This article outlines the chronological steps Indivd has taken to develop a people counting technology that is privacy-friendly by design and supports alignment with the EU General Data Protection Regulation (GDPR). It is intended for data protection officers, legal advisors, and others evaluating Indivd's data protection practices. This document does not constitute legal advice.
Background
Over the years, public trust in organisations that collect personal data has declined. Privacy-friendly technologies have become essential to restoring that trust, improving efficiency and sustainability, and protecting democratic values. As societies rely more on data, the risk of human rights violations increases. The EU General Data Protection Regulation (GDPR) was created to protect these rights.
Indivd has developed and patented a people counting technology designed with privacy as a foundational requirement. This article documents the steps taken over six years — beginning as a research project — to ensure that the solution maintains a strong and clearly documented approach to data protection.
The problem and solution: a chronological overview
Step 1: Identifying the problem
- Issue: The disconnect between privacy and a data-driven society creates significant risks of human rights violations.
- Objective: Develop a solution that balances data collection with privacy, in a manner consistent with GDPR without requiring individual consent at scale.
- GDPR relevance: Aligns with GDPR's core principle of protecting individual rights in a data-driven society and the need to balance data collection with privacy.
Step 2: Understanding the market need
- Action: Conducted needs studies with various organisations to assess demand for privacy-aligned data solutions.
- Outcome: Confirmed a substantial need for a privacy-friendly alternative that does not infringe on personal privacy.
- GDPR relevance: Reflects GDPR's influence on market demand for privacy-aligned solutions.
Step 3: Developing the solution
- Action: Spent over 18 months researching and developing a solution to meet market needs while ensuring privacy.
- Outcome: Created a solution designed to improve societal efficiency and sustainability without compromising privacy.
- GDPR relevance: Embodies the GDPR principle of Privacy by Design, integrating data protection from the outset.
Step 4: Technical validation
- Action: Completed the development phase with a technical validation to assess the solution's anonymisation properties and its resistance to re-identification.
- Outcome: Validated a solution that supports broader privacy protection in society.
- GDPR relevance: Supports GDPR's requirement for data protection measures, including anonymisation techniques.
Step 5: Documenting the solution
- Action: Documented the solution's technical workings in full, including data processing maps, system architecture, and comparisons with EU definitions and guidelines.
- Outcome: Produced comprehensive documentation to support the solution's effectiveness and accountability obligations.
- GDPR relevance: Aligns with GDPR's emphasis on accountability and transparency, and supports compliance with documentation requirements.
Step 6: Analysing anonymisation methods
- Action: Conducted a comparative analysis of different anonymisation methods, critically evaluating Indivd's approach against available alternatives.
- Outcome: Confirmed that the solution meets the EU's anonymisation standards.
- GDPR relevance: Addresses GDPR's focus on data protection techniques, particularly anonymisation.
Step 7: Adapting to GDPR
- Action: Initiated a full-scale GDPR project, creating and documenting the necessary processes, policies, and agreements.
- Outcome: Established a framework for legal conformity covering IT security, information security, anonymisation, ethics policies, and secure development processes.
- GDPR relevance: Directly implements GDPR measures, creating necessary policies and agreements as required.
Step 8: Conducting risk analysis
- Action: Engaged specialist IT security experts to conduct multiple risk analyses.
- Outcome: Initial issues were addressed, and subsequent analyses confirmed a satisfactory level of security.
- GDPR relevance: Fulfils GDPR's risk-based approach to data protection.
Step 9: Data Protection Impact Assessment (DPIA)
- Action: Collaborated with legal advisors to conduct a DPIA, examining all relevant information and processes.
- Outcome: Concluded that Indivd has a well-founded basis for lawful data processing under GDPR.
- GDPR relevance: Addresses GDPR's requirement for DPIAs for high-risk processing activities.
Step 10: Expert review
- Action: Sought audits and challenge reviews from leading experts in IT security, law, and data protection.
- Outcome: Validated the solution's legal basis and technical robustness through rigorous external testing.
- GDPR relevance: Supports accountability obligations under GDPR through external validation.
Step 11: Patenting the anonymisation method
- Action: Filed patents for Indivd's anonymisation method for image data.
- Outcome: Secured approved patents in Europe, the USA, Asia, and other regions.
- GDPR relevance: Where true anonymisation is achieved, the processed data may fall outside the scope of GDPR.
Step 12: Prior consultation with the supervisory authority
- Action: Applied for prior consultation with the Swedish Data Protection Authority.
- Outcome: The Authority confirmed that Indivd can be used.
- GDPR relevance: Aligns with GDPR's framework for cooperation between organisations and supervisory authorities (Article 36).
Step 13: Ongoing alignment
- Action: Committed to maintaining and updating data protection practices on a continuous basis.
- Outcome: Ensures that future developments do not weaken data protection standards. Ongoing alignment is treated as a mission-critical objective.
- GDPR relevance: Reflects GDPR's requirement for continuous and demonstrable data protection efforts.