We are living in a world that changes at an incredible speed. Disruptive information technologies such as social media, high-speed internet, artificial intelligence, big data, machine learning, and smartphones which are getting more and more powerful are only two decades old but they have already changed fundamentally and irreversibly the way that we live. We are not living in our towns, cities anymore. We live in a digital world and make thousands of connections all around the world through Facebook, Twitter or Instagram, some of which are actually not human. We date no more physically with a classmate or with a colleague, we date online. We shop no more from the marketplace gathered once a week in downtown, rather we prefer to shop online from Amazon or Zalando, and we love to track the item that we purchased from the manufacturer located presumably in China to our doors with (near) real time accuracy. CVs are still important. But our Linkedin profiles that serve as a living CV are more important. We are paid electronically, not necessarily “en espace”. We don’t need to “go” to school or a course. Even 240 ECTS bachelor programs or 120 ECTS master degrees are totally online right now. Morning updates are on Zoom, bringing together highly skilled teammates from all over the world, every day. Our children do not play on playgrounds, they play in metaverse environments such as Roblox or Fortnite. Government services are not only accessible in the town hall, they are in our pockets, in our smartphones. Cinema, encyclopaedia, land-lines, newspapers, magazines and television, they all became obsolete, now we have Netflix, Wikipedia, Whatsapp, push notifications of various apps, Zoom and Youtube. Thanks to COVID-19 we seldom go to restaurants, rather, we prefer to order from Takeaway. Now we have restaurants in our cities with no seats available. Even wars are fought in cyberspace. The road to win our hearts and minds passes from our screens and earphones.
All these gadgets and technologies are coming with numerous side effects, though. And the most important ones are related to our privacy. Thus, in this “brave new world”, data security and privacy have become the cornerstone of all the above-mentioned innovations. Due to the increasing awareness, particularly in Europe, regulatory bodies inevitably, took action to protect citizens’ rights and privacy.
GDPR: A Tool for Data Protection
As early as 1950, the European Convention on Human Rights recognized the right to respect for private and family life (article 8). Likewise, according to article 8 of the Charter of Fundamental Rights, everyone has the right to the protection of personal data. This data must be processed fairly for specified purposes and on the basis of the consent of the data subject or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
These are important components of the individual’s privacy, data security and control over their personal data. Besides these legal framework sits the General Data Protection Regulation (GDPR), or as its title stands “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)” which was put into effect on May 25, 2018. The regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of individuals inside the EEA.
Basically, GDPR sets out data protection principles (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability – article 5), defines lawfulness – or legal basis of processing (consent, entering into a contract, complying with a legal obligation, protecting the vital interests of the data subject, public interest and legitimate interest of a controller – article 6) and enumerates rights of the data subject (the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling – articles 12-23).
Personal Data Protection Measures in ORIENT8
So why is it important for us to take into account GDPR in project ORIENT8? Simply because we are dealing with sensitive personal data. Let me explain. Project ORIENT8 is a smart social mentoring program supported by smart digital tools and tailored activities. It smartly pairs newly arrived third country nationals with the volunteer members of the local community. The main output of ORIENT8 is an ‘effective, efficient and durable’ smart social mentoring program. We test/implement this program using developed tools and activities. One of the main deliverables of ORIENT8, a smart matching tool (using artificial intelligence) is being developed within the project and it will bring the volunteer mentors and newcomers in need of information and support together and make a smart matching based on academically developed matching criteria. In other words, Smart Matching Tool will process the personal data to do the matching. Smart Matching Tool, handles personal information of EU citizens and residents, thus it is crucial that it complies with the GDPR.
To ensure compliance with the GDPR in the project, together with the representatives of the members of the consortium and under the technical assistance of supervisors and data protection officers we prepared a number of deliverables directly related with the GDPR;
Data Protection Impact Assessment: It is a process to help identify and minimise the data protection risks of a project. It;
1. describes the nature, scope, context and purposes of the processing;
2. assesses necessity, proportionality and compliance measures;
3. identifies and assesses risks to individuals; and
4. identifies any additional measures to mitigate those risks.
We used European Data Protection Board (EDPB) Guidelines and the template provided by the UK’s Information Commissioner’s Office to prepare a data protection impact assessment.
Data Processing Agreement: Data controllers need to sign a data processing agreement with data processors prior to processing natural persons’ data. A data processing agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. Since one of our sub processors is a U.S. based IT company we used standard contractual clauses provided by the European Commission for our data processors/subprocessors.
Transfer Impact Assessment: Transfer Impact Assessment is a written analysis, conducted by a controller or a processor, of the impact that a transfer of personal data to a country outside of the EEA may have on the privacy afforded to the transferred data. The EDPB indicates the following to be necessary components of the transfer impact assessment:
– An analysis of the legislation of the data importer’s country.
– Whether public authorities of the third country may seek access to the data with or without the data importer’s knowledge either via legislation, practice, or reported precedent.
– Whether public authorities of the third country may be able to access the data through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedent.
Although no data transfer is envisaged outside the EEA, since one of the subprocessors is a U.S. company a Transfer Impact Assessment was also prepared.
Privacy Notice: A privacy notice explains how your personal data is processed and how it applies data protection principles. According to the GDPR, a privacy notice should have following qualifications (articles 12-14):
– In a concise, transparent, intelligible, and easily accessible form,
– Written in clear and plain language, particularly for any information addressed specifically to a child,
– Delivered in a timely manner,
– Provided free of charge.
ORIENT8 prepared an “IKEA-style” easy to understand privacy notice reinforced with icons and translated to the languages that newcomers widely use. DaPIS (Data Protection Icon Set) is used in the privacy notice. DAPIS is created by CIRSFID, Università di Bologna and Accademia di Belle Arti di Bologna.
Consent Text: According to article 4 of the GDPR; “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. We prepared a clear, simple, easy to understand consent note for all participants of the project in their mother tongue to be signed prior to processing their personal data. Thus, our legal basis in the project is consent, within the remits of GDPR.
Many projects like ORIENT8 co-funded by the European Union process personal data in some way or other. Privacy and security is thus becoming more and more important. It is not only an ethics responsibility but rather a legal obligation to design all tasks which involve personal data processing in compliance with GDPR and to have data protection in mind (GDPR by design and default). Data privacy and security is a dynamic field and every technological breakthrough has either direct or indirect effect on privacy and security. Legislation is also being adapted. So do the actions.
References:
https://eur-lex.europa.eu/homepage.html?locale=en
http://gdprbydesign.cirsfid.unibo.it/dapis-the-data-protection-icon-set/