In the Information Accountability Foundation's blog in September, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about the obligations of each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while improving overall data protection effectiveness and enabling the use of data to create value for all stakeholders. This second release of EDPG content takes a deeper look at the five interconnected components of the EDPG framework.
By way of summary: in recent years there has been much debate over current governance approaches and their emphasis on data collection and purpose specification. The EDPG Project recognises that BOTH collection AND data use are significant and that both should be part of a more mature and effective governance approach. In addition, the project considers ALL data, not just personally identifiable information.
The EDPG approach proposes new ways to think about individual participation (including consent), transparency and organisational accountability, while meeting the objectives of an effective privacy and data protection system to assure the fair use of information. It contemplates how and when meaningful control should be provided to individuals. It also recognises there are instances where the use of data should not directly involve the end user but, instead, where organisations should be subject to certain obligations that make sure the data and the individual are treated fairly and that data is properly protected.
As outlined in the September blog, the EDPG approach considers a full range of factors:
- All Participants in an information ecosystem are considered, from individuals to all involved business entities and regulatory bodies.
- All Data is considered and categorised into groups that may need different treatment.
- The appropriate level of Identifiability for the data is considered.
- The various Uses of each data category are taken into account.
- The Sensitivity of the data itself and, independently, the sensitivity of the data use are considered.
Each one of these factors is detailed in the deeper look at the EDPG framework.
It is envisioned that the EDPG approach would be implemented in ways that would be compatible with local law. This approach would have the flexibility to make use of codes of conduct or other similar mechanisms, where appropriate.
Today’s complex information flows and data uses demand the introduction of new Obligations and a new way of thinking about Obligations for each Participant in an ecosystem. These Obligations include more flexible, innovative yet meaningful ways to engage with individuals relative to their control over data about them. The EDPG approach suggests that Data/Use/Identifiability/Sensitivity all be thought about as part of a risk identification and mitigation process that establishes what Obligations are appropriate.
A cornerstone of this approach is an “assessment”, scaled to correspond with the Data/Use/Identifiability/Sensitivity intersection of the product, service or application being assessed. Thus, the EDPG approach calls for expanding basic Privacy Impact Assessments into a Comprehensive Data Impact Assessment (CDIA), particularly for data-intensive applications (products, services, analysis).
The goal is to better align responsibilities while improving overall data protection effectiveness.
In addition to the detailed look at the EDPG components, a proposed assessment framework is being released that fills the Comprehensive Data Impact Assessment part of the EDPG framework.
The IAF has been working internally on the EDPG Project since early 2015. While parts of the EDPG Project are more advanced and are ready to socialise, test and refine with other stakeholders, other parts are less developed. For example, more development is planned for the framework components addressing Accountability (and, by extension, Oversight and Enforcement), and for a model that identifies the types of data impact that should trigger additional individual engagement.
Over the coming months, the IAF plans to further develop, test and socialise this approach, including exploring how the entire approach and its components may fit into or support the implementation of local laws. For example, the adoption of the European GDPR, with its elements of a risk-based approach built on enhanced accountability, is the beginning of a global change process to assure that modern information processes are governed in a fashion that protects individuals while facilitating digital economies.
The testing, socialising and further development of the EDPG approach will be accomplished through dialogue with multiple stakeholders who share the same goals: enabling the generation of opportunities and benefits from information while effectively protecting individuals and taking into account the broad range of interests in its use.