Entries submitted
B1 – Entry by: Information Commissioner’s Office (UK)
Description of the initiative:
The Children’s code (formally known as the Age Appropriate Design Code) is a code of practice that sets out how online services likely to be accessed by children (eg apps, online games, and social media) should protect them in the digital world.
To support businesses in complying with the code, the ICO has created:
– an award-winning design guidance that shows how to apply some of the standards in practice; and
– a best interests of the child guidance.
Why the initiative deserves to be recognised by an award?
The Children’s code has already prompted changes by industry in how it protects children’s data.
We have seen large digital economy companies applying the standards of the code to reduce or prevent children’s data being used for targeted advertising. Further improvements can be seen in safe searching, the banning of direct messaging from strangers to teens, and significant improvements in transparency information that children can understand.
The Children’s code and its innovative UX design and best interest guidance show technology companies how to design and function in a way that protects children’s rights.
It has also allowed the ICO to be a more engaged and proactive regulator, working closely with industry to guide code-related improvements, and taking a more hands-on approach to gathering evidence of conformance.
The Code has been an inspiration for similar child data protection initiatives in Europe and North America, which should help ensure that children everywhere are protected.
B2 – Entry by: Office of the Privacy Commissioner of Canada
Description of the initiative:
The RROSH Assessment Tool is an innovative automated solution to assess whether a privacy breach presents a real risk of significant harm (RROSH) to affected individuals. The Tool was developed recognizing that privacy breaches were increasing in volume and complexity, and that stakeholders were expressing challenges associated with identifying and assessing risks and harms to data subjects. The Tool is rooted in risk science principles to withstand analytical scrutiny and potential challenges.
Why the initiative deserves to be recognised by an award?
While other privacy breach reporting tools exist, the RROSH Assessment Tool takes the assessment of complex concepts to the next level. The Tool’s automation also creates efficiencies allowing for a fast and consistent determination of RROSH. Similarly, the Tool allows for the processing of a greater number of breach reports using fewer OPC investigative resources. Since mandatory breach reporting under PIPEDA came into effect in 2018, the OPC saw at one point a 700% increase in volume of breaches reported to the Office without a corresponding increase in resources. The Tool is proving effective in avoiding a backlog of unassessed breach reports.
The Tool is also providing a rich source of business intelligence, identifying trends and/or populations at greater risk. This data will also help identify industry sectors in need of targeted outreach, or topics for guidance and education.
Finally, the Tool is adaptable, and was created knowing that legislative requirements and definitions will change following law reform. As such, the Tool can be easily modified to meet the Office’s future needs, as well as those of Data Protection Authorities in other jurisdictions.
In summary, the Tool is effective, automates complex processes, creates efficiencies, standardizes assessments, is adaptable, and of critical importance to stakeholders, provides a greater level of predictability and consistency. At its core, the Tool was designed to allow for timely management of privacy breaches, thereby reducing risks and harms to affected individuals.
B3 – Entry by: Office of Data Protection, Abu Dhabi Global Market
Description of the initiative:
ADGM Office of Data Protection (“ODP”) has solved the issue of identifying Data Controllers in its jurisdiction and collecting all data protection registration fees from them through a strategic partnership with the ADGM Registrar of Companies (“Registrar”). In addition, the partnership allowed the ODP to gather insights and intelligence about the processing activities of all entities at a Controller level.
Why the initiative deserves to be recognised by an award?
The ODP’s initiative seeks to fill a gap currently impacting many data protection authorities globally. Resourcing is an issue globally impacting both new and existing authorities. Whilst many data protection laws provide the legal basis to receive fees from Controllers – the collection of the fee itself can pose an even bigger challenge. We recognised this challenge early on and sought to explore ways to address it.
This initiative aims to demonstrate that strategic partnerships such as ones with the Registrar can provide data protection authorities with an innovative opportunity for a mutual win-win with limited cost implications. Ensuring Controllers comply with their notification and fee obligation whilst establishing good relations with the Registrar of Companies has many mutual benefits. For instance:
- Transparency of statutory fees, in particular, for SMEs.
- DP notification aligned with annual renewal filing date (one-stop-shop).
- Reduces non-payment risk for entities.
- Better service experience for regulated entities (i.e., no bulk emails/letters).
Since implementing this initiative, the ODP has collected 100% of all data protection registration fees for new businesses. In addition, we have collected from approximately 98% of existing businesses which are captured through our integration into the annual renewal filing process. There are currently 4800 entities in our jurisdiction.
B4 – Entry by: Commission for personal data protection (Bulgaria)
Description of the initiative:
“GDPR in your pocket” is an innovative awareness raising software package – mobile and desktop application, designed to introduce applicable privacy legislation to citizens and small and medium-sized enterprises in an easy to use and understand way and give them practical knowledge and advice on their rights or obligations under the European Union and national law in the field of personal data protection. The application’s content is currently available in English, Italian, Bulgarian, German and French.
Why the initiative deserves to be recognised by an award?
“GDPR in your pocket” is an interactive tool aimed to facilitate businesses all over the world in demonstrating compliance with the EU legal framework. It is a reliable source of first-hand contemporary information and at the same time a free advisory tool in the field of privacy and personal data protection providing proven content about the applicable legislation. Although initially funded by the EU for its citizens and legal entities, its direct effect is global privacy, supporting businesses from North America, Africa, Asia, Australia, New Zealand and the Middle East through prompt and detailed privacy and data protection knowledge. It is delivered in a consciously developed palette of frequently used languages (next version will be the Spanish one) in order to support the efforts of SMEs when entering the EU Single Market. Added value of the solution is spread widely beyond Europe by saving significant amounts of money for consultations, legal advice, etc. potentially spent by the SMEs across the globe. The algorithm of the tool finds evidence-based solutions of key issues related to the protection of privacy and personal data. Referring to the recent dynamic technological development the proposed pioneering approach can be easily multiplied in other close knowledge areas.
B5 – Entry by: European Data Protection Supervisor (EDPS)
Description of the initiative:
The EDPS has launched a public pilot phase of two social media platforms: EU Voice and EU Video.
The two platforms are part of decentralised, free and open-source social media networks that connect users in a privacy-oriented environment, based on Mastodon and PeerTube software.
EU institutions, bodies, offices and agencies can register and interact with users on EU Voice on a micro-blogging social media and upload videos on EU Video.
Why the initiative deserves to be recognised by an award?
The EDPS promotes data protection and privacy in the field of technological development and advises on the principles of data protection by design and data protection by default.
EU Voice and EU Video demonstrate the importance for the EDPS to steer innovation and concretely provide innovative, open-source, free and privacy respectful solutions that protect the fundamental rights of citizens. At the same time, our role is to raise awareness of the need for alternative solutions at European level and to provide citizens with effective tools.
The two alternative social media platforms prioritise individuals and their rights to privacy and data protection. In concrete terms this means that EU Voice and EU Video do not rely on transfers of personal data to countries outside the European Union and the European Economic Area; there are no advertisements on the platforms; there is no profiling of individuals that may use the platforms; and the platforms are not based on algorithms that feed users with user-tailored content.
As the leader of a broader project that involves all EU institutions, bodies and agencies, the EDPS has worked in close cooperation with the European Commission to provide a friendly and secure social media environment.