Category Archives: Effective Data Protection Governance

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundations blog in Sept, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective the framework is to better align responsibilities while improving overall data protection effectiveness and enabling the use of data to create value for all stakeholders. In the second release of EDPG content, a deeper look is taken at the five (5) interconnected components of the EDPG framework.

As a summary, in recent years, there has been much debate over current governance approaches and the emphasis on data collection and purpose specification. The EDPG Project recognises that BOTH collection AND data use are significant and should be part of a more mature and effective governance approach. In addition, the project contemplates considering ALL data, not just personally identifiable information.

The EDPG approach proposes new ways to think about individual participation (including consent), transparency and organisational accountability, while meeting the objectives of an effective privacy and data protection system to assure the fair use of information. It contemplates how and when meaningful control should be provided to individuals. It also recognises there are instances where the use of data should not directly involve the end user but, instead, where organisations should be subject to certain obligations that make sure the data and the individual are treated fairly and that data is properly protected.

As outlined in the Sept blog, the EDPG approach considers a full range of factors:

  • All Participants in an information ecosystem are considered, from individuals to all involved business entities and regulatory bodies.
  • All Data is considered and categorised into groups that may need different treatment.
  • The appropriate level of Identifiability for the data is considered.
  • The various Uses of each data category are taken into account.
  • The Sensitivity of the data itself and independently the sensitivity of the data use is considered.

Each one of these factors is detailed in the deeper look at the EDPG framework.

It is envisioned that the EDPG approach would be implemented in ways that would be compatible with local law. This approach would have the flexibility to make use of codes of conduct or other similar mechanisms, where appropriate.

Today’s complex information flows and data uses demand the introduction of new Obligations and a new way of thinking about Obligations for each Participant in an ecosystem. These Obligations include more flexible, innovative yet meaningful ways to engage with individuals relative to their control over data about them. The EDPG approach suggests that Data/Use/Identifiability/Sensitivity all be thought about as part of a risk identification and mitigation process that establishes what Obligations are appropriate.

A cornerstone in this approach is an “assessment”, scaled to correspond with the Data/Use/Identifiability/Sensitivity intersection as part of the product, service or application. Thus, the EDGP approach calls for expanding basic Privacy Impact Assessments to a Comprehensive Data Impact Assessment (CDIA), particularly for data intensive applications (product, service, analysis).

The goal is to better align responsibilities while improving overall data protection effectiveness.

In addition to the detailed look at the EDPG components, a proposed assessment framework is being released that fills the Comprehensive Data Impact Assessment part of the EDPG framework.

The IAF has been working internally on the EDPG Project since early 2015, and while parts of the EDPG Project are more advanced and are ready to socialise, test and refine with other stakeholders, other parts are less developed. For example, the framework component parts addressing Accountability and by extension Oversight and Enforcement and a model to address types of data impact areas that should result in additional individual engagement, are areas where more development is planned.

Over the coming months, the IAF plans on further developing, testing and socialising this approach, including exploring how the entire approach and components may fit into or support the implementation of local laws. For example, the adoption of the European GDPR, with its elements of a risk-based approach utilising enhanced accountability, is the beginning of a global change process to assure modern information processes are governed in a fashion that protects individuals while facilitating digital economies.

The testing, socialising and further development of the EDPG approach will be accomplished through dialog with multiple stakeholders who all share the same goals of enabling the generation of opportunities and benefits from information while effectively protecting individuals and considering the broad range of interests relative to its use.

EDPG Update Call

To discuss a number pf accomplishments and next steps related to the EDPG project, IAF will hold a one-hour update call on the project’s work during 28 November. The EDPG project was created as a means to mitigate a business risk related to a growing focus on data use as an integral part of business… Continue Reading

The Data Use Imperatives – Effective Data Protection Governance

We are on a cusp of many dramatically new ways to think about data and data use that will increasingly place pressure on public policy models and organisational governance. This overall challenge was introduced in our blog last month and is the cornerstone of The Information Accountability Foundation (IAF) work on an Effective Data Protection Governance… Continue Reading

Observation, Values, Effective Data Protection and Digital Accountability

We are in the midst of an explosion in the generation of observational data that feeds artificial intelligence, big data, and the operation of the ever expanding Internet of Things. In 2007, when I began working on big data, the pundits claimed we would have a doubling of data created reaching 5 Exabytes per year.… Continue Reading

IAF Background Material for Marrakech Side Event

The Information Accountability Foundation looks forward co-hosting with the Future of Privacy Forum a side event entitled “Technology, Challenges and Effective Governance”.  The session will be held at the 38th International Data Protection and Privacy Commissioners Conference in Marrakech during 18 October. To provide a better understanding of issues and questions to be discussed during… Continue Reading

IAF/FPF Side Event at ICDPPC – 18 October 2016

Technology, Challenges and Effective Governance Side Event, Co-Hosted by Future of Privacy Forum and IAF DATE: 18 October 2016 TIME: 14.15 to 16.15 LOCATION: Roseraie Room, Conference Center of the Palmeraie Golf Palace EVENT: 38th International Data Protection and Privacy Commissioners Conference ADMISSION: To register for this event, contact us at, or RSVP via… Continue Reading

EDPG Project: Enhancing Benefits from Information Flows While Improving Regulatory Certainty in a Digital Age

Today’s information ecosystems are complex and set to become even more complicated. Business, today, is making increasing use of information as a means to create new products and services and drive value creation. IoT environments offer a terrific example of this complexity as does the whole area of Big Data analytics, which can involve the… Continue Reading

Look North

Canada, from a data protection perspective, has often been the bridge between U.S. harms-based approaches to privacy and European rights-based approaches to data protection. Canada is again showing its leadership, and this time has done so in the discussion and consultation paper released by the Office of the Privacy Commissioner on 11 May  2016. The title… Continue Reading