IMEC: Assessing and Mitigating Data Protection risk for a Large e-Learning Project

A Flanders-born R&D giant

IMEC is a world-class R&D hub for nano- and digital technologies. With firm roots in nanoelectronics, their portfolio covers a range of hardware and software technologies. Some of their applications include semiconductor technologies, robot arms for industry 4.0, nanoelectronics for space exploration and more.

Headquartered in Leuven and founded in 1984, imec now employs over 5000 employees across different countries, collectively driving annual revenue of over € 500 million.

Data Trust Associates (DTA) was involved in the i-Learn MyWay project. The project is an initiative of the Flemish government and is carried out by imec and KULeuven. Thanks to i-Learn MyWay, teachers no longer have to find their way through the enormous range of educational tools, but they have access to a wide range of high-quality tools bundled on one portal and via a single login. With these tools, they can then set up learning trajectories within the portal tailored to their students to provide personalised education and easily monitor their students’ progress.

GDPR-compliant processing of children’s personal data

The customer was in the process of designing a new personalized education platform, which would be used by a large number of schools in Flanders, resulting in the processing of a vast amount of children’s personal data. The challenge was the data protection of the children’s data in accordance with the GDPR principles.

In that respect, the Flemish Authority for Data Protection (VTC) had issued advice regarding cloud storage that takes into account the European Court of Justice’s Schrems II case. Schrems II rules that users of US-based cloud providers (such as Amazon Web Services) must take into account the data protection laws of the recipient country document its risk assessment and confer with customers.

As the i-Learn MyWay project involves especially vulnerable end-users (children), imec decided to bring in external assistance to maximally safeguard the end-users privacy.

Engagement

Data Trust Associates (DTA) was brought in to identify data protection risks related to the i-Learn MyWay project and assist in mitigating these risks to safeguard the privacy of all users, including children and teachers.

We conducted a Data Protection Impact Assessment (DPIA) to identify and tackle the risks – in line with the GDPR requirements. To gather all the necessary information, we held interviews with the project team and some of the project’s stakeholders. This group was diverse and included the schools, imec’s project manager, solution architects and of course, (representatives of) the end-users: the pupils and teachers using the application.

Based on the information gathered, Data Trust Associates (DTA) helped the project team to identify data protection risks as well as identifying mitigation measures (e.g. need to know access only, minimum personal data). As expected, the most considerable risk was that US cloud providers lack compliance with the European data protection regulation (GDPR).

As a solution, we identified several architecture alternatives – one of which was to store pseudonym and encryption keys in a European cloud provider, leaving the pseudonymised data on the US cloud platform. The alternatives were presented to the VTC in two consecutive sessions where the combination of an EU and US cloud provider was retained.

This way, the data protection risks were reduced to a minimum while still benefiting from the reduced costs, better functionalities, and more optimal infrastructure of US-based cloud providers.

Results

As a result of the DPIA and the proposed mitigation measures for improvement, imec can now provide a personalized learning platform that is in line with GDPR and implements privacy by design and safeguards the data of both pupil and teacher.

The solution we proposed in this project could also be implemented for other projects looking for alternatives to US-based cloud providers. Evidently, this shouldn’t be decided ad hoc. A case-by-case approach works best to account for inherent differences between projects and to find the optimal solution for all stakeholders.

Team

Sonja is one of our Data Protection and Data Privacy experts. She has a Master’s degree in Law as well as an LLM. Apart from her deep knowledge of Data Protection law, she also received more hands-on Data Analyst training. Because of this, she is comfortable understanding regulatory requirements’ legal and technical implications.