Privacy by Design –Building an inclusive digital ecosystem (EU)

25.01.2022

Projects

PROJECT SUMMARY

FIELD – Personal data protection

Project Title– Privacy by Design –Building an inclusive digital ecosystem (PD-BIDE)

Type of Contract/ Category – 2021/429-271

IPA Component/ (national or regional) -EIDHR Supporting a civil society through Country-Based Support Schemes in North Macedonia

Programming year – 2020

Lead applicant and co-applicants

Lead applicant: Metamorphosis, Foundation for Internet and Society, Skopje

Co-applicant: Association Konekt Skopje

Context/background

In the past two years, and especially after the Covid-19 outbreak, there has been a noticeable tendency of the state institutions in North Macedonia to provide more services online. However, there is no common framework and standard for institutions to develop digital services, and a variety of approaches in the deployment of new digital services is used by different institutions. There is an evident need for a model including policies, procedures and technical specifications ensuring personal data protection and security. Common to most current e-services in the Republic of North Macedonia is the absence of Privacy Impact Assessment that should assure privacy by design of the new e-services and lack of transparency that usually involves publishing of privacy policies that do not follow the minimal GDPR (General Data Protection Regulation) and national law requirements for informing the data subjects (citizens – right holders). The EC Progress report notes that most recommendations from the Personal Data Protection Agency are not fully implemented by the institutions concerned and not all laws and by-laws regulating personal data processing are submitted to the Agency before adoption.

The new Law on Personal Data Protection in North Macedonia was adopted in February 2020 being fully compliant to the GDPR. The new law came into force on August 24, 2021. Pursuant to this law all legal entities now need to align their internal procedures and policies to the new law, and the Action will aid the implementation of these measures for civil society, state institutions and the business sector.

In the transitional period, the Personal Data Protection Agency has been delivering generic trainings for legal entities, but so much in campaigns to raise citizens’ awareness on their new rights. It issued instructions on how to align the internal procedures only after the law came into force on August 24, 2021, and legal entities now need more time to perform the alignment. The new, modern regulation grants citizens more power by exercising their rights to control their data processing, and the Action will make this advantage obvious to all stakeholders.

Abstract (short project summary)

The overall objective of the action is to strengthen the awareness and capacity of citizens and civil society organizations (CSO) to competently navigate the digital environment and demand increased privacy protection while supporting responsible state institutions and other stakeholders as duty bearers to work in the service of the society and protect citizens.

More specifically, the Action will:

  1. Educate the citizens (right-holders) about their privacy rights and help them understand/avoid violations related to their personal data;
  2. Assist state institutions in mapping digital tools, developing privacy by design methodologies and creating a strong and credible data protection environment through appropriate privacy policies in compliance with the Law on Personal Data Protection and EU best practices;
  3. Build Data Protection Officers’ (duty bearers) capacities to develop and implement standards for effective protection of citizens’ privacy rights online (right-holders), especially while using e-services;
  4. Build CSO capacities to engage and competently voice their concerns about privacy and artificial intelligence -with government, law enforcement agencies and judiciary institutions as well as with businesses.

 

Overall, the project will benefit the final beneficiaries in the following way:

  • Citizens will become aware of mechanisms they can use in order to control the processing of their personal data;
  • Data Protection Officers in state institutions will gain specific knowledge based on the needs of the respective institution and future development of e-services;
  • IT professionals in state institutions will be invited in the capacity building program which will support them in adopting the principles of integrity and security of data incorporated in the GDPR and the national Law on Personal Data Protection;
  • Agency for Personal Data Protection will be provided support in the process of promotion of the importance of the new rights of the citizens;
  • State institutions presented by the Data Protection Officers will directly benefit from the Action by having their Data Protection Officers knowledge extended and improved;
  • Businesses that provide services to the government and deploy ICT infrastructure for e-services delivery will be included. The aim of the cooperation is to capacitate the businesses to include risk assessment procedures related to human rights and establish an approach in terms of crucial risks related to human rights;
  • Media –The action envisages cooperation with media for education and sensitization purposes regarding topics related to privacy and AI.

