
DATA DRIVERS

The European Union’s General Data Protection Regulation (GDPR) may not feel like it has much to do with lighting. In fact, it is something all lighting professionals need to have a handle on, especially given lighting’s growing role as a collector, hub and conduit for data.

By Peter Thorns

JUNE 2021 LIGHTING JOURNAL 51

Data management and protection

The GDPR is a four-letter acronym that you have probably seen, heard or read about and, possibly like many, ignored or shrugged off. But it is nevertheless an important new European Union regulation that, irrespective of Brexit, anyone working in lighting, or indeed anyone handling client or customer data, needs to be up to speed on.

This article is based around a webinar I recently delivered for the ILP and, while most definitely not a definitive guide to the regulation, for those wanting to find out more, please do check out the recording of this, which is available via the ILP website (details at the end of the article).

So, first of all, what is the GDPR? The basis of the GDPR or, to give it its full name the General Data Protection Regulation, goes back to the 1950s. It came into being as a response to the need formally to recognise a person’s right to privacy under the 1950 European Convention on Human Rights.

This states that: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ Using this as a foundation, the European Union has sought to protect this principle through successive legislation.

As society has changed and become more technologically advanced, it was recognised existing regulations on privacy no longer reflected current data concerns. Therefore, in 1995, the EU passed the European Data Protection Directive. This established minimum data privacy and security standards and was the basis from which each European member state created its own implementing laws.

However, society continued to evolve, especially via the rise of the internet, social media and online services and commerce.

The figures for online usage are now staggering. For example, it is estimated that in 2020 there were 4.6 billion active internet users and 3.7 billion online shoppers; 200 million emails were sent and 4.2 million Google searches carried out every minute.

Neither the European Convention on Human Rights nor the European Data Protection Directive was designed for this amount of data and data usage. Europe’s data protection authority declared the EU therefore needed ‘a comprehensive approach on personal data protection’ and began to update the 1995 directive. The new regulation entered into force in 2016 and, as of 25 May 2018, all European organisations were required to be compliant with it.

UNDERSTANDING THE GDPR

So, what is the GDPR designed to do? In very simple terms, it is designed to tighten up protections around the transfer of personal data, both within and outside the EU and European Economic Area (EEA). It aims to give individuals more control over their personal data and how it is used or shared and to simplify the regulatory landscape for businesses by bringing together various EU regulations under one roof.

Like all regulations, however, it is important first to understand some of the basic terminology. Be aware, these may not always be based on common usage or understanding but a legalistic translation of a concept. There are four key terms that will crop up time and again in any discussion about the GDPR, and which it is therefore important to have a handle on.

1) Personal data. As its name suggests, this is any information that relates to an identified or identifiable living individual. Different pieces of information that, collected together, can lead to the identification of a particular person, also constitute personal data.

Personal data is any data, held in any format, that allows a living person to be identified. Anonymised data is outside the scope of the regulation but, if this anonymisation can be removed or if the data used along with other data can result in an individual being identified (what is known as ‘pseudo-anonymised data’), then it is not considered to be anonymous and is covered by the regulation.

Even if a person is dead, their data may still infringe the rights of a living person, such as a spouse or child, and is therefore potentially still in scope. The GDPR protects personal data and is technology neutral, so applies to both non-automated and automated processing.

2) Data processing. Under the regulation, this covers a wide range of operations that are performed on personal data. This includes the processing of data by both non-automated and automated means. It encompasses the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

In practice, this means that, as soon as you have any personal data on your system you are within the scope of the GDPR. It does not matter if you do nothing with it, as collection of data is within the scope of the regulation, along with storage. And it does not matter how you manage the data; it only matters that you have the data.

3) A data protection officer. Under the GDPR, you may be required to have a nominated data protection officer within your organisation. It is their job to inform about obligations to comply with the GDPR and data protection laws. They will also monitor compliance, address issues, train staff and conduct internal audits.

The data protection officer will also advise on data protection impact assessments and will be the first point of contact for external authorities. You require a data protection officer if you are a public authority or if your core activities consist of monitoring or processing data of individuals.

However, even if you do not legally require a data protection officer, having someone designated in this role may well be a sensible approach.

4) A data controller. A data controller is the legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller is legally responsible for the processing of personal data. Other people may receive the data and process it but only with the permission and knowledge of the data controller.

The foundations of the GDPR are enshrined in two main principles: the rights of the individual concerning their personal data and the data protection principles an organisation must comply with when processing personal data. Let’s look at each in turn.

THE ‘EIGHT RIGHTS FOR INDIVIDUALS’

When it comes to the rights of the individual concerning their personal data, there are eight core rights that run through the GDPR. These are:

1) The right to be informed. If any data is collected on an individual they have the right to be informed what data is being collected, why, and what will be done with this data.

As an example, if you go on a website and you are asked to ‘accept cookies’, instead of clicking on ‘accept’ click on the ‘manage’ option. This will show you what is being collected and how it will be used.

