As a research organization that handles personal data, we are dedicated to safeguarding the privacy of our research participants, applicants, contractors, and staff. Naturally this means complying with all data security requirements to ensure data privacy across all jurisdictions where we work. It also means adhering to best practice data security principles.
Laterite has recently completed a thorough review of its data security commitments across East and West Africa, Peru and Europe. We hope that this summary will be useful for other researchers and research organizations working in our regions.
Shared principles and data protection rights across countries
While specific requirements vary by country, most data protection laws in the countries where we work share some common principles. These include lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Equally important are the rights of research participants, often referred to as “data subjects” in legal terms. These rights include: the right to be informed about data collection and use; the right to access their personal data; the right to rectification of inaccurate data; the right to erasure (or “right to be forgotten”); the right to restrict processing; the right to data portability; the right to object to processing; and rights related to automated decision-making and profiling.
Key concepts in data security legislation
Much of the data security legislation across the countries where we work builds on the European General Data Protection Regulation (GDPR). The GDPR is widely regarded as a gold standard in data privacy and protection regulation. It enshrines several important definitions that are common across many of our countries, particularly the definitions of data controllers, data processors and Data Protection Officers.
Data Controller. A data controller is the entity that determines the purposes and means of processing personal data. In simpler terms, the controller decides ‘why’ and ‘how’ the personal data should be processed. For example, if Laterite initiated a research project and determines what data to collect and how to use it, we would be acting as a data controller.
Data Processor. A data processor is the entity that processes personal data on behalf of the controller. The processor acts on the instructions of the controller and doesn’t make decisions about how the data is used. If Laterite were contracted by another organization to collect data according to their specifications, we would be acting as a data processor.
Note: an organization can be both a controller and a processor, depending on the circumstances of each activity. This dual role is common for research organizations like ours. Accordingly, data security laws require us to clearly identify which role we’re playing for each project or data processing activity.
Data Protection Officers (DPOs). DPOs are central to ensuring compliance with data protection regulations. The GDPR and several other data protection laws mandate this role for certain types of organizations or data processing activities. A DPO is responsible for:
- ensuring compliance with data protection laws and internal policies,
- training staff and raising awareness about data protection issues,
- advising on Data Protection Impact Assessments,
- acting as a point of contact for data subjects and supervisory authorities,
- monitoring legislative changes, and
- managing responses to data breaches.
Not every country where we work requires organizations who control or process personal data to designate a DPO (see the table below for an overview). However, to make our data security practices consistent across our offices, we’re committed to following the strictest applicable data security legislation. We have therefore designated a DPO for each of our offices.
Data security requirements – cheat sheet
While many data security laws have definitions and principles in common, there are subtle differences between the legal frameworks in the countries where we operate. The cheat sheet below sums some of these up. We hope it’s a useful starting point for organizations looking to strengthen their data security strategies.