UM data protection as a corporate social responsibility (UM DPCSR) research project
Over the past twelve months we have been working to finalize the Maastricht University Data Protection as a Corporate Social Responsibility Framework (see our first Manifesto). An important aim of the forthcoming Framework is found in the internationally recognized principle of transparency. One of our main goals is to further sustainable and transparent data processing, stimulating the provision of comprehensive, manageable, and meaningful information to individuals. In order to accomplish this objective, however, communication and information hurdles must be overcome and the ways in which individuals are informed about processing activities that concern their data must be improved.
UM DPCSR icons version 1.0
Based on extensive literature-based research, we have reached the conclusion that icons, together with layered privacy notices, can give users an immediate understanding that certain high-risk processing activities are taking place. We therefore set out to develop a set of data protection icons that would actively provide a signal to users, potentially making individuals more aware of what happens to their data.
During a period of two months, we worked closely with a team of designers to develop the first sketches of the five UM DPCSR Icons, which are now ready to enter the testing phase. The icons fall under Principle 2, "Be transparent with citizens about the collection of their data", Rule 1, "Before processing": "The organization shall use icons (and sounds) for an easily visible, intelligible and clearly legible provision of information concerning the intended processing. Electronically presented icons should be machine-readable." (Recital 60 and Article 13 GDPR)
Testing will be carried out in the form of an online survey directed towards EU citizens aged 13 and older. According to the outcome of the testing phase, further actions may be taken by the researchers and designers to improve the relevance and effectiveness of the icons for users. In their final iteration, the icons will be machine-readable. When displayed on websites, mouseovers will provide for both accessibility and comprehension of the meaning of the icon.
Five UM DPCSR Icons and mouseovers
I. Marketing Icon: Signaling to users that data processing will take place for marketing purposes
II. Fully automated processing (Art. 22 GDPR) Icon: Signaling the presence of fully automated processing to users
III. Transfer Icon: Signaling to the user that their data will be transferred abroad
IV. Data sharing in exchange for direct profit/value Icon: Signaling to the user that their data will be shared by the organization
V. Sensitive data Icon: Signaling to the user that their sensitive data will be processed
We have adopted the extended meaning of “Sensitive data” – as indicated in the Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) pages 9-10 – which includes categories of data that can also be considered as increasing the possible risk to the rights and freedoms of individuals.
Written by Kate Francis and Paolo Balboni
Paolo Balboni is Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law. He graduated with a degree in Law from the University of Bologna (Italy) in 2001 and completed his Ph.D.