With the Smart City Expo World Congress currently taking place in Barcelona, we wanted to delve into one of the hot smart city topics that EUROCITIES will be exploring in more detail with our members in the coming months.
Data protection has been a much in vogue topic in media articles and popular debate this year, especially following the implementation of the EU’s data protection regulation last Spring.
To find out more, we interviewed Bart Rosseau, chief data officer, and Seppe Vansteelant, data protection officer, from the city of Ghent:
What does the new EU General Data Protection Regulation (GDPR) mean for smarter cities?
The main impact stems from the fact that a lot more thought goes into privacy when starting a smart city project. The GDPR doesn’t block new initiatives, but forms a framework with rules which have to be taken into account when processing personal data. For example: how do we find innovative ways to obtain consent in case someone is tracked via sensors in a museum.
What are cities doing about it?
Many cities have to try out several ways of complying with the regulation. EUROCITIES, the network of major cities in Europe, is, however, already providing a forum through its working group on data which is part of its Knowledge Society Forum where European cities can exchange their experiences with implementing the regulation.
Has this change caught smart cities by surprise?
We think that data protection was mostly already an important part of smart city projects even before the GDPR was applied. Don’t forget that the GDPR was preceded by directive 95/46/EC which was translated in the different member state law. Some member states already had a very far-reaching privacy legislation, which meant that the GDPR was not much more demanding.
How do you, and others in your role, work within a city administration?
Among others, the main tasks currently are: providing the different departments and offices with expert advice on how to implement and maintain the GDPR, increasing awareness within the organisation on privacy and data protection through learning sessions etc., complying with a number of new obligations the GDPR formulates like building a registry of data processing activities, and creating new policies on how to provide the rights the data subjects have which the GDPR specifies.
How can smart cities maintain data privacy?
A good policy in which data is privacy-sensitive is key, and helps to keep tabs on how these datasets are being used, combined through different systems and algorithms. This means ownership of the data and ownership of the process must be claimed, combined with responsibility.
What risks does data management pose?
Not all municipalities have a significant IT budget. The biggest risks are thus an insufficiently maintained IT-architecture. The biggest cities will not have that issue, but smaller cities and even smaller municipalities often don’t have the resources to maintain a high level of security, though they still want to provide many e-services to the populace and implement smart-city strategies.
How has Ghent innovated in this area?
IT plays a big role in augmenting the life and services towards citizens. But this does not always mean a digital end product. We have a notification app for trash, we’re experimenting with smart garbage bins and are continuing our work with open data. But using digital tools like our participation platform makes the offline contacts between city government, officials and citizens more valuable.
Over the last four years we invested a lot in the smooth handling of digital services, implementing the only once principle while respecting the GDPR requirements.
A lot of the innovation is based on our implementation of Linked Open Data, where the information and data underlying websites and applications is also accessible for third party applications.
What should local authorities do to be proactive about data concerns?
Contact your local Data Protection Officer before you start with a project . Privacy by design must be the first thing project managers think about when starting with these kinds of things. This way, one can think in advance about how to obtain proper consent or find out if there is another legal basis, or how the data subject will be informed of the specific processing activity, etc.