VICINITY meets the New EU Privacy Regulation


Society is about to see a major shift in the accountability of organisations that make use of individuals’ personal data. Currently, people give implied consent for the use of personal data on many occasions, such as when they accept the terms and conditions associated with downloading a new app. Less than 1% of people understand what personal data might be collected and how it might be used. In future, organisations will be required to show clear evidence that they have received informed consent from data subjects in relation to the data collected and its allowed use.

European Union member states are passing into national law the requirements of the General Data Protection Regulation (GDPR), which comes into force in May 2018. Organisations based outside Europe must also comply with these regulations if they handle personal data relating to people living in Europe.

Furthermore, data subjects will have the “right to be forgotten”. An individual can revoke an agreement to allow their personal data to be used, and all historic personal data held must then be deleted. Where someone’s personal data has been fully merged with data from other individuals, it need not be eradicated. But if there is any way that the original data can be reconstituted and associated with an individual, then it is considered to be personal data.

The VICINITY Ethics Advisory Board has put in place a coaching and review procedure to require privacy by design for our trials. A fast reporting process will be used should we suffer a leak of personal information. Our architecture and other outputs from the project that might be deployed in future IoT systems must be GDPR compliant.

Further challenges that we face include the adoption of a practical approach to obtain informed consent efficiently, without the need for completion of a multiple-choice questionnaire before accessing a service. If people decline to allow their personal data to be used, should they be allowed to access a reduced version of the required service? Or should they pay for a service which the service provider would normally provide free of charge, on the basis of being able to sell on the personal data collected? How can we be sure that no rogue devices are attached to the IoT that might be able to extract and use personal data in an unauthorised way?