continue to analyse emerging trends in technology to ensure it stays at the forefront of these key developments.

View more information.

 

B12- Entry by: Information Commissioner’s Office – ICO

Description of the initiative:

The Information Commissioner’s Office (ICO) has produced a landmark report which warns that newly emerging neurotechnologies risk discriminating against the most vulnerable in society if people are not put at the heart of its development. The report predicts that the use of technology to monitor neurodata, the information coming directly from the brain and nervous system, will become widespread over the next decade. Without appropriate testing and development, neurotech risks being embedded with inherent biases.

Why the initiative deserves to be recognised by an award?

This initiative represents the cutting edge of foresight in data protection and privacy. As an industry, neurotechnology may be in its early stages, however that is set to change over the next decade.

The processing of neurodata is potentially extremely sensitive and impactful and may represent an unprecedented level of intrusion into individuals’ lives. This is why the neurotechnology report is so important. By highlighting potential concerns in new and developing technologies, those developing them are made aware of challenges and obligations at the earliest possible stage. It means that developers factor in data protection by design and alerts them to the possibilities of systemic biases ahead of those becoming ingrained into products and services, particularly where processing is undertaken automatically.

The report is also important in beginning to inform the public of the potential benefits and challenges of neurotechnology, and to open the conversation with them about the processing of neurodata. As such, the initiative marks the start, rather than the end of the ICO’s work on neurotechnology. It will form the basis of ongoing conversations with critical stakeholders, and the kernel of developing specific neurodata guidance.

View more information.

B13- Entry by: Information Commissioner’s Office – ICO

Description of the initiative:

As an example of its commitment to proactive data protection output, the ICO’s Biometrics Technologies twin Insight and Foresight reports support businesses and organisations at the development stage of novel biometrics products and services. They provide an understanding of what processing biometric data might encompass in the future, as well as insight for organisations to assess the public risks of using these technologies before implementation.

Why the initiative deserves to be recognised by an award?

The ICO’s foresight programme is designed to enable the ICO to be a more effective and proactive regulator, supporting innovation. This initiative is one of the first outputs from that process, and demonstrates the ICO’s commitment to empowering organisations and the  public through information.

Looking beyond current legislation and technology deployments, this initiative marks an important inflection point in the processing of biometric data. The ICO’s biometrics technology reports seek to arm organisations with the tools they need to begin future biometric processing in a manner compliant with current UK GDPR and best practice. Additionally, where novel technologies are unproven, but carry potentially high risk of harm, the report raises concerns around how those data should be used, particularly in processing which is automated.

The insight report details types, modalities and contexts of data which might and might not be considered biometric data under UK GDPR.

Considering possible futures, the foresight report projects the potential rewards and challenges of biometric processing through scenario-based foresight.

Approaching biometric data processing ahead of that processing taking place not only enables organisations to understand their obligations before implementation but gives other DPAs foundations for their own work in this area.

View more information.

B14- Entry by: Spanish Data Protection Authority – AEPD

Description of the initiative:

IMY is providing guidance and support to innovators on privacy and data protection matters. This is a permanent part of our organisation, with dedicated budget and resources working at our “innovation hub”.

The activities include:

  • A regulatory sandbox, where innovators get in-depth, dialogue-based guidance which is later on presented in public exit reports.
  • Learning activities, such as webinars, lectures and dedicated information on our website
  • Extensive stakeholder cooperation with academia, tech organizations and the public sector.

Why the initiative deserves to be recognised by an award?

A sustainable digitalization requires innovation stakeholders who develop new technology and services with strong data protection and privacy by default. We note that there is often insecurity in how to reconcile innovation with the rules in the GDPR. It is therefore an important part of our work to give guidance and support to innovation stakeholders on these matters.

We are developing a broad spectrum of channels, projects and co-creation practises, involving stakeholders in identifying the needs and using different formats. Our work is getting very positive feedback from innovators. We have made it a permanent, ambitious part of our authority, with its own budget and resources.

Our work is guided by the OECD’s principles for innovation in the public sector. We appreciate the multifaceted nature of innovation processes and stakeholders and have taken on a systemic portfolio approach in establishing long term partnerships with academia, public, private and not-for-profit organisations.

We also recognise the learning that comes from exploration and appreciate the development for our staff and our agency that comes from this approach.

View more information.

B15- Entry by: Information Commissioner’s Office – ICO

Description of the initiative:

Innovation Advice is a dedicated service to provide direct, bespoke, and fast advice. The service is available to any organisation, of any size, during the design phase of their project, where they are looking to innovate with personal data.

The service offers organisations the opportunity to consult with the ICO directly, to receive assured regulatory advice in response to a question they have about compliance with the legislation.

Why the initiative deserves to be recognised by an award?

In identifying and delivering a service that has been sought by UK enterprises, the ICO recognises the value in providing support to new and emerging projects that underpin the use of personal data in driving the economy through innovation.

By listening and evolving to the market requirements, the ICO is setting the standard in taking a ‘whole economy’ approach to regulation and evolving to adapt to the needs of our customers in their desire to grow.

The Innovation Advice service is a leading example in the ICO’s deployment of its knowledge and experience to assist project developers. In offering a range of services to suit different needs, the ICO continues to demonstrate that regulatory oversight should include a partnership approach that promotes and shares best practice, building in good data protection practice from the start.

View more information