Protecting data and opening data
Publication Date/Time
2018-06-06T09:00:00+00:00
General Data Protection Regulation (GDPR) as a supporter for Open Data
WHAT IS THE BACKGROUND OF THE GDPR?

As technologies develop and more and more data are produced and
collected, several initiatives seize the potential of the data by
re-using it to gain insight or provide new products and services.
Mobile applications can, for example, tell users when it will rain in
which area by linked weather and geo data. Websites on public
procurement provide inside on public spending and decision making.
Others combine bus and train schedules and routes to improve public
transport and smart city initiatives. Most of the data that is re-used
is Open Data not including personal data.

Re-using personal data, can help organisations understand user
behaviour and target their marketing activities more effectively.
Because personal data is information relating to a person who can be
identified, directly or indirectly by the data, the right of privacy
is concerned. The right of privacy is a human right anchored in most
modern democracies. In Article 8 of the European Convention on Human
Rights
[https://human-rights-law.eu/echr/article-8-echr-right-to-private-life-family-life-correspondence-and-home/],
it states that "Everyone has the right to respect for his private and
family life, his home and his correspondence." Because processing
personal data concerns the privacy of individuals, the use of personal
data is regulated.

WHAT IS THE AIM OF GDPR?

In order to set a legal framework for data privacy in the mid-1990s,
the Directive 95/46/EC was written. In that time the internet was
still a recent innovation and social media was not spread yet. Since
then, the technology and the re-use of data outgrew the Directive,
making an update necessary. To ensure data privacy, regulations had to
expand to digital privacy breaches. Regulation (EU) 2016/679 (the
General Data Protection Regulation, or "GDPR")
[https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en]
replaces the Directive 95/46/EC with the aim to raise awareness,
transparency and compliance. It impacts almost every organisation that
is based in the EU, as well as every organisation that does business
in the EU, even if based abroad. To increase awareness at the level of
company's senior executives, penalties in case of non-compliance are
increased to up to 20 million Euro or 4% of the worldwide turnover.

HOW CAN GDPR INCREASE UNDERSTANDING AND TRUST IN SHARING DATA?

However, the aim of GDPR is not to penalise data users but to guide
data processing, increase trust and encourage sharing and re-using
data. A driver for GDPR is to increase understanding of how personal
data is treated and processed. Since digital data is mostly not
tangible, it makes it more difficult to understand also because often
technical or legal jargon is used. GDPR aims to give citizens back the
control on their personal data, to simplify the regulatory environment
and to highlight the benefit of data re-use in compliance with data
privacy regulations.

In the absence of a clear understanding of data privacy regulations,
avoidance, anxiety and misunderstanding hinder trust and literate safe
data handling. By setting a solid and current legal framework that
protects personal data, it reduces the risk of misuse and privacy
breaches (attentionally or due to a lack of knowledge or awareness).
GDPR determines the conditions for consent:
[https://www.eugdpr.org/key-changes.html]

_"... companies will no longer be able to use long illegible terms and
conditions full of legalese, as the request for consent must be given
in an intelligible and easily accessible form, with the purpose for
data processing attached to that consent. Consent must be clear and
distinguishable from other matters and provided in an intelligible and
easily accessible form, using clear and plain language. It must be as
easy to withdraw consent as it is to give it._

This way, processing personal data will be more transparent and
comprehensible restricted by guidelines and legal barriers. That makes
it also easier and more favourable for data (re-)users to process and
create value out of data and Open Data. Additionally, it enables to
rise understanding for the benefit of sharing data because it is not
overshadowed by the insecurity and anxiety of misuse. This highlights
that the GDPR supports sharing and re-using data by increasing
transparency and knowledge about how to process data in a safe and
legal way. With organisations compelled to handle data with greater
care, consumers can be more inclined to not only share their data but
understand the benefits of sharing and re-using data. Therefore, GDPR
in fact supports the concept of Open Data.

WHAT KIND OF DATA IS CONCERNED BY THE GDPR?

EUgdpr.org [https://www.eugdpr.org/eugdpr.org-1.html] provides a
highly exhaustive and comprehensible overview on GDPR and what is
means. To help understand GDPR related to Open Data, two definitions
of data can help.

Personal data is "any information relating to an identified or
identifiable natural person ('data subject'); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person".
GDPR deals exclusively with personal data.

Open Data refers to data which is open for free access, use and
modification to be shared for any purpose. The principles for Open
Data are described in detail in the Open Definition
[http://opendefinition.org/]. Open Data cannot be considered open if
it is not accompanied by a licence that ensures its free re-use.

WHAT ARE THE IMPLICATIONS OF GDPR FOR OPEN DATA? 

There is still a misunderstanding about how protecting data and
opening data can pursue the same goal. Some even claim GDPR is
controversial to the concept of Open Data. GDPR deals exclusively with
personal data. The only situation when GDPR directly affects Open Data
is when Open Data includes personal data. According to GDPR, European
citizens must give their clear and explicit consent to the processing
of their data. Therefore, no personal data can be published for re-use
without the consent of the affected party.

There are a few exceptions, when personal data can be published:

	* If there are legitimate reasons to publish data. For example, in
the case of a court decision. This rule restricts privacy rights in
general.
 	* If the data has been anonymized.

Anonymization is the process of removing personally identifiable
information from data. Therefore, these data can no longer be referred
to as "personal data" and is no longer subject to GDPR. By ensuring
that personal data is processed transparent, strictly following GDPR,
it can lower the barrier to publish and re-use Open data. Therefore,
GDPR can facilitate the data-driven economy, generating new products
and services that create value to society, while respecting the rights
of citizens.
