Privacy Management in Smart Cities - GreenDigitalCharter…

EIP-SCC Citizen Focus Privacy Management in Smart Cities Antonio Kung 26/04/2017 Data management and citizens’ privacy in smart cities open governance 1


Post on 12-Oct-2020


Page 1

EIP-SCC Citizen Focus

Privacy Management in Smart Cities

Antonio Kung

26/04/2017 Data management and citizens’ privacy in smart cities open governance 1

Page 2

Introduction Speaker

• Antonio Kung, Trialog (www.trialog.com, FR)

– Engineering background - CTO

– Involved in standardisation

• Editor ISO 27550 Privacy engineering

• Contributor ISO 20547-4 Big data – Security and privacy fabric

• Rapporteur ISO SC27

– Privacy in smart cities

– Privacy guidelines in the IoT

– Member

• PRIPARE support action (pripareproject.eu)

– Handbook (March 7th 2016 Press release)

• Methodological Tools to Implement Privacy and Foster Compliance with the GDPR

Page 3

Privacy from a Policy Maker Viewpoint

A demand side vision

Page 4

Deals with Complex Ecosystems

[Diagram. Column labels: Ecosystems, Domains, Concerns. Other labels: Security, Privacy, Safety, Smart grid, Transport, Health, Smart Cities, Big data, IoT.]

Page 5

Must take into account

General Data Protection Regulation (GDPR)

May 25th 2018

• Data controllers

• Data processors

• Data Protection Officers

– All public authorities

– Companies processing more than 5000 data subjects

• Sanctions for breaches

– up to 20,000,000 EUR

– up to 4% of the annual worldwide turnover

Page 6

Must understand these terms

• Privacy-by-design: PbD

– Institutionalisation of privacy management

– Integration of privacy concern in the engineering of systems

• Privacy-by-default

– Highest level of protection by default

• Privacy Impact assessment: PIA

– Process that evaluates impact on privacy

• Note that the GDPR uses the term “data protection” instead of “privacy”

Page 7

Must Manage Privacy in Complex Ecosystem

[Diagram. Labels: Data Controller; Data processor; Comply Privacy Obligations; Integrator; Contracts; Supplier; PIA and PbD, Purpose known; Requirements, Purpose unknown; Apply (twice); Municipality stakeholder; PIA; Citizen; Give consent; Agree; Requests; Agreements for data exchange.]

Page 8

IoT Vision: Supply Chain

[Diagram. Labels: Supplier - Purpose unknown; Middleware, OS, Security module; Electronics, Sensor, Smart device; Device, Cloud solution; Operator, Smart City; Application 1; Supply Chain; Integrator - Purpose known; Operator, Smart City; Application 2; Privacy impact assessment 1; Privacy impact assessment 2; Smart City Officer.]

Page 9

Big Data Vision: Sharing Chain

[Diagram. Labels: Data analytics; Data transformation; Data collecting; Sharing Chain; Data sharing agreement (twice); Smart City Officer.]

Page 10

Several Types of Concerns

[Table. Column headings: Stakeholder; Legal Compliance Concern; Management Concern; System Lifecycle Concern. Entries, in the order they appear: Demand side; Policy maker; Compliance Check; Transparency; Operator, Data Controller; Regulation GDPR; Privacy Impact Assessment (PIA); Sharing Agreement; Privacy-by-Design (PbD); Supply side; Operator, Data processor; Supplier; Operators Requirements.]

Page 11

Privacy Impact Assessment

7-8/03/2017 Sharing Cities GDPR Workshop Slide 11

[Diagram. Labels: Focus of business impact assessment; Focus of privacy impact assessment (PIA); Focus of privacy; Focus of security; Privacy breach; Personal data processing; Threats and vulnerability of system; Impact on citizen’s privacy; Impact on organisation; Risk sources; Consequences.]

Page 12

Privacy-by-design

[Diagram. Labels: Privacy-by-design Lifecycle Process; PIA Process; Analysis; Design; Privacy controls; Privacy Principles; Privacy Requirements; Architecture; PETs; PIA Iteration (twice).]

Page 13

Example: Sharing Cities

Page 14

Sharing Cities work on GDPR Compliance

• H2020 lighthouse project (http://www.sharingcities.eu)

– € 24 million grant

– Cities: London, Milan, Lisbon, Bordeaux, Burgas, Warsaw

• Program

– March 2017 – Workshop on GDPR

• Use case London

• Use case Milan

• Use case Lisbon

– June 2017 – Workshop on PIAs

– Further – Applying a management plan for GDPR compliance

Page 15

Next steps

Common work on privacy management

Page 16

Guidelines for GDPR Compliance

• Privacy management plan

– Governance scheme

– Roles and duties

• Data controllers

• Data processors

• Suppliers

– Resources

• Management

– Repository of PIAs and data sharing agreements

– Interaction with citizens

• Transparency (dashboard)

• Complaints

– Breach management

– Continuous improvement

• Templates

– PIA template

– Data sharing agreement template

– Privacy notice template

– Supplier privacy support description template

Page 17

General Privacy Standards

• Privacy framework 29100

• Privacy impact assessment 29134

• Privacy engineering 27550 (new)

• Code of practice 29151

• Privacy Information management systems 27552 (new)

Privacy Standards for Smart Cities

Guidelines for privacy management?

Privacy Standards for IoT

Guidelines for Things?

Privacy Standards for Big Data

Security and privacy fabric 20547-4

Standardisation?

Page 18

Thanks
