Fed4FIRE+ aims at establishing the largest federation of Next Generation Internet (NGI) testbeds by federating multiple testbeds. Like any other European data controller and processor, Fed4FIRE+ partners must comply with the obligations of the European General Data Protection Regulation (‘GDPR’).
Although each testbed provider has appointed its own DPO, each experimenter that uses testbeds must also comply with the GDPR if he/she/it processes personal data during the experiment. In this context, the experimenter is considered a controller under the GDPR, while the testbed provider is its processor.
Since the majority of obligations under the GDPR need to be fulfilled by the controller, experimenters must be aware of the technical and organisational measures they need to implement during their experiment. If you identify yourself as a potential controller, please see the introductory video below which provides an overview of your GDPR obligations.
Fed4FIRE+ also aims at researching how to make research infrastructures simpler, more cost-efficient, and more trustworthy. To facilitate GDPR compliance, the following solutions have been developed. They are interoperable and can be easily combined:
1) Global Data Processing Identifier Registry (DP-ID)
Under Articles 12-14 of the GDPR, controllers are required to disclose information on their data processing activities. Data Processing ID is a global registry of public information on data processing activities that enables controllers to enhance transparency and comply with this obligation by creating a unique identifier and a public record for their data processing activities (Data Processing ID or DP-ID). In addition, the DP-ID makes it possible to inform data subjects about the processing of their personal data and their rights; to facilitate the management of data processing internally and with third parties; and to use QR codes, hyperlinks (URLs), and widgets to share the required data processing information. Finally, the DP-ID can include the unique identifier of a Europrivacy certification (further analysed below) to enhance trust and give users all the information in one public registry.
2) Europrivacy certification and compliance assessment methodology
Europrivacy is a certification scheme developed through the Horizon 2020 research programme to assess and certify the compliance of data processing activities with the applicable regulations, including the GDPR. In the framework of the Fed4FIRE+ project, Europrivacy has been recommended as a compliance assessment methodology for Fed4FIRE+ testbeds.
Although certification is voluntary under the GDPR, a certification brings many benefits that should be considered in the context of Fed4FIRE+ as well. Specifically, the benefits of the Europrivacy certification scheme are:
- Prompt identification and reduction of legal and financial risks
- Demonstration of GDPR compliance (accountability principle) by an impartial, independent third party
- Trust and confidence for data subjects, B2B partners and stakeholders
- Reputation enhancement and access to market
- Easier cross-border data transfers
- Continuous compliance updates ensure long-term GDPR compliance
- Membership of a GDPR-compliant business community and Europrivacy experts
The Europrivacy certification scheme can be extended to complementary national obligations as well as to emerging technologies, giving the opportunity to tailor the scope of the scheme to meet the exact needs of the Fed4FIRE+ project. It is also aligned with ISO best practices and can be easily combined with ISO 27001 (information security management).
The Europrivacy certification is a comprehensive scheme that at this moment is under review by the EDPB under GDPR Article 42, and its opinion/approval could potentially lead it to be the first approved European certification scheme on GDPR (European data protection seal).
To be eligible for a Europrivacy certification, a DPO and a record of data processing activities are necessary, as the DPO will be the one to prepare the documentation and conformity with the Europrivacy criteria. For further information, please visit the Europrivacy website: https://europrivacy.org/