A homepage section

INTRODUCTION

Responsible data sharing and re-usage

Open innovation acceleration programmes strive for the development of high impact, cutting-edge products and services. In order to bring these innovative ideas to fruition, participants are often required to share and re-use data.

It is crucial that all those involved with data sharing and re-usage within open acceleration programmes act responsibly by remaining-complaint with all applicable legal and ethical obligations (from contractual obligations to intellectual property rights). Non-compliance can have severe consequences – such as litigation and reputational damage.

The Legal and Privacy Toolkit

The Legal and Privacy Toolkit – provided by the Data Pitch programme – aims to better-position those participating in open acceleration programmes to navigate the wide-range of key legal considerations that arise in relation to data sharing and re-usage. The first version of the toolkit is available via the Data Pitch website: https://datapitch.eu/privacytoolkit/

Mapping data flows

Definition

One practical step towards legal and ethical compliance is data flow mapping. Data flow mapping is defined as: a graphical representation that charts the actual and potential movement of a (particular version of) a dataset as it is collected, managed, shared and (re)used across various data environments. A data flow map can include information such as:

  • The chain of custody pertaining to a specific dataset.
  • Planned and completed disclosure and re-usage activities.
  • The organisations and persons involved in its collection, management and re-usage.
  • Any pseudonymisation and/or anonymisation measures applied, including details of data protection impact assessments.
  • Security measures.

Key benefits

Four main reasons[1] why data flow mapping is beneficial for open acceleration programmes:

  1. Reveal gaps. Data flow mapping can help to highlight any gaps between the regulatory framework with how data are collected, managed, shared and (re)used in practice.
  2. Risk mitigation. It can draw attention to (potential) high-risk data processing activities before data are shared and re-used within an open innovation environment. It can further help to identify the appropriate technical and organisational measures required to assist with the desired level of control over a dataset.
  3. Robust decision-making. It can provide a knowledge-base for robust decision-making about if and how best to share and re-use data.
  4. Legal training. By understanding where the gaps between practice and the regulatory framework lie, open acceleration programmes can better-target the areas that require further legal training.
[1] These key benefits together with further advantages of data flow mapping appear in the following IAPP Global Summit Presentation: Kristen Knight, “Data Flow Mapping: The Good, The Bad, and The Ugly”, 7 March 2013, Washington DC. See Slide 8 https://iapp.org/media/presentations/13Summit/S13_Good_Bad_Ugly_PPT.pdf [last accessed 12 May 2018].

e-Learning Tool Overview

The purpose of this e-learning tool is to raise-awareness of the important role that data flow mapping can play in responsible data sharing and re-usage within open innovation programmes. While data flow mapping can be used as a practical approach towards legal and ethical compliance in a wide-range of areas (e.g. intellectual property law – rights management and clearance), this tool focuses on its application to data protection compliance – in particular the European General Data Protection Regulation (GDPR) <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN> .

Together with guidance information, we have designed four exercises to facilitate critical thinking around the basics of mapping data flows for GDPR-compliance. This e-learning tool is split into two parts:

PART 1 – Understanding the data spectrum

Before we examine the basics of data flow mapping, it is crucial that we first understand what we are mapping in terms of data protection. Only with this legal insight, we will be able to create useful data flow maps. Part 1 therefore focuses on three main areas for concern:

  1. How personal and non-personal data are legally-defined.
  2. The types of processing are considered as likely to be a high-risk under the GDPR.
  3. The different types and levels of measures that are required to control different processing activities.

PART 2 – The basics of mapping data flows

Part 2 then focuses on a couple of useful, practical approaches to data flow mapping. You will be asked to create some sketches of data flow maps based on fictional scenarios.

We hope that this workshop will either help to better or re-affirm your understanding of the basics of data flow mapping as part of an overall approach to GDPR-compliance. 

Please note: This e-learning tool is still a prototype. We would be grateful for any feedback you may have.

Disclaimer: The content of this interactive e-learning tool does not constitute legal advice. If in doubt, you should always contact a lawyer.