Data protection record of processing activities and privacy notice generator toolkit by EMBL’s European Bioinformatics Institute

Abstract

EMBL-EBI, Europe's biomolecular data hub, is a world leader in managing and analysing big data in biology and making it freely available to scientists worldwide. Researchers can access the open data resources and related services of EMBL-EBI by submitting minimal personal data. In May 2018, following the enforcement of the European Data Protection Regulation (GDPR), EMBL adopted the EMBL Internal Policy no. 68 on General Data Protection. It reflects European data protection principles while remaining within the bounds of EMBL's international legal status. As a result of GDPR and EMBL's Internal Policy No. 68 coming into force, 190 EMBL-EBI user-facing services that processed personal data in 2018 were required to have Records of Processing Activities (RoPA) and Privacy Notices (PN). EMBL-EBI's solution was to develop a Data Protection Engine (DPE) that automatically generates RoPA and PN when a service owner answers a series of questions. In addition to maintaining a centrally located database for RoPAs and PNs, the DPE tracks changes to the documents, as well as providing versioning and time-stamped updates. It is the aim of this article to share the EMBL-EBI IT department’s experience with designing and implementing the DPE and providing a toolkit to let others develop a similar solution and benefit from our experience. Implementation steps, benefits, challenges, opportunities, and practices are discussed and critically analysed.