Working with international organisations to lead the way in data protection

Wojciech Wiewiórowski

Generating and fostering global partnerships in the field of data protection is one of the EDPS’ strategic objectives. That is why we co-organise, on a yearly basis, a workshop dedicated to data protection within international organisations (IOs). The workshop is a forum for the exchange of experiences and views on the most pressing issues in this field faced by IOs all over the world.

I just came back from the eighth edition of the workshop, which took place under beautiful sunshine in Paris. This year, the workshop was co-organised by the EDPS and the Organisation for Economic Cooperation and Development (OECD), and I would like to thank the whole OECD team for their efficient organisation and their enthusiasm.

The size and the relevance of this event have been growing consistently since the first edition in 2005. This confirms the need for a platform for IOs to engage, share best practices and discuss unsolved dilemmas, and the increasing awareness of the importance of ensuring strong safeguards for personal data. I am pleased to note that the workshop is now seen as a regular, expected occurrence in the calendar of the data protection teams within IOs, who are willing to engage in this stock-taking exercise and to share practical solutions with one another. This year, we welcomed a record of more than 90 participants representing more than 40 different organisations.

The first panel discussion looked at the challenges posed by the use of web services and social media. As highlighted by one of the speakers, the need for a careful risk assessment is even more important when the individuals concerned belong to particularly vulnerable categories, and the “do no harm” mantra must be respected when new tools and engagement platforms are used. We also presented an overview of the most common data protection issues arising from the use of web services, such as tracking by third-party cookies, and made recommendations on how to address these issues and ensure transparency. By describing the tools we use to conduct website compliance checks, we were able to demonstrate the complexity and the importance of this issue. After all, even more than through legal compliance, we can ensure trust by showing respect for users’ rights and freedoms.

Before the end of the first day, participants had the chance to share recent updates and challenges they have been facing when developing a data protection policy in their organisations. The amount of attention and resources many organisations devote to the topic reassured me of their commitment to implementing robust data protection safeguards.

The next day, I moderated a discussion on issues arising from contractual arrangements with software providers, a topic that the EDPS has recently decided to investigate. The panellists highlighted the challenges faced both when contractual counterparts fail to implement the obligations that they have committed to and when they refuse to negotiate a data protection clause. Given the costs and complexity of any negotiation with the big service providers, there is an incentive to work together on this issue.

Another discussion concerned the open questions on personal data transfers to IOs, which the GDPR treats in the same way as countries outside the EU. The discussion was enriched by a detailed description of applicable GDPR provisions and the explanation of some viable solutions and practical examples.

The last part of the workshop was dedicated to a practical session, where issues were presented with a hands-on approach in order to share useful advice and tactics. For example: creating an inventory of data processing operations is an extremely important exercise, yet a complex one, as it requires a deep analysis of all the activities performed by the IO. A practical overview was also provided on the development of risk assessments, which should be carried out regularly during the lifecycle of a project and may be supported by existing software and tools. Lastly, the design of individual redress and oversight mechanisms is of paramount importance in order to ensure protection of individual rights while keeping in mind the specific status of IOs.

Our colleagues are working tirelessly on the development of strong safeguards for personal data within their organisations, and were keen to exchange views on present and future challenges. A key lesson from this workshop is that the development of robust data protection standards is and will continue to be a joint effort. Useful links can be created through cooperation with national DPAs and through the International Conference of Data Protection and Privacy Commissioners (ICDPPC), where IOs can apply for observer status. This year’s workshop demonstrated the commitment and innovation in the IO data protection community, and the EDPS will continue to support their efforts and offer our contribution to increasing global cooperation.