⇓ More from ICTworks

How You Can Start on Bottom-Up Data Protection Right Now

By Guest Writer on July 10, 2019

data security in rural africa

As the saying goes: in 2019, every company is a data company. Being a data company, especially an international data company, has never been more complicated. There are currently 132 countries with data privacy laws – and even more with legislation just around the corner. And with growing cyber security threats, common data breaches, and creeping corporate and government surveillance, building a “good” data company can seem overwhelming.

Being an international development organization is even harder. Humanitarian organizations often work, and attract political attention, in a wide range of contexts, all of which have different laws, cultural norms, and security threats.

Amidst all of that chaos, they still have to uphold and deliver on their mission – and data is the next frontier for how organizations operationalize their mission. And that can be very personal – most of us chose to work internationally because we believe in the mission, and we know that we’re struggling, at best, to live up to the mission in the way we use data.

For many of us, the most important thing we do with international organizations is help align the way they use data with their mission – and that starts with local control.

The Trouble with Top-Down Data Management

Companies and governments realize the need for control – it’s why companies have complicated Terms of Service that demand unfettered use of our data and governments are pushing back with an increasing number of data localization laws. Companies are investing in maintaining control with some of the largest lobbying budgets in the world.

The vast majority of conversations about data, data protection, and data rights are between governments, advocates, and companies. Too often, that leaves civil society out in the cold.

For most organizations, responsible data practices and data localization laws are too much to keep track of – and it can feel like a complicated, abstract set of top-down compliance requirements.

Whether it’s Europe’s General Data Protection Regulation, funder pressure to become more data-driven, or the alarming frequency of data breaches, just understanding all the implications of using data responsibly is a full-time job. That’s one reason it seems easier to just use large, commercial products and hope that their approaches are good enough.

If the last couple of years has taught us anything, though, it’s that commercial technology approaches to the social and political impact of data aren’t good enough. Mission-driven organizations are realizing the need to develop their own approach.

That work often starts with culture change – whether that’s ethical principles, seeking expertise, or operational audits to understand the state or practice. No matter where your organization is in its digital transformation, three things are clear:

  1. culture change is a lot of good, but slow, work – especially if your ideas challenge existing practice;
  2. there is no perfect blueprint; and
  3. the work is never done – each case is different, and organizations will have to build ways to evaluate whether their use of tools and approaches align with their mission.

So if you’re a good person working in a good organization, that happens to be doing bad things with data (not even, necessarily, on purpose) the question becomes: where to start?

The Opportunity for Bottom-Up Data Protection

Start with bottom-up data protection.

Bottom-up data protection is the practice of designing your technology programs with local control at the center. From the moment an organization collects data, it not only has the opportunity to try and maximize its value – it has the obligation to minimize the risks it creates. Both the opportunity and risk that data creates are closely related to how and where it’s collected, stored, and used.

One of the things I’ve learned through Frontline is that when you’re building data systems – whether on the frontend with stakeholders through communications channels or on the backend through data formats and reporting requirements across different offices – you’re building relationships. And your ability to earn and maintain trust in those relationships is based on your control over the data you collect – how you get it, how you use it, how you protect it, and how you delete it.

When Frontline moved from desktop software to the cloud, we realized how complex managing international data projects was becoming – and now we’re rebuilding our core software with a solution built-in. FrontlineLocal is a hybrid desktop and cloud platform designed explicitly to give users as much control over their data as possible. In other words, organizations can manage their data themselves, bottom-up.

Regardless of whether you use Frontline, here are a few ways that we’re seeing organizations start building local control and data protection into their digital stack:

Local Hosting

This is the name of the game when it comes to data protection. The most common ways to run afoul of data laws are opt-in laws, data localization, and data privacy breaches. Each of those issues get more complicated if organizations use centrally hosted or public cloud storage for personal and sensitive data.

