Costanza, welcome to CERN! Can you tell us a little about your professional experience prior to joining CERN?
Thank you! I'm delighted to join the ODP at CERN. I very much hope that my skills and experience in data protection, including a master's degree in intellectual property and information law at King’s College, London, and my work as a lawyer and a data protection officer, will bring valuable experience to the team. After completing my studies, I trained in an international law firm and then became a partner in a boutique law firm, focusing on data protection. As well as delivering lectures and training to data privacy specialists, I've also co-written books on data protection.
What are your first impressions of CERN and its approach to data privacy compared to other organisations?
There are necessarily some differences of approach, although one of the positive aspects of the General Data Protection Regulation (GDPR) has been to open all of our eyes to the importance and value of our own personal data. Although CERN, as an intergovernmental organisation, does not apply GDPR, it has issued Operational Circular No. 11 (OC11), which provides a valuable internal data protection framework. OC11 is inspired by the data protection legislation frameworks in many of CERN’s Member States. Also, CERN’s ultimate goal in the field of privacy is similar to most other organisations – to ensure the protection of personal data.
What do you see as your key priorities as you join the ODP?
"Awareness"
One of my key priorities will be to enhance awareness of data privacy within the CERN community.
Here's one of my favourite quotes to introduce the concept of awareness:
There are these two young fish swimming along and they happen to meet an older fish swimming the other way, who nods at them and says "Morning, boys. How's the water?" And the two young fish swim on for a bit, and then eventually one of them looks over at the other and goes "What the hell is water?"
David Foster Wallace
I think this illustrates very well how many of us feel when it comes to data privacy issues. They're all around us but too often we're simply unaware of them. However, raising awareness is not as hard as it might seem at first.
In my experience, training plays a key part in developing our collective awareness. I believe training should be based on a practical approach, rather than simply on theory, and be targeted to address the core activities of the various services at CERN. This is exactly the type of training that CERN already delivers. Also, training should be interesting and, wherever possible, fun. In other words, training should allow individuals to recognise the value of their own personal data and the need for it to be protected. CERN has already launched a successful training programme, with over 750 people having completed the online or classroom training.
"A continuous process"
There is the misperception that data protection compliance is something that can be achieved once and then put away in a drawer. It's not. It's a continuous process. In my experience, it's crucial that data privacy needs are part of the design of systems and processes and embedded in all that we do.
"Transparency"
The need for transparency is another important principle of OC11 and indeed all data protection frameworks. But what does this mean for us as data subjects? Well, it means that we have to stay informed about the processing of our personal data and the rights that we can exercise. The question that we should ask ourselves is not "Should my personal data be kept secret?" but rather "How might my personal data be used? By whom? And for what purpose?"