In principle, this right also includes the situation that, if information is obtained via a third party, the individual must be informed within one month of this happening. In practice, this is fairly difficult to police but if there is the possibility that your data will be sold or shared this must be identified at the time the data is collected.

Note that it does not matter whether the data source is private or public. If data is obtained from a publicly accessible source, then the individual still has the right to be informed that this has happened. For a company, therefore, it is important that, if consent is given, records are kept to demonstrate this. Be aware, if consent cannot be proven it is assumed it had not been given.

2) The right of access. An individual has the right to see what information is held about themselves. In principle the information should be provided in keeping with the method of making the request.

For example, if the request was made electronically then electronic information in a commonly used format would be acceptable. If the request was made in writing, then hard copy data could reasonably be expected.

The information provided has to be in a form that is easily understandable, in other words using plain language. It may include not only the data that is being held but also the justification on why it is being held, where it came from, who has seen it, and other background information.

A fee may be charged if the request is excessive or based upon a serious misconception. However, a fee cannot be charged to overcome the shortcomings of processes or IT systems in handling such a request.

3) The right to rectification. An individual has the right to have any errors in data being held corrected. ‘Incorrect’ data in this context is data that is inaccurate or misleading.

The right to rectification is not absolute, in that if the original data is considered correct and the proposed amendment inaccurate it can be refused with an explanation of why, although the individual has the right to challenge this decision.

Also consider that data may be incorrect at a point in time but could have been correct when collected. If the storage of historical data can be justified, it may be permissible to keep both the original and the corrected data as long as it is correctly identified in time.

4) The right to erasure. This has been one of the most controversial aspects of the GDPR, and is often called ‘the right to be forgotten’. An individual can withdraw their permission to hold data on them at any time. If they do this, the data should be deleted. Also consider that data may have a defined period that it may be held and should be deleted when the timeframe expires.

Note that this right is not absolute and depends upon the lawful basis for processing the data (and there is more on this in the section on the six data protection principles below).

There are exceptions where this does not apply; legal requirements and public interest are examples. However, the justification has to be documented, be valid, and be made available if requested by the individual. If, however, the personal data has been processed unlawfully the individual automatically has the right to erasure.

5) The right to restrict processing. The right to restrict processing is an alternative to the right to erasure. In general, the restriction of data-processing rights will be time-limited and will not be permanent, so it is more of a holding measure.

It can be used, for example, if an individual feels the data held is not correct, that permission has not been given for any or all of the data, or that the data has been used incorrectly. It can also be used to preserve data that the individual does not want deleting at a particular point in time. Remember, however, deletion/erasure is classed as data processing.

Preservation of data can be pertinent in the event of a dispute, for example. The right to restrict processing is not an absolute right and may not apply in certain circumstances.

6) The right to data portability. The right to data portability is slightly more esoteric. It effectively allows individuals to use their own data for their own benefit. However, this right does not mean that data must be supplied in a custom format for specific third-party applications. It only requires that the data should be made available in a commonly used machine-readable format.

7) The right to object. A person has the right to object to their data being processed in certain circumstances. In the case of direct marketing, for example, there are no reasons for this request to be refused. In this context, the term ‘direct marketing’, by the way, includes data profiling for tailored marketing or advertising.

Bear in mind, however, this is not the same as deleting the data. In principle, enough data will need to be held to indicate that the data cannot be used for the purpose given in the objection.

8) Rights in relation to automated decision-making and profiling. The GDPR outlines restrictions on the use of data for profiling or automatic decision-making.

There are three situations where this may be used: where it is necessary for the entry into or completion of a contract, where it is authorised by law, or if an individual has given explicit consent. Note that, if the basis for profiling is based upon an individual’s consent, then it may be withdrawn at any time.

Also note that, if any automatic process has a significant effect, it cannot be used as the sole means of decision-making.

THE ‘SIX DATA PROTECTION PRINCIPLES’

We’ve looked at the rights for individuals. But what about the principles organisations must comply with? There are six key data protection principles within the GDPR and which, again, lie right at the heart of the regulation. These are:

1) Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. Before processing personal data, at least one of the lawful bases for processing must be valid. These are: consent, contract, legal obligation, vital interests (in other words, life-critical), public task and legitimate interests.

Remember that, if the data is processed unlawfully, an individual has the right to erasure or the right to restrict data processing, so it is important this is carefully defined.

Additionally, just because a system of processing requires a defined approach regarding data, that does not make it necessary in the legal terminology of the GDPR. If an alternative method may be used that is less intrusive it should be, regardless of the difficulty of processing the data.

Depending upon the lawful basis of the data processing, the individual will have more or fewer rights. For example, if the data processing is on the basis of a legal requirement, the individual cannot claim the right to erasure, the right to portability or the right to object. So it is important to correctly define the basis for data processing.

2) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. This slightly wordy principle is essentially highlighting that it is important the reason for data processing is clearly defined and documented. The principle states what data may be collected and used and, just as importantly, places limits so that only this data may be collected and it cannot be used for any other purpose.

It is possible that a new purpose for data processing may be considered compatible with the original purpose; that is in the same scope. The further away the new purpose is from the original basis, the less likely this is to be the case, however.

If the basis was consent, then a new consent is always required for any new purpose. Note that a vaguely defined consent request will not be considered adequate.

3) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data processing must be limited to what is necessary and justified by the legal basis. If it cannot be justified it is considered illegal. This is why the choice of legal basis is crucial.

4) Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In line with the rights of the individual, it is necessary that data is accurate and that it is deleted when it is no longer needed or any time limit has passed.

5) Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This principle highlights how, by and large, the best approach is to anonymise data. As soon as this is done it is not possible to infringe an individual’s privacy and the data is no longer covered by the requirements of the GDPR.

Bear in mind, however, the role of ‘pseudonymised’, or partially anonymised, data. An example of pseudonymised data is data that has a separate key coding to identify individuals. So, the data by itself is anonymous. This is a second-best solution to fully anonymised data, and will still fall under the GDPR.

6) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The GDPR places security requirements on any data processing. This may be cyber-security but could also include photocopying personal data in the case of paper records.

This also has implications for third-party processing, as the data controller still has legal responsibilities to ensure the third party follows the rules and requirements of the GDPR and the defined use and legal basis for the data.

THE GDPR AND LIGHTING

So, what about lighting? The GDPR applies to all lighting companies as they go about their business. This means from HR through to sales and marketing databases, through to a salesperson’s informal spreadsheet of contacts, through to the contacts in their (and your) mobile phone.

Then there is lighting’s growing role as a data collector, hub, and conduit, especially in terms of connected and smart lighting and the Internet of Things (IoT). The EU definition of the IoT explicitly includes data processing.

It describes IoT as: ‘An enabler of a hyperconnected society & economy via a set of sensors, actuators, smart objects, data communications and interface technologies that allow information to be collected, tracked and processed across local and global network infrastructures.’

If this data includes personal data, it then falls within the scope of the GDPR. And, remember, personal data is data that allows a person to be identified, including, for example, the use of a phone or badge to activate corporate services.

Also consider concepts such as Li-Fi and Power over Ethernet, which mean that a lighting product becomes a node on a computer system. At some point dedicated DALI or lighting control buses will become a thing of the past as lighting control commands will be sent over a general-purpose communication bus.

Smart buildings and smart cities, by definition, capture data on occupants and behaviour, creating building and city-wide ecosystems where all systems will be expected to share sensors and interoperate to the benefit of the building/city and their stakeholders.

Data is collected from many nodes and centralised for analysis. Again, if this data is not anonymous it is personal. And, if disparate data pieces can be linked up in centralised systems to identify a person, it will fall within the scope of the regulation.

Lighting controls of course are no longer wall switches. They are Bluetooth- or internet-connected systems controlled by personal computers, tablets or smartphones.

The move to use smartphones to control services such as lighting can create personal data. Each smartphone effectively identifies an individual with benefits, such as personalising the settings in a room or at a desk for the individual.

But to do this, data on individual preferences has to be held and the individual has to be identified. If lighting is linked to a personal computer or smartphone, so that a city or building senses the user and therefore the location and building requirements, it also understands who is there.

The important questions from here become: who owns the data and, from there, where (and who) is the data controller? Even if a lighting product is just a conduit, does this classify as data collection, even if it is never stored?

The legal responsibilities will blur as communications expand and become common across many systems. Identifying who owns what, the legal basis for data processing and so on for data that may feed multiple customers will become complex.

The lighting industry is developing lighting, and lighting systems, that transcend the purely lighting function; lighting is becoming part of far bigger concepts.

Lighting is becoming data driven and, also, becoming a data collector for ‘Big Data’. So, as an industry we have to ask: do we want to be part of the IoT revolution, with all of the attendant problems regarding data security and the rights of the individual? Or do we want to be a component in a system that belongs to a big data corporation?

Do we want to be a key player in the IoT or merely a component supplier? And, ultimately, if we want to be a key player, are we ready to take on the responsibilities – including data management, protection and security – as well as the opportunities?

FIND OUT MORE

Peter’s article is built from his webinar for Durham LDC, ‘GDPR in the lighting industry’, that was held in November. A recording is available to view at: https://theilp.org.uk/ilp-durham-cpd-webinar-gdpr-in-the-lighting-industry/

Important note. This article is a general discussion of the principles, and some of the implications, of GDPR. It is definitely not a definitive guide and for specific concerns regarding GDPR a specialist should be contacted for advice.

Peter Thorns BSc(Hons) CEng FCIBSE FSLL is head of strategic lighting applications at Thorn Lighting
