Background
Over the years, people have lost trust in organizations that collect a lot of personal data. To regain this trust and improve efficiency and sustainability while protecting democratic values, privacy-friendly technologies are now essential. As societies rely more on data, the risk of violating human rights increases. The EU's General Data Protection Regulation (GDPR) was created to protect these rights.
That's why Indivd has developed and patented a new people-counting technology, designed with privacy in mind. This article outlines the steps we have taken over six years, as a research project, to continuously ensure strong and clear compliance.
By following these steps, Indivd has created a strong, privacy-friendly solution that meets both legal requirements and market needs, ensuring high-quality services while protecting user privacy.
The Problem and Solution: A Chronological Overview
Step 1: Identifying the Problem
- Issue: The disconnect between privacy and a data-driven society creates significant risks of human rights violations.
- Objective: Develop a solution that balances data collection with privacy, adhering to GDPR without requiring individual consent on a large scale.
- GDPR Insight: Aligns with GDPR's core principle of protecting individual rights in a data-driven society and recognizes the need to balance data collection with privacy.
Step 2: Understanding the Market Need
- Action: Conducted needs studies with various organizations to validate the market demand for privacy-compliant data solutions.
- Outcome: Confirmed a substantial need for a privacy-friendly alternative that does not infringe on personal privacy.
- GDPR Insight: Reflects GDPR's impact on market demand for privacy-compliant solutions.
Step 3: Developing the Solution
- Action: Spent over 18 months researching and developing a unique solution to meet market needs while ensuring privacy.
- Outcome: Created a solution designed to improve societal efficiency and sustainability without compromising privacy.
- GDPR Insight: Embodies the GDPR principle of "Privacy by Design," integrating data protection from the outset.
Step 4: Technical Validation
- Action: Completed the development phase with a technical validation to ensure the solution's anonymity and capability to understand re-identification.
- Outcome: Validated a solution that enhances overall privacy in society.
- GDPR Insight: Supports GDPR's requirement for data protection measures, including anonymization techniques.
Step 5: Documenting the Solution
- Action: Carefully documented the solution's technical workings, including data processing maps, system architecture, and comparisons with EU definitions and guidelines.
- Outcome: Provided comprehensive documentation to support the solution's compliance and effectiveness.
- GDPR Insight: Aligns with GDPR's emphasis on accountability and transparency, facilitating compliance with documentation requirements.
Step 6: Analyzing Anonymization Methods
- Action: Conducted a comparative analysis of different anonymization methods, critically evaluating our solution against others.
- Outcome: Ensured that our solution met the EU's stringent anonymization standards.
- GDPR Insight: Addresses GDPR's focus on data protection techniques, particularly anonymization.
Step 7: Adapting to GDPR
- Action: Initiated a full-scale GDPR compliance project, creating and documenting necessary processes, policies, and agreements.
- Outcome: Established a robust framework for legal conformity, including IT security, information security, anonymization, ethics policies, and secure development processes.
- GDPR Insight: Directly implements GDPR compliance measures, creating necessary policies and agreements as required by GDPR.
Step 8: Conducting Risk Analysis
- Action: Employed top IT-security experts to conduct multiple risk analyses.
- Outcome: Addressed initial issues and confirmed a good level of security in subsequent analyses.
- GDPR Insight: Fulfills GDPR's risk-based approach to data protection.
Step 9: Data Protection Impact Assessment (DPIA)
- Action: Collaborated with legal advisors to conduct a DPIA, examining all information and processes.
- Outcome: Concluded that Indivd had a strong argument for lawful data processing under GDPR.
- GDPR Insight: Complies with GDPR's requirement for DPIAs for high-risk processing activities.
Step 10: Expert Review
- Action: Sought audits and challenges from leading experts in IT security, law, and data protection.
- Outcome: Validated the solution's legality and robustness through rigorous testing.
- GDPR Insight: Supports GDPR compliance by seeking external validation.
Step 11: Patenting the Anonymization Method
- Action: Filed patents for our anonymization method for image data.
- Outcome: Secured approved patents in Europe, the USA, Asia, and other regions.
- GDPR Insight: Potentially exempts the process from GDPR if true anonymization is achieved.
Step 12: Prior Consultation with Data Protection Authority
- Action: Applied for a prior consultation with the Swedish Data Protection Authority.
- Outcome: The Authority confirmed that Indivd can be used.
- GDPR Insight: Aligns with GDPR's encouragement of cooperation between organizations and supervisory authorities.
Step 13: Ongoing Compliance
- Action: Committed to maintaining and updating GDPR compliance continuously.
- Outcome: Ensured that future developments do not compromise data protection standards, viewing ongoing compliance as a mission-critical objective.
- GDPR Insight: Reflects GDPR's requirement for continuous compliance efforts.