Effective Data Protection Governance Project

Improving Operational Efficiency and Regulatory Certainty in a Digital Age

As regulators and policymakers grapple with data-driven innovation, they seek to address not just what policy response is correct, but how organisations can and should demonstrate the governance of this data. As more and more organisations become dependent upon data use, they are at risk from how the current policy debate might be resolved. Put simply, absent a workable governance model, the risk of prohibitions on having data and making innovative uses of that data is growing, creating regulatory risk, customer trust risk and reticence risk, where information will simply not be used because decision drivers are unclear.

To address these risks, the IAF created the Effective Data Protection Governance (EDPG) Project to give focus to the full range of issues related to the legal, fair and just processing of information given the growing complexity of information ecosystems. (For an in-depth review of the project and related issues, see the paper entitled “Improving Operational Efficiency and Regulatory Certainty in a Digital Age”.) The EDPG (formerly the Holistic Governance and Policy Model Project) will conduct research to define a workable, outcome-focused framework to bring to policymakers, regulators and industry. As part of this objective, the project will provide guidance to support values-based public policy, to explain how this policy could be implemented and to define the roles of various actors.

Key project goals include:

  • Demonstration of an organisation governance framework and capability to leverage information use through effective and fair information governance systems; how a revised model can be implemented.
  • How the implementation of key information-use values (centered on innovation and fairness) can work, enabling and reflecting the dual goals of beneficial information use and effective data protection.
  • How individuals are to be protected, participate, and have appropriate and relevant control over information about them.
  • Policymaker/Regulator confidence that the dual goals of economic/societal value and enforceable data protection can be realised.
  • Guidance to inform industry and to help develop workable private-sector approaches including codes of practice.

The project is divided into three overlapping phases: (1) develop the model, (2) develop how business will implement it, (3) collaborate with policymakers, regulators and other stakeholders to demonstrate how a governance model is workable.

The EDPG approach proposes new ways to think about individual participation (including consent), transparency and organizational accountability, while meeting the objectives of an effective privacy and data protection system to assure the fair use of information. It contemplates how and when meaningful control should be provided to individuals. It also recognizes there are instances where the use of data should not directly involve the end user but, instead, where organizations should be subject to certain obligations that make sure the data and the individual are treated fairly and that data is properly protected.

As outlined in the September blog, the EDPG approach considers a full range of factors. Each one of these factors is detailed in the deeper look at the EDPG framework and an associated blog. This deeper overview includes a sample assessment decisioning process.

This project will use output from and inform other related Foundation projects, for example, the Big Data Ethical Framework, Information Accountability 2.0 and Legitimate Interests.

For more information, contact Peter Cullen at pcullen@informationaccountability.org.