Maastricht University Data Protection as a Corporate Social Responsibility (UM DPCSR) Research Project: UM DPCSR Icons Version 1.0
Paolo Balboni, Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law
Kate Francis, PhD candidate at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law
4 December 2020
Maastricht, The Netherlands
Over the past twelve months we have been working to finalize the Maastricht University Data Protection as a Corporate Social Responsibility Framework (see our first Manifesto here). An important aim of the forthcoming Framework is found in the internationally recognized principle of transparency. One of our main goals is to further sustainable and transparent data processing, stimulating the provision of comprehensive, manageable, and meaningful information to individuals. In order to accomplish this objective, however, communication and information hurdles must be overcome and the ways in which individuals are informed about processing activities that concern their data must be improved.
Based on extensive literature-based research, we have reached the conclusion that icons, together with layered privacy notices, can give users an immediate understanding that certain high-risk processing activities are taking place. We therefore set out to develop a set of data protection icons that would actively provide a signal to users, potentially making individuals more aware of what happens to their data.
During a period of two months, we worked closely with a team of designers to develop the first sketches of the five UM DPCSR Icons under Principle 2, Be transparent with citizens about the collection of their data, Rule 1, Before processing. The organization shall use icons (and sounds) for an easily visible, intelligible and clearly legible provision of information concerning the intended processing. Electronically presented icons should be machine-readable. (Recital 60 and Article 13 GDPR) which are now ready to enter the testing phase.
Testing will be carried out in the form of an online survey directed towards EU citizens age 13 and older. According to the outcome of the testing phase, further actions may be taken by the researchers and designers to improve the relevance and effectiveness of the icons for users. In their final iteration, the icons will be machine-readable. When displayed on websites, mouseovers will provide for both accessibility and comprehension of the meaning of the icon.
Five UM DPCSR Icons and mouseovers
I. Marketing Icon: Signaling to users that data processing will take place for marketing purposes
II. Fully automated processing (Art. 22 GDPR) Icon: Signaling the presence of fully automated processing to users
III. Transfer Icon: Signaling to the user that their data will be transferred abroad
IV. Data sharing in exchange for direct profit/value Icon: Signaling to the user that their data will be shared by the organization
V. Sensitive data  Icon: Signaling to the user that their sensitive data will be processed
 The Icon WG consisted of the UM researchers and a team of designers provided by Business Stakeholders Rabobank and Diennea. Many thanks to Sarah Bakir, Luuk Beursgens, Valentina Fiorendi (Visual - UX/UI Designer), Joost Haar, Fabio Masini, Michela Parziale, and Rachid Quadai for your valued input and design contributions!
 We have adopted the extended meaning of “Sensitive data” – as indicated in the Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) pages 9-10 – which includes categories of data that can also be considered as increasing the possible risk to the rights and freedoms of individuals.
NOTICE: © (2020) European Centre on Privacy and Cybersecurity (ECPC), Maastricht University) - All rights reserved. Ownership of this (electronic-)document or any portion thereof (including, without limitation, any texts, schemes, charts, diagrams, drawings, pictures, logos, icons, symbols, trademarks and/or other distinctive signs depicted herein, hereinafter “Materials”) remains vested in ECPC-Maastricht University and/or its assignors. Neither this (electronic-)document nor the Materials may be reproduced, used or otherwise made available in any manner whatsoever without the express written permission of ECPC-Maastricht University, except for the use permitted under applicable laws. ECPC-Maastricht University does not hereby authorise or endorse any different usage of the Materials