Final beneficiary – Citizens (general public); Data Protection Officers and IT professionals in state institutions; Law-enforcement officials (Agency for Personal Data Protection) and state institutions represented by the Data Protection Officers; Businesses developing e-services (for the government in particular).

Action location/s – North Macedonia

Objectives:

(S1) Educate citizens (right-holders) about their privacy rights as data subjects;

(S2) Assist state institutions in mapping digital tools, developing privacy by design methodologies and creating a strong and credible data protection environment through appropriate privacy policies in compliance with the Law on Personal Data Protection and EU best practices;

(S3) Build Data Protection Officers’ (duty bearers) capacities to develop and implement standards for effective protection of citizens’ privacy rights online (right-holders), especially while using e-services;

(S4) Build CSO capacities to engage and competently voice their concerns about privacy and artificial intelligence.

Activities:

PD-BIDE’ work is organized in eight activity clusters:

 

1) Mapping of government e-services and assessment of their compliance with the Law on Personal Data Protection;

2) Developing methodology for performing Privacy Impact Assessment for the institutions;

3) Creation of Guidebook for Data Protection Officers in state institutions;

4) Creation of an Online Privacy First Aid educational resource and response tool for CSO and tech-savvy activists to better protect themselves and the

communities they support against the most common types of data breaches;

5) Training for Data Protection Officers for the ICT challenges, artificial intelligence and risk management in regards to privacy protection;

6) Mentoring Data Protection Officers in the process of creating Privacy Policies and procedures for answering citizens’ requests;

7) Capacity building of CSO representatives, journalists and businesses on challenges and risks related to privacy protection and artificial intelligence;

8) Social Media Campaign sensitizing citizens as privacy rights holders.

Impact/Output/Result:

Outcomes:

(1) Increased awareness of citizens for the effective exercise of the rights for personal data protection;

(2) Increased capacities of a network of CSOs to protect and advance privacy;

(3) Advanced implementation of privacy-by-design principles in regards to planning and prioritizing digital services provided by state institutions;

(4) Established network of skilled Data Protection Officers in the state institutions;

(5) Improved visibility of the data protection standards implemented by the state institutions providing digital services for citizens

 

Outputs:

  • Methodology for performing Privacy Impact Assessment for institutions;
  • Guidebook for Data Protection Officers in state institutions;
  • Educational videos aimed at expanding the reach of the raising awareness campaign and the produced explanatory educational articles;
  • Explanatory articles about the privacy, GDPR, Law on Personal Data Protection and AI
  • Online Privacy First Aid – educational resource and response tool for CSO and tech-savvy activists to better protect themselves and the communities they support against the most common types of data breaches
  • Mapping of government e-services and assessment of their compliance with the Personal Data Protection Law
  • Mapping of most used e-services provided by government institutions
  • Assessment of citizen knowledge about their privacy rights
  • Assessment of civil society organizations knowledge about personal data protection rights
  • Assessment of employees of state and public institutions knowledge about personal data protection rights
  • Training seminars for Personal Data Officers
  • Business training programme
  • Cross-sector working group on Business and Human Rights
  • Targeted advocacy workshops with representatives from CSO, government, businesses, media, academia and individual citizen activists
  • Adapted internal privacy policies of institutions to respond to the Personal Data Protection Law and conducted PIA of new e-services
  • Social Media Campaign (Facebook ads, graphics design, etc.)
  • Data visualisation and graphic content for social media
  • Closing conference

Facts & Figures:

The key facts & figures relevant to the project:

  • Project duration: 18 months
  • Start date of the project: 1st of February, 2022
  • End date of the project: 31st of July, 2023

Figures

  • Cost of the action: 157,831.42 EUR
  • EU contribution: 149,940.00 EUR
  • EU contribution percentage: 95%

Final useful footnotes:

Include at the bottom of the page the following statement:

For more information: followed by an appropriate web address and contact details

http://metamorphosis.org.mk;

Contact details:

Mila Josifovska Danilovska, Programme Manager

mila@metamorphosis.org.mk,

tel.+38971385497