GDPR and Protection of Personal Data in Horizon 2020 and
Horizon Europe: a Case Study for Research Managers and
Administrators
Lorenzo Mannella
My profile
Current position
• Project manager at UNIBO
• Focus on post-award, ethics
Past experience
• Proposal writing (SC2, BBI)
• Freelance science writer
Background
• MA in Science Communication
• MSc in Plant Biotechnology
Lorenzo Mannella
@Loremann
Our goals
Explore a fictional H2020/HEU
project with research activities
processing personal data
Check compliance of research
activities with the General Data
Protection Regulation (GDPR)
Beyond the case study: discuss
best practices (Q&A) and collect
feedback from participants
CrimeWords
(a fictional project)
 9 international partners analysing
stereotypes in criminal trials and
related news media
 Research based on algorithms
analysing language nuances of media
products and confidential criminal
records
 Third parties provide access to
datasets and confidential records
 We are the Coordinator’s
project manager
The Consortium
9 partners: DE, DK, ES, FI, FR, IE, IT, PL, UK
Project Coordinator: IT
Partners storing research data: IE, UK
Partners processing personal data / partners handling web/social media data: FI, PL and DE, ES, FR, DK
The manager’s checklist
 Read and understand the DoA
 Meet with the research team
 Comply with H2020/HEU rules
 Contact Legal Office and DPO
 Draft and submit deliverables
 Monitor activities
 Draft and submit reports
 Predict the future
The best case scenario
 Data subjects will give consent
 Police and Court will mail
confidential information
 Personal data collected,
digitalized, stored and
processed on University’s
premises despite COVID-19
 Only anonymous data will be
published
Handling personal data
The Research (diagram): web data and criminal records, algorithms, results
Data management plan
No personal data to
external cloud services
Data                               Storage                       Access
Original criminal records          Locked cabinet                Each PI has keys
Scanned criminal records           University servers (LAN)      Restricted to research group
Transcription of criminal records  Researchers' laptop/tablet    Restricted to device owner
Pseudonymised criminal records     Consortium private network    Restricted to project partners
Aggregated data                    Public                        Public
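The table above has one hop where a security engineer should look closely: a transcription that still names the defendant leaves the researcher's device and lands on the consortium private network as a "pseudonymised" record. The following is an added example, not code from the original slides or from UNIBO, of how that step can be done so that the pseudonym is deterministic within the project (the same person maps to the same token across documents) but cannot be recomputed or reversed by a partner who does not hold the key. Field names, the sample record and the key-handling convention (the key is generated by the PI and never placed on the consortium network) are assumptions made for the example.

```python
"""Added example (not part of the original slides): pseudonymise a transcribed
criminal record before it moves from the researcher's device to the consortium
private network.

Assumptions (hypothetical): records are dicts with the direct-identifier fields
listed in DIRECT_IDENTIFIERS; the pseudonymisation key is held by the PI only
and is never shared with project partners (GDPR Art. 4(5): the additional
information needed to re-identify must be kept separately).
"""
import hashlib
import hmac
import re
import secrets

# Fields that identify a person directly; the names are an assumption for the example.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "case_number")


def make_pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym: same input -> same token within a project.
    A plain SHA-256 of a name or case number would be reversible by anyone with a
    list of candidate names; an HMAC is not without the key."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return f"{field.upper()}_{mac.hexdigest()[:16]}"


def pseudonymise_record(key: bytes, record: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by pseudonyms
    and the same identifier values scrubbed from the free-text transcription."""
    out = dict(record)
    replacements = {}
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field]:
            token = make_pseudonym(key, field, out[field])
            replacements[out[field]] = token
            out[field] = token
    # Identifiers usually reappear inside the transcription itself, so scrub it too,
    # longest value first so a short identifier never splits a longer one.
    text = out.get("transcription", "")
    for raw, token in sorted(replacements.items(), key=lambda kv: -len(kv[0])):
        text = re.sub(re.escape(raw), token, text, flags=re.IGNORECASE)
    out["transcription"] = text
    return out


def contains_direct_identifier(original: dict, pseudonymised: dict) -> bool:
    """Release check before a record is copied to the consortium network:
    True if any original identifier value still appears anywhere in the output."""
    blob = " ".join(str(v) for v in pseudonymised.values()).lower()
    return any(
        str(original[f]).lower() in blob
        for f in DIRECT_IDENTIFIERS
        if original.get(f)
    )


# Constructed sample record for the example (fictional, reusing the deck's "Mr Orange").
SAMPLE_RECORD = {
    "name": "Mr Orange",
    "date_of_birth": "1975-03-14",
    "case_number": "RG-2019-00417",
    "court": "Tribunale di Bologna",
    "transcription": "Case RG-2019-00417: Mr Orange, born 1975-03-14, was charged with ...",
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once by the PI, stored off the shared network
    pseud = pseudonymise_record(key, SAMPLE_RECORD)
    assert not contains_direct_identifier(SAMPLE_RECORD, pseud)
    print(pseud["transcription"])
```

Two caveats a practitioner would add to the table. First, pseudonymised data is still personal data under the GDPR (Recital 26), because the PI's key makes re-identification possible; the "Consortium private network" tier therefore still needs the Article 32 measures, and only the aggregated tier can be treated as public. Second, the scrub step only removes the identifiers you enumerated: indirect identifiers in the narrative (a street, a date of the hearing, a rare profession) are not caught by this check and need a separate review before release.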
Everything goes well
 Rights of data subjects are
enforced
 Project partners deliver great
results and make an impact
 Researchers and manager
successfully archive the project
and look forward to new
opportunities
CrimeWords succeeds
The worst case scenario
 Brexit disrupts data flow: what if
the UK partner needs to test
algorithms on criminal records
instead of anonymous data?
 Cloud services at partner level
are located in the US: what if the
Privacy Shield is not valid
anymore?
 A partner leaves the consortium:
what if data is lost?
Issues with personal data
From: researcher@uni.edu
Sent: 23/12/2020
To: manager@uni.edu
Subject: FW:
Just recalled this email. Shall we answer that?
From: reg.office@police.gov
Sent: 10/11/2020
To: researcher1@uni.edu
Subject: R: Request for additional information
Dear Researcher,
our office reminds you that sharing sensitive personal data through an
unencrypted email account may expose individuals to risks
(unauthorized access to personal data). Concerning your request…
From: researcher@uni.edu
Sent: 08/11/2020
To: reg.office@police.gov
Subject: Request for additional information
Hi, could you provide further information on the criminal
records? Some details of the Court documentation are
missing. See the attached documents as an example.
Crime_record_MrOrange_scan.pdf
From: manager@uni.edu
Sent: 03/01/2021
To: reg.office@police.gov
Subject: Clarifications on previous requests
To whom it may concern,
our University ensures that researchers employed on its
premises adhere to the internal regulation on data
protection, section on criminal records (see p. 134)…
UniversityPrivacyRegulation.pdf
Audit by Data Protection
Authority and fining
 Findings go under
the lens of the
Authority
 The researcher
exposed personal
data by using email
and third party
cloud services
The University is fined 54,000 €
GDPR infringement in the case study
The Data Protection Authority states that our University:
 has sent sensitive personal data to the Police through unencrypted email and over an open
network. The University has therefore processed personal data contrary to Article 5(1)(f)
and Article 32(1) and (2) of the GDPR by failing to take appropriate technical measures to
ensure a level of security appropriate to the risk.
 has not reported the personal data breach to the Data Protection Authority (Article 33
requires notification without undue delay and, where feasible, within 72 hours of becoming
aware of it) and has not documented the circumstances of the breach once it became aware
of it. The University has therefore acted in breach of Article 33(1) and (5) of the GDPR.
 in processing sensitive personal data in a third-party cloud service, has not taken
appropriate technical and organisational measures to prevent unauthorised disclosure of or
unauthorised access to personal data. The University has therefore processed personal data
in breach of Article 5(1)(f) and Article 32(1) and (2) of the GDPR.
Beyond the case study
Privacy issues are
(un)predictable
 it is hard to spot all of them in
advance
 it is hard to convince
researchers to pay attention
 other issues often prevail and
privacy is deranked
 we assume they will stay frozen
and forget about them
…until they explode
Gear up before the
project begins
 Team up with legal and data
protection officers
 Establish a set of common
guidelines for data protection
 Apply privacy-by-design
principles
 Set the boundary of your
responsibility and know when
to escalate issues
is that enough?
Let’s collect best practices
Provide your feedback by filling
out a short online survey at this link:
https://forms.office.com/r/tU103t3Q78
Sources
Images and icons: pixabay.com
EDPB news #1: University failed to sufficiently protect sensitive
personal data
EDPB news #2: Polish DPA: University Fined for the lack of Data
Breach Notifications
EDPB news #3: Swedish DPA: Police unlawfully used facial
recognition app
www.unibo.it
Lorenzo Mannella
Research Services Division (ARIC)
European Programmes and Projects Unit
lorenzo.mannella@unibo.it

GDPR and personal data protection in EU research projects

  • 1. GDPR and Protection of Personal Data in Horizon 2020 and Horizon Europe: a Case Study for Research Managers and Administrators Lorenzo Mannella
  • 2. My profile • Project manager at UNIBO • Focus on post-award, ethics Current Position • Proposal writing (SC2, BBI) • Freelance science writer Past experience • MA in Science Communication • MSc in Plant Biotechnology Background Lorenzo Mannella @Loremann
  • 3. Heading 1 text Our goals Explore a fictional H2020/HEU project with research activities processing personal data Check compliance of research activities with the General Data Protection Regulation (GDPR) Beyond the case study: discuss best practices (Q&A) and collect feedback from participants
  • 4. CrimeWords (a fictional project)  9 international partners analysing stereotypes in criminal trials and related news media  Research based on algorithms analysing language nuances of media products and confidential criminal record  Third parties provide access to datasets and confidential records  We are the Coordinator’s project manager
  • 5. The Consortium Partners storing research data IE, UK Project Coordinator Partners processing personal data Partners handling web/social media data FI, PL DE, ES, FR, DK IT
  • 6. The manager’s checklist  Read and understand the DoA  Meet with the research team  Comply with H2020/HEU rules  Contact Legal Office and DPO  Draft and submit deliverables  Monitor activities  Draft and submit reports  Predict the future
  • 7. The best case scenario  Data subjects will give consent  Police and Court will mail confidential information  Personal data collected, digitalized, stored and processed on University’s premises despite COVID-19  Only anonymous data will be published Handling personal data
  • 9. Data management plan No personal data to external cloud services Data Storage Access Original criminal records Locked cabinet Each PI has keys Scanned criminal records University servers (LAN) Restricted to research group Transcription of criminal records Researchers’ Laptop/Tablet Restricted to device owner Pseudonymised criminal records Consortium private network Restricted to project partners Aggregated data Public Public
  • 10. Everything goes well  Rights of data subjects are enforced  Project partners deliver great results and make an impact  Researchers and manager successfully archive the project and look forward to new opportunities CrimeWords succeeds
  • 11. The worst case scenario  Brexit disrupts data flow: what if the UK partner needs to test algorithms on criminal records instead of anonymous data?  Cloud services at partner level are located in the US: what if the Privacy Shield is not valid anymore?  A partner leaves the consortium: what if data is lost? Issues with personal data
  • 12. From: researcher@uni.edu Sent: 23/12/2020 To: manager@uni.edu Subject: FW: Just recalled this email. Shall we answer that? From: reg.office@police.gov Sent: 10/11/2020 To: researcher1@uni.edu Subject: R: Request for additional information Dear Researcher, our office reminds you that sharing sensitive personal data through an unencrypted email account may expose individuals to risks (unauthorized access to personal data). Concerning your request…
  • 13. From: researcher@uni.edu Sent: 08/11/2020 To: reg.office@police.gov Subject: Request for additional information Hi, could you provide further information on criminal records? Some detail of Court documentation is missing. See attached documents as an example. Crime_record_MrOrange_scan.pdf
  • 14. From: manager@uni.edu Sent: 03/01/2021 To: reg.office@police.gov Subject: Clarifications on previous requests To whom it may concern, our University ensures researchers employed on its premises adhere to internal regulation on data protection, section on criminal records (see pag. 134)… UniversityPrivacyRegulation.pdf
  • 15. Audit by Data Protection Authority and fining  Findings go under the lens of the Authority  The researcher exposed personal data by using email and third party cloud services The University is fined for 54.000 €
  • 16. GPDR infringement in the case study The Data Protection Authority states that our University:  has sent sensitive personal data through unencrypted email and via open network to the Police. The university has therefore processed personal data in contrary to Article 5 (1) (f) and Article 32 (1) and (2) of GDPR by failing to take appropriate technical measures to ensure an appropriate level of safety in relation to the risk.  has not reported the personal data incident to the Data Protection Authority and not documented the circumstances surrounding the incident as the university became aware of it. The university has therefore acted in breach of Article 33 (1) and (5) of GDPR.  in the processing of sensitive and privacy-sensitive personal data in a third party cloud service, not have taken appropriate technical and organizational measures to prevent unauthorized disclosure of or unauthorized access to personal data. The university has therefore treated personal data in breach of Article 5 (1) (f) and Article 32 (1) and (2) of GDPR.
  • 18. Beyond a case study
  • 19. Beyond a case study
  • 20. Privacy issues are (un)predictable
   it is hard to spot all of them in advance
   it is hard to convince researchers to pay attention
   other issues often prevail and privacy is deranked
   we think they will stay frozen and forget them… until they explode
  • 21. Gear up before the project begins
   Team up with legal and data protection officers
   Establish a set of common guidelines for data protection
   Apply privacy-by-design principles
   Set the boundary of your responsibility and know when to escalate issues
  Is that enough?
  • 22. Let's collect best practices. Provide your feedback by filling out a short online survey: check this link https://forms.office.com/r/tU103t3Q78 or scan the QR code below.
  • 23. Sources
  Images and icons: pixabay.com
  EDPB news #1: University failed to sufficiently protect sensitive personal data
  EDPB news #2: Polish DPA: University Fined for the lack of Data Breach Notifications
  EDPB news #3: Swedish DPA: Police unlawfully used facial recognition app
  • 24. www.unibo.it Lorenzo Mannella Research Services Division (ARIC) European Programmes and Projects Unit lorenzo.mannella@unibo.it

Editor's Notes

  1. Hello, welcome to this session. My name is Lorenzo Mannella and I am going to present a case study for Research Managers and Administrators involved in personal data protection under post-award Horizon 2020 and Horizon Europe projects.
  2. Let me introduce myself. I work as a Horizon 2020 project manager at the University of Bologna, where I focus on broad post-award topics such as reporting, internal communication and ethics. Before that, I wrote H2020 proposals with researchers. I have also written about researchers, as I was a freelance journalist too. That's why I am going to use a bit of imagination in this presentation.
  3. Let's jump directly to our goals for this presentation. We are going to talk about personal data protection in a fictional research project. That's where imagination is going to work for us: setting up fictional research activities and validating them in terms of compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). I guess you are familiar with the GDPR. If not, I hope this presentation will push you to read it. If you are familiar with the GDPR, well, there is no need for explanation. Let's say you are just curious about other managers' sorrows. Let's help each other: I would really like to have a discussion with you on best practices to manage personal data and share some feedback with EARMA.
  4. Let's introduce our fictional project: CrimeWords. Nine international partners will analyse stereotypes in criminal trials and the news. They will collect a set of research data, including personal data, and analyse them through algorithms. Third parties will share confidential data, such as criminal records, with researchers and let them draw a broader picture of the common perception of justice in Europe, considering nuances and prejudices against minorities, etc. A bold, ambitious project. And we are the Coordinator's project manager, called to keep an eye on the whole thing.
  5. Let's focus on the Consortium. I have summarised some roles for partners and assigned them different nationalities. Let's assume the coordinator is Italian, just to help us empathize. The coordinator will coordinate and perform research as the other partners do. One group will process personal data in different countries by collecting criminal records. A second group will process data available on the web and social media, while the third one will store research data collected by the others, analyse them through algorithms and generate public results.
  6. Considering the consortium I have presented to you, we as managers will follow a checklist and make sure everything is set and working perfectly. [LIST]… You see: rules, clearances, indicators and deadlines, it is all written there on the checklist. We stick to it, but we cannot tick the last box: the real world is out there. Issues happen and our project is not immune to them.
  7. You know, we are managers and of course we can predict a little bit of the future ahead. In my experience, I play a «what if» game based on the DoA. What if we have to run a project that collects personal data related to criminal convictions and offences? Well, personal data processing will be based on consent, confidential data will travel by post (never by e-mail), and once in the hands of researchers we will make sure they are handled with care despite COVID-19. At the end, only anonymous data will be published. Nice. Let's call it «What if everything is going to be ok?».
  8. Everything is going to be ok if we do some background work. This is the planned data flow for our research. It is just a sketch, showing the elements we need to put together in order to deliver results and achieve our goals. We have criminal records, compared with data collected from web news. Then, a set of algorithms performs the hard work: generating results that have an impact on society. We learn something more about nuances and prejudice in the way we speak about crimes.
  9. Behind the previous sketch stands a complex structure, almost invisible from outside the project consortium. We help establish a data management plan shared among partners that ensures hard copies of personal data are stored securely and digital copies are stored on local servers, so researchers from each beneficiary can process data, pseudonymise it, pool it at project level and have it analysed by algorithms before going public with aggregated data. Keep in mind that pseudonymised data is still personal data under the GDPR (Article 4(5)), because the beneficiary holding the key can link it back to the data subject: the same storage and transfer rules apply to it until the results are genuinely aggregated.
  10. Eventually, our work is successful. This is the obvious outcome of the «what if» scenario we are talking about. The research is good. The data management is good. We can turn the page and work on something new. […] I call this: daydreaming. A positive way of thinking that tells me what to do, like reading instructions. But, in a remote corner of my mind, stands another question: «what if everything goes wrong?».
  11. Yes, what if everything goes wrong? We start thinking of all the possible issues out there. [LIST] Have you noticed this detail? In the best case scenario we have a checklist of to-do actions. Here in the worst case scenario we have a list of questions. A set of «what if…» nested in a wider «what if everything goes wrong?». It can go wrong this way, the other way, or the other way. So we rush to think of possible back-up plans for Brexit, the US Privacy Shield and other major events. It is stressful: not because these problems are bigger than the project, but because they drain our time and attention. That is the precise moment when an unexpected issue hits us.
  12. Like this one. Out of the blue, possibly around Christmas time, a researcher from our University forwards us an email. Let's take a look at it [EMAIL]. Why is the Police writing about sharing criminal records via email? We established a postal-mail-only protocol to get those documents. The picture is not that clear, so we need some time to scroll down to the previous messages at the bottom and find this…
  13. [EMAIL] … an email from our researcher containing a scan of confidential criminal records, sent to the Police in November, on a Sunday, without any encryption, probably from a home or public connection. Really? I mean, the researcher was not supposed to do that. But, as managers, do we really need to worry? I am sharing this question with you right now.
  14. Ok, so let's assume we just do this. We struggle during Christmas time, find some time to check our internal regulations and try to explain the situation to the Police. Our University cares about privacy, we have a set of rules to ensure data subjects' rights are enforced, our storage protocols are strong, this was a single mistake, we sincerely apologise. It will not happen again. We promise. Done? Is that enough? No, it is not. We are missing the bigger picture. Our University is in breach and we did nothing to inform the Data Protection Authority. Article 33(1) of the GDPR requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach; a month of internal clarifications with the Police does not count.
  15. This negligence in handling personal data, noticed by the Police, is forwarded to the Data Protection Authority itself. The Authority organizes inspections and finds out that the researcher violated the GDPR by sending criminal records via unencrypted email, but also used a third party cloud service to transfer criminal records from the workstation to a laptop at home. Our University is fined 54.000 €. Come on, really?
  16. Let's focus on the infringements of GDPR articles in detail. Our researcher potentially exposed personal data. Our University discovered the violation but failed to report it to the Authority and ignored the risks. The audit finds out that the researcher also used a third party cloud service, which was not allowed by our protocol. Does this «what if…» look too bad? Is this a worst case scenario that could not possibly happen in real life? What if it is true?
  17. In fact, this case study is inspired by a true story. A research group at Umeå University (Sweden) requested preliminary investigation reports concerning cases of male rape from the police. When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference. The event triggered an investigation by the Swedish Data Protection Authority, which found that the research group had stored over a hundred scanned preliminary investigation reports in the American cloud service Box, even though the University's internal guidelines said special categories of data should not be stored in the cloud service in question. An administrative fine of 54.000 € was issued against the University.
  18. I invite you to follow the National News section of the European Data Protection Board website. You will find many detailed cases of data protection issues across European companies, hospitals and research centres. It happens all the time, as with this Polish University disclosing video recordings of students showing their IDs during exams...
  19. … or the Swedish police – some of their personnel unlawfully used a facial recognition app. No one is flawless. So, what can we learn from this case study?
  20. We can say privacy issues are both predictable and unpredictable at the same time. Predictable, as we know what can possibly go wrong (data is exposed, a cloud service is insecure, data collections are lost). Unpredictable, as we are not able to notice all issues, or we lose track of them until they are exposed by a critical event. So, what can we do?
  21. We shall be ready even before the project begins. We are not alone in enforcing data protection, so we might want to team up with legal and data protection officers to establish guidelines in advance and explain to researchers that privacy comes first. Once we make this clear, we shall also be able to set the boundary of our responsibility and know when to escalate and involve others. It doesn't mean «I don't care», but «I really care a lot, and you shall too». I know, what if this slide is not telling enough? Well, what if you tell your part of the story?
  22. Let's go beyond the case study, share the benefit of participating in EARMA 2021 and collect our individual best practices. We can spread our experience and knowledge, while discussing feedback from other colleagues. In a face-to-face convention we would have had a coffee together and a chat. In this virtual session, you can take your time and visit the link published in this slide. I look forward to your questions.
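The «pseudonymise, then pool at project level» step of the data management plan (note 9) is the point where a manager can ask the research team a concrete question: how is the pseudonym derived, and who holds the key? The Python below is an added example, not code from the presentation or from any CrimeWords partner; the field names, the two sample records and the beneficiary key are constructed for illustration. It derives pseudonyms with a keyed HMAC rather than a plain hash, so the partners that receive the pooled dataset cannot re-identify a subject by hashing candidate names, while the beneficiary that keeps the key can still link back (which is exactly why, under Article 4(5) GDPR, the output is still personal data). It also checks that no direct-identifier field slips into the export; it does not inspect free text, where names inside a scanned judgment would survive untouched.

```python
import hashlib
import hmac
import secrets

# Constructed sample: two criminal records as a beneficiary might transcribe them.
# Fictional people; "text" stands for the body of the scanned judgment.
SAMPLE_RECORDS = [
    {"name": "Mr Orange", "date_of_birth": "1970-01-01", "case_number": "RG 123/2019",
     "court": "Court A", "offence": "theft", "year": 2019,
     "text": "The defendant, described by the press as ..."},
    {"name": "Ms Pink", "date_of_birth": "1985-05-05", "case_number": "RG 456/2020",
     "court": "Court B", "offence": "fraud", "year": 2020,
     "text": "The defendant ..."},
]

# Fields that identify the data subject directly and must not leave the local server.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "case_number")


def new_key() -> bytes:
    """Per-beneficiary pseudonymisation key (32 random bytes).

    Kept by the beneficiary (ideally with the DPO), stored apart from both the
    original and the pseudonymised dataset, and never shared with the partners
    that run the algorithms on the pooled data.
    """
    return secrets.token_bytes(32)


def pseudonym_for(record: dict, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifiers, truncated to 16 hex chars.

    Without the key, nobody can confirm a guess such as "is this Mr Orange?" by
    recomputing the value, which a plain SHA-256 of the name would allow.
    """
    ident = "|".join(str(record[field]) for field in DIRECT_IDENTIFIERS).encode("utf-8")
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with the direct identifiers replaced by one subject_id."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym_for(record, key)
    return out


def reidentify(subject_id: str, originals: list, key: bytes):
    """Link a pseudonym back to its source record.

    Only the key holder can do this, which is why pseudonymised data is still
    personal data under GDPR Art. 4(5). Returns None when the key does not match.
    """
    for record in originals:
        if hmac.compare_digest(pseudonym_for(record, key), subject_id):
            return record
    return None


def leaked_identifiers(records: list) -> set:
    """Pre-export check: direct-identifier fields still present in any record."""
    return {field for record in records for field in record if field in DIRECT_IDENTIFIERS}


def export_for_pooling(records: list, key: bytes) -> list:
    """Pseudonymise a beneficiary's records and refuse to export if any identifier leaks."""
    out = [pseudonymise(r, key) for r in records]
    leaked = leaked_identifiers(out)
    if leaked:
        raise ValueError(f"direct identifiers still present: {sorted(leaked)}")
    return out


if __name__ == "__main__":
    key = new_key()
    pooled = export_for_pooling(SAMPLE_RECORDS, key)
    for rec in pooled:
        print(rec["subject_id"], rec["court"], rec["offence"])
    # The beneficiary can still answer a data subject request with its key...
    print(reidentify(pooled[0]["subject_id"], SAMPLE_RECORDS, key)["name"])
    # ...while a partner holding the pooled data but a different key cannot.
    print(reidentify(pooled[0]["subject_id"], SAMPLE_RECORDS, new_key()))
```

The design choice worth explaining to the team is the key: if every partner pseudonymised with a shared project key, re-identification would be possible for all of them, and the pooled dataset would need the same protection as the originals. Keeping one key per beneficiary, stored apart from the data it protects, is what makes the local-server step of the plan meaningful.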