21 Feb 2023
This is a collaborative work of ENISA with the ENISA AHWG on DP Engineering, of which our Managing Partner, Maria Raphael, is a member.
In celebration of Data Protection Day on the 28th of January 2023, the European Union Agency for Cybersecurity, ENISA, published a Report in collaboration with the ENISA Ad Hoc Working Group on Data Protection Engineering. Its objective is to demonstrate how cybersecurity technologies can support personal data sharing in practice, while preserving privacy, in line with the General Data Protection Regulation (GDPR) principles.
Our managing partner, Maria Raphael, member of the ENISA AHWG on Data Protection Engineering, was one of the Contributors to the Report, amongst other exceptional experts in the field.
Undeniably, data is considered the new currency, and organisations are collecting, processing and sharing more and more data amongst different parties, in an effort to exploit new technologies and create more value for citizens and their businesses. This concept of making more data available and facilitating data sharing across borders and sectors also constitutes one of the main themes of the European Strategy for Data and of the new laws proposed and introduced, such as the Data Governance Act, the EU Data Act and the EU Health Data Space Proposal.
Data sharing can be considered as the disclosure of data to external third parties for a specific purpose. Data sharing may entail risks for the privacy of the individuals whose data is being shared, as well as economic risks for enterprises.
This report presents, through use cases, how the data protection principles embedded within the GDPR can be applied in practice by using technological solutions, such as relying on advanced cryptographic techniques, for personal data sharing that preserves privacy.
The report focuses primarily on data sharing within the health sector, when an entity directly shares data with another entity, but also discusses secondary, non-direct data sharing that takes place as part of another process or service, in cases where the data is processed through a secondary channel or entity before reaching its primary recipient. Lastly, the report also presents the various challenges, as well as possible architectural solutions, for engineering the rights of data subjects, such as the rights linked to intervenability (i.e., the right to erasure, the right to rectification, the right to object, etc.). The notion of data protection engineering, which reflects the concept of data protection-by-design prescribed in Article 25 of the GDPR, is an essential element for building a trusted sharing environment, where organisations may submit data without disclosing personal data or sensitive business information, or while disclosing personal data with an adequate level of protection.
This report aims to support policy makers, regulators and data protection practitioners and falls within ENISA’s tasks under the Cybersecurity Act (CSA) to support Member States on specific cybersecurity aspects of Union policy and law relating to data protection and privacy.
You can find the full Report of ENISA on Engineering Personal Data Sharing here