By Vasco Rosa Dias, Data Protection Officer at INESC TEC.
“We can only see a short distance ahead, but we can see plenty there that needs to be done”.
By the end of January, INESC TEC makes available a new online training course about personal data protection, developed internally by its Data Protection Group, for the benefit of the INESC TEC community. I’d like to invite you to get to know and explore it. This resource, to be progressively updated with new contents and thematic modules useful for the Institute (e.g., focusing on the research context), follows several awareness-raising initiatives carried out over recent years, including presentations and internal training sessions, conferences, seminars and other events open to external communities, as well as workshops promoted by invited entities – in a continuous effort that we consider crucial to the dissemination of best practices and the consolidation of an internal culture which respects and promotes key values like privacy and data protection.
When we talk about values, we inevitably talk about ethics and the identity of a given organisation. While compliance and ethics are separate dimensions, they also complement each other and are deeply interrelated.
On this subject, in his 2015 Opinion – right before the approval of the European General Data Protection Regulation (GDPR) -, the European Data Protection Supervisor (EDPS) Giovani Butarelli stated that “in today’s digital environment, adherence to the law is not enough; we have to consider the ethical dimension of data processing”.
In this sense, the approval of a Code of Ethics at INESC TEC – covering, among others, the challenges posed by emerging technologies, automation and artificial intelligence – is an excellent news, and its implementation will certainly bring inestimable benefits.
Particularly since those values and culture represent an undeniable asset and an opportunity for an R&D organisation like INESC TEC to conduct research on, and contribute to shaping, our data and knowledge-based society. This is especially true in a period like the one we are going through, characterised by the fast digitalisation of the economy, in which the dual ecological and digital transition are paramount in the current EU public policies.
The road is made as you walk; and the journey we are addressing here is a continuum: for this reason, we will never be able to properly say, in the context of privacy, that the “die is cast”. In Portugal, there is a widespread notion that many organisations, both public and private, are still struggling and facing significant difficulties in adapting to the requirements of the (recent, but not so novel) European data protection legal framework and the respective national implementing legislation. In addition to the difficulties resulting from unpreparedness and the legacy of a recent past when privacy was not yet perceived as a truly critical subject among us, one could also highlight those associated with the complexity and, to be fair, a few flaws of the European regime in question.
As far as the R&D area is concerned, many have pointed out the harmful consequences of insufficient harmonisation (not only internationally, but, paradoxically, at the European level), often colliding with the needs inherent to the multicentric research that is carried out today, in Europe and internationally. Complementary legislation is still awaited and much needed at both the national and European levels, including, in the latter case, the first regulatory framework for artificial intelligence or the implementation of the so-called European Data Spaces.
Apart from such recent and future developments, it is essential, and increasingly important, that research entities seek to implement and monitor the principles of privacy by design and by default throughout the development of their projects – while considering regulatory and ethical risks that may affect research or even jeopardise its application.
I’ll end as I started, by underlying that, regardless of the sector or area of a given organisation, compliance depends, ultimately, and always, on the individual commitment (and training) of each one of us.