GDPR anxiety? Cities may soon see benefits that soothe compliance pain
From smart transport systems to smart power grids, connectivity and hordes of data are the hallmarks of smart cities. All those connected devices generate explosively increasing volumes of data, and municipalities are among those with a vital role to play in the EU's new privacy and data protection regulation.
Most regard citizens as the ultimate winners once the General Data Protection Regulation (GDPR) takes effect on 25 May, 2018. They will be able to acquire significant insight into data that is collected about them and significant control over how their personal data is used. The ability to receive timely notification in the event of data breaches involving their personal data is another GDPR benefit that will give citizens across the EU peace of mind.
Yet cities and other public agencies stand to benefit as well, that is, once they overcome the compliance pain. For example, public sector organisations have always collected highly sensitive data about their citizens as a matter of course – health records, court records and tax records among them. With adoption of smart technologies, they are collecting even more data about their citizens – from where they parked their car the previous evening to who they were brawling with outside a nightclub.
GDPR provides an opportunity for cities to set a very high bar in respecting the privacy and security of citizen data and to use it for improved public value and outcomes.
Ensuring the privacy of data subjects and the security of the data itself is a huge responsibility. Antonio Kung, who leads the EIP-SCC Citizen-Centric Approach to Data Initiative, makes the point that if a data breach were to occur – even if a third-party supplier was clearly at fault – the city's reputation would be negatively impacted.
Breach risks are everywhere
Data breaches can occur anywhere in the myriad applications and systems (transport, energy, e-government and the like) that are managed in a smart city. Further, each individual application (such as a vehicle sharing system) can involve complex data processing chains spanning many organizations (cloud storage provider, data analytics company, etc.). If a breach occurs, will the city be able to swiftly trace its origin and recover from it?
Kung points out that GDPR compliance will be easier to achieve if guidelines on how to manage data protection are provided to cities, for everything from procurement to data-sharing. In fact, he is currently working on standardization projects that will:
- Help cities and other organisations bake privacy and data protection into systems design
- Develop security and privacy guidelines around the Internet of Things
- Develop privacy guidelines that pertain specifically to smart cities
In the past year, Kung and others focused on privacy and data protection have held workshops to raise awareness about GDPR and to help cities assess risk factors in their data and privacy management. Outcomes from the workshops will inform the standards work.
Public sector benefits
In addition to providing an incentive to clean up poorly executed data and privacy practices and a checklist to follow in the event of a breach, GDPR offers other advantages for public authorities. A few examples:
- Transparency: In this age of hackers and disastrous data breaches, citizens are justifiably concerned about how much and what type of their personal data is floating around cyberspace. GDPR gives them much more control over it and gives cities definitive guidelines on how to collect, store and disclose personal information. No more guesswork.
- Shared services: Research by the Parliament Street think tank found that London boroughs reported widely varying budgets for GDPR compliance – ranging from £1,000 to £300,000. In a set of policy recommendations, Parliament Street suggested two boroughs might consider a shared-services model whereby back-office processes could be audited and data managed efficiently by a single IT team. Another cost-savings option would be for two or three boroughs to enter a shared agreement to hire technology companies and consultants at a discounted rate to support GDPR strategies. Good ideas for budget-strapped municipalities.
- Employee privacy: New rules also specify data-handling procedures in regard to civic employees. In an article for LocalGov, employment law specialist Mark Leach suggests government employers should review wording about consent to process data on employment contracts, streamline HR processes to meet tighter timeframes for responding to data protection subject access requests, and be current on rules regarding employment records. Employers that set an example of full and ready compliance will likely encourage employees to do the same for citizens.
GDPR is a major milestone in privacy protection and every one of us has a stake in its success.