As a part of our FutureFriday+ series on April 6 focussing on data responsibility and the General Data Protection Regulation (GDPR), Josje Spierings, Monique Snijder and myself (Joanna van der Merwe) hosted a discussion on the challenges faced when implementing the changes necessary to handle data responsibly and becoming GDPR compliant. The idea was to provide a space in which these challenges could be discussed and connections made between those facing challenges and those who may have the solutions. The GDPR aims to protect the personal data of EU citizens.
The challenges of meeting the standards for data protection will be different according to the specific sector(s) in which an organisation falls and the types of data they handle. For example, one of the questions faced by our HumanityX lab in the humanitarian sector is - how do you collect, store and use data to the serve the people you are attempting to aid without putting them at risk? The ways in which they have been exploring the answers to this question can now be of some help to those trying to answer similar questions in regards to the GDPR, whether you’re working in the humanitarian sector or any other sector. Trying to solve this question together and learn from each other is more effective than everybody trying to find the solutions on their own.
During the workshop we asked people to write down the main challenges they faced or had questions about, placing them in one of the following five categories: 1) Technical, 2) Organisational - Cultural, 3) Knowledge, 4) Resources, and 5) Other. The number of challenges that were identified were numerous and broad ranging. In a blog series, of which this is the first one, I will talk about those challenges many of which were shared at the Centre and how we are going about, or have already, addressed them.
Two of the main challenges identified in the first category, technical, is establishing what constitutes Personally Identifiable Information (PII) and the hosting of data (including the physical data that is being digitised).
Identifying the boundaries of PII
When trying to identify what classifies as personal data and what does not, there are some really helpful resources already available, especially concerning data ethics and responsibility in humanitarian contexts. The European Commission provides a large amount of resources for answering this question, specifically with the aim of assisting those implementing the necessary reforms. You can find the specific answer to “What is personal data?” here. Another great resource is their data protection page where you can find their answers what to do when data is transferred outside of the European Union as well as what reforms are needed in case of PII when it comes to GDPR compliance.
There are a number of resources that provide great insight into data responsibility and vulnerable populations. Josje Spierings, the head of the Secretariat of the International Data Responsibility Group (IDRG), works on these issues within HumanityX. Although not directly related to the GDPR, the humanitarian sector has a number of lessons concerning the handling of personal data that can be used by those implementing the new regulation in their organisation. The GovLab’s (one of the IDRG members) Selected Readings on Data Responsibility on Data Responsibility, Refugees and Migration provides an annotated list of publications on this topic.The United Nations Office for the Coordination of Humanitarian Affairs (UNOCHA) published a Think Brief identifying the challenges faced by humanitarians as they attempt to integrate data responsibility into their working practices.Lastly, a personal favourite, which I keep a copy of on my desk, is the International Committee of the Red Cross (ICRC)’s Handbook on Data Protection in Humanitarian Action.
In addressing the challenge of hosting data, data minimisation is one of the key principles that we follow at the Centre. Part of achieving data minimisation is to keep questioning whether the data you have is actually necessary for the task at hand, and whether you really need it at the aggregate or personal level. Maciej Ceglowski put it really succinctly in his Haunted by Data talk when he said “Don’t collect it - If you have to collect it, don’t store it - If you have to store it, don’t keep it”. We try to keep the amount of data that we need to host to a minimum and are currently in the process of reassessing all the data which we host or process. In this review process we will be determining whether it is absolutely necessary for us to be handling this data in order to do our jobs. When working with with partners, on projects that involve data sharing (with us in particular), our policy is to ensure that the data remains hosted by the partner and we ‘go to them’, minimising the number of points at which a breach could take place.
This blog entry was written by Joanna van der Merwe, if you have any questions or comments you can reach her here.
Keep an eye out on this page for more blog posts in this series.