One way to approach this is to deploy locally hosted data collection and management tools, which can export selected data into redundant storage or centrally administered databases using federated syncing.

Federated Syncing > Central Storage

Whether you call it privacy-by-design or data minimization, the emerging best practice in sharing data is to do it “as-needed,” in order to do the consented (or legitimate purpose) task.

In order to operationalize that principle, organizations should focus on syncing only certain data in distributed data systems, so each part of the system only has access to the minimum data necessary for that system’s function. Selectively syncing data helps minimizing the risk of a security breach, the cost of storage, and the risk of data protection violations. The fewer points of redundancy, the less potential for compromise.

Permission Minimization

Structuring data ‘as-needed’ can be more complicated than it seems – most components of an organization haven’t done auditing that architects data by who needs access to it. And yet, many have informally built similar, federated information management systems.

For example, most management or external reporting systems, whether for tax, grant, or oversight, involve progressively communicating smaller amounts of aggregated data. Organizations should use tools that enable them to tailor the way they grant access to data based on the level of granularity required by each role. In other words, not only should organizations be focused on data minimization, they should also be focused on permission minimization.


No matter how your organization approaches data protection, one thing that’s very clear is the need to be able to trace your data supply chains. From collection to deletion, organizations now need to be able to not only audit what data they have, how they got it, and how they use it – they also need to be able to explain where they host each of those functions.

That kind of supply chain tracking is called traceability, which was pioneered by agricultural producers to track environmental impact and labor conditions. Digital traceability is faster, more granular, and more global – and even more necessary.

While each of these approaches will vary by the needs of your organization, they’re all an important realization: your data architecture has a big impact on your mission. And if you haven’t started thinking about how to make the transition yet, now’s the time to start – and that doesn’t mean an elaborate campaign to get senior management on board. Often, it just means spending a little more time on project design.

How You Can Start on Bottom-Up Data Protection Today

If you’re looking for places to start, here are a few things to look out for:

  1. Procurement. The easiest place to have influence is in choosing the tools and approaches you use – ask your providers about where they host data, and how they help you cope with data protection laws.
  2. Limited Licenses. Where possible, work with providers who commit to very specific uses of data, don’t claim ownership of your data, and don’t sell advertising. It may seem obvious, but the more concrete the terms of your data relationship, the easier it is to build trust, confidence, security, and compliance.
  3. Flexibility. Laws and terms of service change; your tech stack should be designed to move with you, whether that’s from headquarters to the field or AWS to your server stack. Whether building or buying, design your tools for minimizing set-up requirements and adaptable reuse.
  4. Portability. Your data should always be available to you, wherever you need it, in as many formats as useful, and at any level of aggregation. If your technologies lock you in to their revenue model or their services, they almost definitely aren’t giving you the tools you need to build good data protection practices.
  5. People. Ultimately, data – and all the things we do with it – are about helping people. One of the easiest, and least technical, ways to build bottom-up data protection is to work with communities and technologies that enable you to connect directly with the people involved. Whether that’s in-house experts in technology companies or engaged members of your data subject community, the best bottom-up data protection starts and ends with the people involved.

That’s not to say any of this will happen immediately, or overnight – but it is to say that we don’t have to wait for global consensus or the perfect tool to get started. Whether you’re an international non-profit, business, or government – embedding good data protection tools and practices, project-by-project, can help build the field of practice and your organizations capacity.

No matter what you’re building, the best way to start by laying a strong, local foundation and growing bottom-up. Your data architecture, protection, and practice are no different – and there’s no time like the present.

By Sean Martin McDonald, CEO of FrontlineSMS

Filed Under: Data, Featured
More About: , , , , , , ,

Written by
This Guest Post is an ICTworks community knowledge-sharing effort. We actively solicit original content and search for and re-publish quality ICT-related posts we find online. Please suggest a post (even your own) to add to our collective insight.
Stay Current with ICTworksGet Regular Updates via Email

Sorry, the comment form is closed at this time.