GDPR and Protection of Personal Data in Horizon 2020 and
Horizon Europe: a Case Study for Research Managers and
Administrators
Lorenzo Mannella
My profile
Current position
• Project manager at UNIBO
• Focus on post-award, ethics
Past experience
• Proposal writing (SC2, BBI)
• Freelance science writer
Background
• MA in Science Communication
• MSc in Plant Biotechnology
Lorenzo Mannella, @Loremann
Our goals
• Explore a fictional H2020/HEU project with research activities processing personal data
• Check compliance of research activities with the General Data Protection Regulation (GDPR)
• Beyond the case study: discuss best practices (Q&A) and collect feedback from participants
CrimeWords
(a fictional project)
• 9 international partners analysing stereotypes in criminal trials and related news media
• Research based on algorithms analysing language nuances of media products and confidential criminal records
• Third parties provide access to datasets and confidential records
• We are the Coordinator’s project manager
The Consortium
• Project Coordinator: IT
• Partners storing research data: IE, UK
• Partners processing personal data and partners handling web/social media data: FI, PL and DE, ES, FR, DK (the diagram pairs each of these two groups with one of the two country sets)
The manager’s checklist
• Read and understand the DoA
• Meet with the research team
• Comply with H2020/HEU rules
• Contact Legal Office and DPO
• Draft and submit deliverables
• Monitor activities
• Draft and submit reports
• Predict the future
The best case scenario
• Data subjects will give consent
• Police and Court will mail confidential information
• Personal data collected, digitalised, stored and processed on the University’s premises despite COVID-19
• Only anonymous data will be published
Handling personal data
The Research (data-flow sketch): criminal records and web data feed the algorithms, which produce the results.
Data management plan
No personal data to external cloud services

Data                               Storage                      Access
Original criminal records          Locked cabinet               Each PI has keys
Scanned criminal records           University servers (LAN)     Restricted to research group
Transcription of criminal records  Researchers’ laptop/tablet   Restricted to device owner
Pseudonymised criminal records     Consortium private network   Restricted to project partners
Aggregated data                    Public                       Public
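The "pseudonymised criminal records" stage, the only copy of the records that leaves a partner's LAN for the consortium network, is where a technical measure in the sense of Article 32 actually has to be implemented. The Python below is an added example, not code from the presentation or from any of the institutions it mentions; it assumes the Coordinator holds one project secret key outside the shared dataset, and the records and names in it are constructed. It shows keyed pseudonymisation with HMAC-SHA256, why the same person keeps one token across partners' files, and why a plain hash of a name is not pseudonymisation: anyone with a list of candidate names recovers it.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records (fictional; only "Mr Orange" echoes the case study).
SAMPLE_RECORDS = [
    {"case_id": "IT-2019-0412", "defendant": "Mr Orange",
     "text": "Mr Orange was charged with fraud; the court described Mr Orange as..."},
    {"case_id": "IT-2019-0413", "defendant": "Ms Pink",
     "text": "Ms Pink appeared before the same court."},
    {"case_id": "DE-2020-0077", "defendant": "Mr Orange",
     "text": "Second proceeding against Mr Orange in Germany."},
]


def pseudonymise_subject(name, key):
    """Map a natural name to a stable token with HMAC-SHA256 under the project key.

    Whitespace and case are normalised first so that 'MR  orange' and
    'Mr Orange' yield the same token and records of one person can still be
    linked across partners. Without `key` the token cannot be recomputed.
    """
    normalised = " ".join(name.casefold().split())
    tag = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()
    return "SUBJ-" + tag[:16]


def pseudonymise_record(record, key):
    """Return a copy of the record with the defendant replaced in every field."""
    token = pseudonymise_subject(record["defendant"], key)
    pattern = re.compile(re.escape(record["defendant"]), re.IGNORECASE)
    return {
        "case_id": record["case_id"],
        "defendant": token,
        "text": pattern.sub(token, record["text"]),
    }


def pseudonymise_dataset(records, key):
    """The only form of the records that travels to the consortium private network."""
    return [pseudonymise_record(r, key) for r in records]


def unkeyed_hash(name):
    """The naive approach this example warns against: a plain SHA-256 of the name."""
    normalised = " ".join(name.casefold().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def reidentify(token, candidates, key=None):
    """Dictionary attack: recompute the token for each candidate name.

    key=None models an outsider testing unkeyed hashes; any other value models
    someone holding (or guessing) the project key. Returns the name or None.
    """
    for name in candidates:
        guess = unkeyed_hash(name) if key is None else pseudonymise_subject(name, key)
        if hmac.compare_digest(guess, token):
            return name
    return None


if __name__ == "__main__":
    project_key = secrets.token_bytes(32)  # kept by the Coordinator, never shared
    for row in pseudonymise_dataset(SAMPLE_RECORDS, project_key):
        print(row)
    names = ["Ms Pink", "Mr Orange"]
    print(reidentify(unkeyed_hash("Mr Orange"), names))                    # recovered
    print(reidentify(pseudonymise_subject("Mr Orange", project_key), names))  # None
```

Re-identification by whoever holds the key is possible by design, which is exactly why the GDPR still treats pseudonymised data as personal data and why, in the plan above, the key has to stay with the Coordinator rather than travel with the dataset.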
Everything goes well
• Rights of data subjects are enforced
• Project partners deliver great results and make an impact
• Researchers and manager successfully archive the project and look forward to new opportunities
CrimeWords succeeds
The worst case scenario
• Brexit disrupts data flow: what if the UK partner needs to test algorithms on criminal records instead of anonymous data?
• Cloud services at partner level are located in the US: what if the Privacy Shield is not valid anymore?
• A partner leaves the consortium: what if data is lost?
Issues with personal data
From: researcher@uni.edu
Sent: 23/12/2020
To: manager@uni.edu
Subject: FW:
Just recalled this email. Shall we answer that?
From: reg.office@police.gov
Sent: 10/11/2020
To: researcher1@uni.edu
Subject: R: Request for additional information
Dear Researcher,
our office reminds you that sharing sensitive personal data through an
unencrypted email account may expose individuals to risks
(unauthorized access to personal data). Concerning your request…
From: researcher@uni.edu
Sent: 08/11/2020
To: reg.office@police.gov
Subject: Request for additional information
Hi, could you provide further information on criminal
records? Some detail of Court documentation is
missing. See attached documents as an example.
Crime_record_MrOrange_scan.pdf
From: manager@uni.edu
Sent: 03/01/2021
To: reg.office@police.gov
Subject: Clarifications on previous requests
To whom it may concern,
our University ensures researchers employed on its
premises adhere to internal regulation on data
protection, section on criminal records (see pag. 134)…
UniversityPrivacyRegulation.pdf
Audit by Data Protection Authority and fining
• Findings go under the lens of the Authority
• The researcher exposed personal data by using email and third-party cloud services
The University is fined 54.000 €
GDPR infringement in the case study
The Data Protection Authority states that our University:
• has sent sensitive personal data through unencrypted email and via an open network to the Police. The University has therefore processed personal data contrary to Article 5(1)(f) and Article 32(1) and (2) of the GDPR by failing to take appropriate technical measures to ensure a level of security appropriate to the risk.
• has not reported the personal data breach to the Data Protection Authority and has not documented the circumstances surrounding the breach once the University became aware of it. The University has therefore acted in breach of Article 33(1) and (5) of the GDPR.
• in the processing of sensitive personal data in a third-party cloud service, has not taken appropriate technical and organisational measures to prevent unauthorised disclosure of or unauthorised access to personal data. The University has therefore processed personal data in breach of Article 5(1)(f) and Article 32(1) and (2) of the GDPR.
Beyond the case study
Privacy issues are (un)predictable
• it is hard to spot all of them in advance
• it is hard to convince researchers to pay attention
• other issues often prevail and privacy is deranked
• we assume they will stay frozen and forget about them
…until they explode
Gear up before the project begins
• Team up with legal and data protection officers
• Establish a set of common guidelines for data protection
• Apply privacy-by-design principles
• Set the boundary of your responsibility and know when to escalate issues
is that enough?
Let’s collect best practices
Provide your feedback by filling
out a short online survey
check this link:
https://forms.office.com/r/tU103t3Q78
or scan the QR code below
Sources
Images and icons: pixabay.com
EDPB news #1: University failed to sufficiently protect sensitive
personal data
EDPB news #2: Polish DPA: University Fined for the lack of Data
Breach Notifications
EDPB news #3: Swedish DPA: Police unlawfully used facial
recognition app
www.unibo.it
Lorenzo Mannella
Research Services Division (ARIC)
European Programmes and Projects Unit
lorenzo.mannella@unibo.it

Editor's Notes

  • #2 Hello, welcome to this session. My name is Lorenzo Mannella and I am going to present a case study for Research Managers and Administrators involved in personal data protection under post-award Horizon 2020 and Horizon Europe projects.
  • #3 Let me introduce myself. I work as Horizon 2020 project manager at the University of Bologna, where I focus on broad post-award topics such as reporting, internal communication and ethics. Before that, I was writing H2020 proposals with researchers. I have also written about researchers, as I was a freelance journalist too. That’s why I am going to use a bit of imagination here in my presentation.
  • #4 And jump directly to our goals within this presentation. We are going to talk about personal data protection in a fictional research project. That’s where imagination is going to work for us, setting fictional research activities and validating them in terms of compliance with the General Data Protection Regulation (2016/679 GDPR) – I guess you are familiar with GDPR. If not, I hope this presentation will push you to read it. If you are familiar with GDPR—well, there is no need for explanation. Let’s say you are just curious about other managers’ sorrows. Let’s help each other: I would really like to have a discussion with you on best practices to manage personal data and share some feedback with EARMA.
  • #5 Let’s introduce our fictional project: CrimeWords. Nine international partners will analyse stereotypes in criminal trials and the news. They will collect a set of research data, including personal data, and analyse them through algorithms. Third parties will share confidential data, such as criminal records, with researchers and let them draw a broader picture of common perception of justice in Europe, considering nuances and prejudices against minorities, etc. A bold, ambitious project. And we are the Coordinator’s project manager called to keep an eye on the whole thing.
  • #6 Let’s focus on the Consortium. I have summarised some roles for partners and assigned them different nationalities. Let’s assume the coordinator is Italian, just to help us empathize. The coordinator will coordinate and perform research as other partners do. A group will process personal data in different countries by collecting criminal records. A second group will process data available on the web and social media, while the third one will store research data collected by others, analyse them through algorithms and generate public results.
  • #7 Considering the consortium I have presented you, we as managers will follow a checklist and make sure everything is set and perfectly working. [LIST]… you see – rules, clearances, indicators and deadlines: it is all written there on the checklist. We stick to it but we cannot tick the last box: the real world is out there. Issues happen and our project is not immune to them.
  • #8 You know, we are managers and of course we can predict a little bit of the future ahead. In my experience, I play a «what if» game based on the DoA. What if we have to run a project that collects personal data related to criminal convictions and offences? Well, personal data processing will be based on consent, confidential data will travel by mail and once in the hands of researchers we will make sure they are handled with care despite COVID-19. At the end, only anonymous data will be published. Nice. Let’s call it «What if everything is going to be ok?».
  • #9 Everything is going to be ok if we do some background work. This is the planned data flow for our research. It is just a sketch, showing the elements we need to put together in order to deliver results and achieve goals. We have criminal records, compared to data collected from web news. Then, a set of algorithms is performing the hard work: generating results that have an impact on society. We learn something more on nuances and prejudice in the way we speak about crimes.
  • #10 Behind the previous sketch stands a complex structure, almost invisible outside of the project consortium. We help establish a data management plan shared among partners that ensures hard copies of personal data are stored securely and digital copies are stored on local servers, so researchers from each beneficiary can process data, pseudonymise it, collect it together at project level and have it analysed by algorithms before going public with aggregated data.
  • #11 Eventually, our work is successful. This is the obvious outcome of the «what if» scenario we are talking about. The research is good. The data management is good. We can turn the next page and work on something new. […] I call this: daydreaming. A positive thinking telling me what to do, like reading instructions. But, in a remote corner of my mind, stands another question: «what if everything goes wrong?».
  • #12 Yes, what if everything goes wrong? We start thinking of all possible issues out there. [LIST] Have you noticed this detail? In the best case scenario we have a checklist of to-do actions. Here in the worst case scenario we have a list of questions. A set of «what if…» nested in a wider «what if everything goes wrong?». It can go wrong this way, the other way, or the other way. So we rush to think of possible back-up plans for Brexit, US Privacy Shield and other major events. It is stressful: not because these problems are bigger than the project, but because they drain our time and attention. That is the precise moment when an unexpected issue hits us.
  • #13 Like this one. Out of the blue, possibly around Christmas time, a researcher from our University forwards us an email. Let’s take a look at it [EMAIL]. Why is the police writing about sharing criminal records via email? We established a mail-only protocol to get those documents. The frame is not that clear, so we need some time to scroll to previous messages at the bottom and find this…
  • #14 [EMAIL] … an email from our researcher containing a scan of confidential criminal records sent to the Police in November, on a Sunday, without any encryption, probably from a home or public connection. Really? I mean, the researcher was not supposed to do that. But, as managers, do we really need to worry? I am sharing this question with you right now.
  • #15 Ok, so let’s assume we just do this. We struggle during Christmas time, find some time to check our internal regulations and try to explain the situation to the Police. Our University cares about privacy, we have a set of rules to ensure data subjects’ rights are enforced, our storage protocols are strong, this was a single mistake, we sincerely apologise. It will not happen again. We promise. Done? Is that enough? No, it is not. We are missing the bigger picture. Our University is in breach and we did nothing to inform the Data Protection Authority.
  • #16 This negligence in handling personal data noticed by the Police is forwarded to the Data Protection Authority itself. The Authority organizes inspections and finds out the researcher violated GDPR by sending criminal records via unencrypted email, but also used a third-party cloud service to manage the transfer of criminal records from the workstation to the laptop at home. Our University is fined 54.000 €. Come on, really?
  • #17 Let’s focus on the infringement of GDPR articles in detail. Our researcher potentially exposed personal data. Our University discovered the violation but failed to report to the Authority and ignored risks. The audit finds out the researcher also used a third party cloud service, which was not allowed by our protocol. This «what if…» looks too bad? Is this a worst case scenario that could not possibly happen in real life? What if this is true?
  • #18 In fact, this case study is inspired by a true story. A research group at Umeå University (Sweden) requested from the police preliminary investigation reports concerning cases of male rape. When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference. The event triggered an investigation by the Swedish Data Protection Authority, showing that the research group stored over a hundred scanned preliminary investigation reports in the American cloud service Box, even though the University’s internal guidelines said special categories of data should not be stored in the cloud service in question. An administrative fine of 54.000 € was issued against the University.
  • #19 I invite you to follow the National News section of the European Data Protection Board. You will find many detailed cases of data protection issues across European companies, hospitals and research centres. It happens all the time, like to this Polish University disclosing video recording of students showing their IDs during exams...
  • #20 … or the Swedish police – some of their personnel unlawfully used a facial recognition app. No one is flawless. So, what can we learn from this case study?
  • #21 We can say privacy issues are both predictable and unpredictable at the same time. Predictable, as we know what can possibly go wrong (data is exposed, cloud service is insecure, data collections are lost). Unpredictable, as we are not able to notice all issues or lose track of them until they are exposed by a critical event. So, what can we do?
  • #22 We shall be ready even before the project begins. We are not alone in enforcing data protection, so we might want to team up with legal and data protection officers to establish guidelines in advance and explain to researchers that privacy comes first. Once we make this clear, we shall also be able to set the boundary of our responsibility and know when to escalate and involve others. It doesn’t mean «I don’t care», but «I really care a lot, and you shall too». I know, what if this slide is not telling enough? Well, what if you tell your part of the story?
  • #23 Let’s go beyond the case study, share the benefit of participating in EARMA 2021 and collect our individual best practices. We can spread our experience and knowledge, while discussing feedback from other colleagues. In a face-to-face convention we would have had a coffee together and had a chat. In this virtual session, you can take your time and visit the link published in this slide. I look forward to your questions.