Benefits of GDPR Compliance for Exploitation of Project Results
GDPR Compliance in EU-funded Projects
Protection of personal data and privacy is one of the most important ethical challenges. Across all EU research funding schemes, Ethics has a transversal nature. For that reason, it cuts across all work packages and tasks within scientific and research projects.
Managing privacy and data protection within projects such as IoT-NGIN, CYRENE and AI4HealthSec requires:
- leadership and guidance from the partner responsible for ethics and legal issues
- supervision and synchronization of activities from the project coordinator
- active participation of all project partners
- and, when necessary, involvement of the project officer.
Because privacy and data protection should continue to develop and mature over time, all project partners must understand how they contribute to and support data protection efforts, what any Conditional Clearance and Ethics Requirements the project received mean, what the steps of the Ethics Appraisal Process are, where to find the relevant reference documents, etc.
Transposing the GDPR Compliance Requirements
The General Data Protection Regulation (GDPR) is the cornerstone of the European Union's data protection regulatory framework. In general, the GDPR applies whenever personal data is processed by entities based in the European Union or whenever processing activities involve data of natural persons in the European Union. To satisfy GDPR requirements in an EU-funded project, various activities are required. Among these are the adoption of privacy policies and procedures and their enforcement at the functional level, the deployment of privacy-enhancing and security-enhancing controls, the assessment of the state of compliance, the establishment of controlling/monitoring mechanisms including potential external supervision by an Independent Ethics Advisory Board, the appropriate provision of information about data processing activities, and the lawful and secure sharing of data.
The GDPR enshrines the principle of accountability. This is one of the most important concepts introduced by the GDPR. In essence, this principle lays down that anyone who processes personal data should be able to demonstrate compliance with the applicable privacy laws and principles. The idea behind the principle is that someone must be responsible for the information collected and processed about people throughout the whole data lifecycle. Being accountable for data processing activities ensures that the GDPR requirements are satisfied.
How GDPR Compliance increases exploitation potential: the case of IoT-NGIN, CYRENE and AI4HealthSec
Being compliant with the GDPR goes beyond the legal obligation of the project partners and brings additional benefits to the exploitability of project outcomes. The following sections examine these benefits across several projects where Privanova leads the GDPR compliance efforts and acts as the Ethics and Legal Manager for the project.
IoT-NGIN: GDPR Compliance as part of the Next Generation Internet
The IoT-NGIN project extends the interoperability and intelligent edge computing of IoT systems. To achieve its results, IoT-NGIN combines different technologies and approaches, including the need for a high level of cybersecurity, trust and privacy, the use of blockchain and DLTs, mobility requirements adapted to 5G networks, M2M, ML and Artificial Intelligence, as well as the principles of Data Sovereignty, Data Security and Scalability.
In this context, there are several domains that are directly improved when data protection principles are respected and properly transposed into project requirements. Namely, being compliant with the GDPR enables a data controller/processor to process data of higher quality and value. Also, the use of high-quality data improves the end-user's business processes and forms a basis for process automation. In return, better business processes lead to a better understanding of the data, the purposes of processing, retention periods, storage-related facts and the measures applied to secure data, which is extremely important for a project aiming to support societal change and economic growth, such as IoT-NGIN. Well-organized, GDPR-compliant processes for handling personal data result in improved data security and a reduced risk of data breaches. Therefore, by assisting the Coordinator in fulfilling a series of ethics requirements and by focusing on data protection compliance as part of the overall Data Management and Risk Management of IoT-NGIN, Privanova delivered improved exploitability of project results and contributed to their uptake by end-users.
AI4HealthSec: GDPR Compliance Requirements, Trustworthy AI and Healthcare ICT Infrastructures
The AI4HealthSec project delivers increased capabilities for the detection and analysis of cyber-attacks and threats on healthcare ICT infrastructure. The project creates new knowledge on current cyber security and privacy risks and, as such, depends heavily on the proper implementation of the GDPR compliance requirements. Furthermore, one of the AI4HealthSec objectives in the area of cyber security is to deliver healthcare solutions with a clear business impact and to facilitate new kinds of services, collaborations and market opportunities. In this context, the need for appropriate implementation and maintenance of high levels of GDPR compliance becomes obvious.
As healthcare ICT infrastructures adapt to the ever-changing cybersecurity environment, they also need to define clear security strategies capable of orchestrating multiple security components to identify system vulnerabilities and sophisticated attacks, and to protect the often highly sensitive health-related personal data processed within these systems.
There are various motivators for implementing adequate privacy and data protection within this type of project. Firstly, there is the need to handle individuals' personal data responsibly, especially since such data can fall under the special categories of personal data (health-related data, biometric data, patient records). This aspect is directly related to the need for data subjects, as well as the potential end-users of AI4HealthSec results, to have transparency of data processing activities and to gain trust in the relevant services. In addition, fines and fees from regulators in this field are very common and represent a tangible monetary risk for end-users. However, the loss of individuals' trust can be broad, unbounded, and have much more severe repercussions. Loss of trust can be ruinous to entities that process data. It is hard to obtain, and harder to get back once lost. Therefore, many organizations are motivated to have mature data protection and privacy approaches (and programs) to ensure they do not lose individuals' trust. All organizations have an interest in keeping the trust of their partners, employees, contractors, and customers. Thus, proper handling of personal data is in every organization's best interest, and this, in particular, concerns healthcare ICT infrastructure operators.
Alongside end-user trust, there are also reputational aspects to be considered. This is mainly due to the sensitive nature of the data processing activities performed on the healthcare ICT infrastructure. All organizations strive to keep their reputations untarnished. To this end, a potential end-user of AI4HealthSec technologies and any healthcare ICT infrastructure operator processing personal data needs to take the proper steps to ensure 1) compliance with regulatory requirements, 2) a reduced risk of data breach and 3) that the expectations of individuals are met.
CYRENE: GDPR Compliance, Information Security and Resilience of Supply Chain Services
The CYRENE project addresses the GDPR compliance requirements on several levels. It delivers enhanced security, privacy, resilience, accountability and trustworthiness of supply chains. All of these principles have legal aspects grounded in the GDPR.
Because the project delivers its outcomes through the provision of a novel and dynamic Conformity Assessment Process that evaluates the security and resilience of supply chain services, CYRENE integrates into its outcomes several short- and long-term benefits of proper GDPR compliance implementation. This also concerns the way in which these outcomes will be demonstrated in a series of real-life supply chain scenarios under operational conditions and by different categories of end-users.
In terms of GDPR compliance, the fact that CYRENE underwent an in-depth ethics assessment and addressed a number of ethics requirements means that the project performed a collaborative risk assessment across various aspects and delivered documented proof of compliance against the EU Ethics Appraisal Process requirements. These requirements, in particular, cover many GDPR compliance aspects.
In addition, the consortium partners made sure that all relevant entities and stakeholders within the CYRENE ecosystem are accountable for the safekeeping and responsible use of personal information. This is important not just to regulators and for compliance reasons, but also to the individuals whose personal data is (or will be) processed and to the general population. Therefore, the GDPR transposition and implementation efforts within CYRENE resulted in
- documented readiness to demonstrate compliance with applicable data protection principles
- the reduction of data breach risks
- the trust-based approach to building project outcomes and
- enhanced reputational advantages for the project outcomes and its potential end-users.