GDPR: Challenges and Opportunities in Innovation

What does your job as the Data Protection Officer at the Centre for Innovation entail?

The introduction of GDPR laws has provided a framework to ensuring that individuals’ data protection is taken into consideration in the innovation industry. However, given the fast-changing environment surrounding data, its potential uses, and with the ever-increasing disruptions that accompany new technologies, a data protection officer needs to remain on top of developments as well as what new applications of data become possible overnight.

My work entails making sure that the Centre for Innovation is not only compliant with the GDPR framework but also working towards a level of data responsibility that may be outside of the requirements of this law. And part of what makes my work interesting is I have to do this in a cross-sectoral way when creating new innovations in Higher Education, the workplace, and in the humanitarian sector. In setting a vision based on principles of data responsibility and putting people first in a digital age, my job is to align implementation of projects at Centre for Innovation with our privacy policy as well as explore how new technologies will challenge existing views on data protection.

Of course this can only be achieved through exploration of how data protection is evolving in terms of relevant societal, political, legal, and technical trends and developments. That way we prepare Leiden University for a future that is digital.

How do you see compliance and regulatory responsibilities as much more than the narrow compliance requirements of the GDPR?

We see data protection and the GDPR as a part of the broader picture of what we refer to as data responsibility. At the Centre for Innovation we run projects that use data to achieve goals in the peace and justice and the humanitarian sector. In our work, especially with the former International Data Responsibility Group, we had familiarised ourselves with principles that are included under the GDPR.

Our experience in this field equipped us with the knowledge about potential dangers addressed by such GDPR principles, and also with the challenges posed in trying to practically implement such principles. Now we are in the process of formaliSing these practices within the organisation.

The GDPR is a piece of legislation that gives us a solid foundation off of which to build our discussion, but it is a piece of a larger data responsibility puzzle which entails factors which are ethical, technical, legal, governance, processes, capacity and learning. Most importantly, our vision prioritises people first in a digital age, and that highlights the other pieces of the puzzle to achieve data responsibility, namely capacity in terms of people, learning through networking with experts, and  ethical considerations.

Can you talk about some of the challenges, innovations and success stories in strategic responses to GDPR?

The intersection of innovations and challenges is exactly where my job lies – assisting the Centre in using innovation in order overcome challenges but also overcoming challenges in order to enable innovation. Some of the challenges we currently see include, and this list is far from exhaustive:

• Digital literacy
• Navigating data protection/privacy frameworks – regional legislation, international frameworks, institutional policies, state laws etc.
• Recognising that what compliance looks like is not static – being compliant today does not mean being compliant tomorrow – especially with the complexity of emerging technologies and the speed at which technology evolves
• Aligning of business models (especially from different sectors) and how to manage partnerships in light of these differences
• Mapping of risk, such as:
  • Technical
  • Reputational
  • Operational
  • Metadata – we are currently working on exploring the relationship between metadata and the privacy of individuals and groups – this is where I think research needs to go next
  • Guidance – weeding out the ‘hype’ advice that surrounds GDPR and finding the real advice and looking outside of your sector for ideas and recommendations
  • Differentiating between the capabilities that only data privacy/protection experts need versus what capabilities all employees need
  • How to teach data responsibility and ensure that teaching takes into account ever changing data protection requirements

One of the main innovation that I see when it comes to GDPR is the essence of what a Data Protection Officer should be. A lot of the elements I listed above as making up data responsibility tend to be in silos in an organisation, and the experts from each area tend to speak their own language. I think the idea of the Data Protection Officer as an ambassador who can speak all these languages and understand how an organisation can implement and facilitate each of the viewpoints can not only enhance on organisation ability to provide a high level of data protection but also enable innovation.