Useful innovation is innovation that embeds data protection by design, says Jèssica Obiols, Head of the Andorran Data Protection Agency (APDA)

At a time when artificial intelligence, global digital services, and the massive circulation of data are redefining the relationship between technology, the economy, and fundamental rights, data protection has become a strategic issue for both states and businesses. In Andorra, this debate has a particularly important dimension: how can a small, highly connected, and internationally oriented country guarantee digital trust without slowing innovation? We spoke with the Head of the Andorran Data Protection Agency (APDA), Jèssica Obiols (centre in the photo), about the major challenges facing Andorra in privacy, cybersecurity, artificial intelligence, and digital competitiveness. Interview: Irina Rybalchenko Andorra is a small country, but it is highly connected and international. How can the APDA turn this small scale into a strategic advantage and help make the country a model for data protection at the European level? Andorra has a distinctive feature that can become an important advantage: proximity. In a small country, the relationship among institutions, businesses, professionals, and citizens is more direct. This makes it possible to build a culture of data protection in a way that is closer, more educational, and better adapted to the country’s reality. From the APDA’s perspective, this proximity helps reinforce three essential lines of action: prevention, awareness, and effective supervision. Data protection should not be understood only as a response after a problem has occurred, but as a way to build trust before risks arise. Being a small country can also make it easier to apply good practices in a more coherent and cross-cutting way. That said, this requires shared involvement. The APDA plays an important role as the supervisory authority, but data protection does not depend on the Agency alone. It requires public administrations, companies, professionals, and citizens to progressively integrate a culture of responsibility in the use of personal data. With the massive rise of artificial intelligence, sovereign clouds, and cross-border digital services, where, in your view, should the red line be drawn between useful innovation and excessive exploitation of personal data? The red line appears when innovation stops being understandable, proportionate, and respectful of people’s rights. Technology can deliver very positive solutions, including in the public and business sectors, but it cannot justify every form of collection or reuse of personal data. From a data protection standpoint, any digital project should start with a few basic questions: What data is being processed? For what purpose? On what legal basis? For how long? With what safeguards? With which providers? And with what level of control for the people concerned? When these questions do not have clear answers, the risk increases. In the fields of artificial intelligence, cloud services, and cross-border processing, technological complexity cannot dilute legal responsibility. Even when algorithms, external providers, or infrastructures located outside the country are involved, there must always be sufficient traceability regarding data processing and appropriate safeguards. Useful innovation is innovation that embeds data protection by design. Excessive exploitation begins when more data is collected than necessary, when data is reused for purposes that were not foreseeable, or when individuals lose effective control over their information. Data protection is often perceived as a legal obligation. How can it become, in Andorra, an argument for trust, competitiveness, and even economic attractiveness? Data protection should not be seen only as a formal or administrative obligation. When properly implemented, it is a marker of quality, responsibility, and trust. In the digital economy, personal data is a highly sensitive asset, and the way a company or institution manages it directly affects its reputation. For Andorra, this can have strategic value. A country that wants to develop digital services, attract talent, promote technology projects, and maintain strong international relationships must be able to demonstrate that it offers legal certainty and appropriate safeguards. Digital trust is not built only with technology; it is also built through transparency, responsibility, and respect for people’s rights. Data protection can also be a competitiveness factor because it helps reduce risk, better structure internal processes, improve relationships with customers and users, and facilitate cooperation with other jurisdictions that require high standards. In this sense, proper compliance is not only about avoiding sanctions; it is also about demonstrating maturity, seriousness, and the ability to operate in an increasingly demanding digital environment. In a country where public administrations, banks, telecommunications operators, the health sector, and tourism operators manage highly sensitive data, which sector do you consider most exposed today to new digital risks? Rather than pointing to a single sector, I believe we need to talk about levels of risk. Risk depends on several factors: the type of data being processed, the volume of information, the interconnection of systems, dependence on technology providers, the security measures in place, and the consequences that an incident could have for the people affected. Clearly, sectors such as health care, finance, telecommunications, and public administration carry a particularly high level of responsibility, because they may process highly sensitive data or data that can have a significant impact on people’s lives. But digital risks no longer affect only large organizations. Any entity that uses applications, cloud systems, management platforms, artificial intelligence tools, or digital communication channels may be exposed. That is why it is important not to reduce this issue to a purely technical problem. Cybersecurity and data protection are also organizational, legal, and cultural matters. Having a technology tool is not enough. Organizations need to know what data they process, who has access to it, why it is used, how it is protected, how long it is retained, and how they will respond in the event of an incident. If you had to give one simple message to Andorran entrepreneurs launching digital projects, what should be their first reflex in order to integrate data protection from the initial design stage rather than as an afterthought? The first reflex should be very simple: before collecting data, ask what data is truly necessary and for what specific purpose. This question is essential. Many problems arise because data is collected “just in case,” without a sufficiently defined purpose or without assessing whether it is truly indispensable to provide the service. Integrating data protection by design means thinking about it from the very beginning of the project: in the configuration of the application, in forms, in consent checkboxes, in access permissions, in the contracting of providers, in the location of servers, in retention periods, in the information given to users, and in security measures. This should not be seen as a brake, but as an investment. It is far more efficient to build a digital project properly from the start than to have to correct a system later once it is already operating, has already collected data, or has already generated risks. Data protection by design helps create products that are more reliable, more transparent, and more sustainable over the long term. With the new legislative changes expected in Andorra in the digital and data protection fields, what are, in your view, the main challenges for ensuring that the law continues to protect citizens without slowing the country’s innovation and competitiveness? The main challenge is to maintain an intelligent balance. The law must effectively protect people’s rights, especially in a context where personal data is becoming increasingly valuable, but it must also be clear, understandable, and applicable for data controllers. In digital matters, laws must be able to respond to new risks without quickly becoming outdated. Artificial intelligence, cloud services, international data transfers, cybersecurity, and the intensive use of technology platforms raise challenges that require solid regulation, but also regulation that is flexible and proportionate. From the perspective of data protection, the key is that innovation should not be built at the expense of people’s rights, but by incorporating safeguards from the outset. The LQPD already provides important tools in this regard, such as the principles of minimization, transparency, security, proactive responsibility, data protection by design, and impact assessment when processing may involve high risks. Therefore, the challenge is not to choose between data protection and innovation. The challenge is to ensure that innovation is safe, responsible, and compatible with fundamental rights. This is also an opportunity for Andorra: to move forward digitally without giving up trust, legal certainty, and the protection of individuals.The post Useful innovation is innovation that embeds data protection by design, says Jèssica Obiols, Head of the Andorran Data Protection Agency (APDA) first appeared on All PYRENEES.