With the evolution of science, modern technologies in human civilisation are advancing rapidly. Updated laws are also being introduced to tackle the changing circumstances. The General Data Protection Regulation (GDPR) is a recent addition to those laws in the European Union (EU) Member States.
Digital smart city is a modern technological innovation in which the Internet of Things (IoT), 5G technology as well as artificial intelligence, machine learning and other smart and recent technologies are or will be used. However, the concept of ‘smart city’ has not been defined in law. A smart city is designed, built and maintained with the use of advanced, integrated and smart technologies, devices and sensors which can provide and develop a variety of safe, fast and better services in parallel including transportation, education, power, healthcare etc. Various disciplines, including information technology, economic and social development, urban planning and management, sustainable development contribute to developing a smart city. The definition provided by Forrester is useful in understanding the concept. Accordingly, smart city means:
‘The use of Smart Computing technologies to make the critical infrastructure components and services of a city – which include city administration, education, healthcare, public safety, real estate, transportation, and utilities – more intelligent, interconnected, and efficient’. Thus, smart computing becomes a key factor in a smart city platform.
A Data Protection Impact Assessment (DPIA) is a process that identifies and minimizes data protection risks a project mandated by EU Data Protection Law.
DPIA’s must be performed for processing that is likely to result in a high risk to individuals (this includes some specified types of processing). It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
A DPIA must: (i) describe the nature, scope, context and purposes of the processing; (ii) assess necessity, proportionality and compliance measures; (iii) identify and assess risks to individuals; and (iv) identify any additional measures to mitigate those Cookie consent risks.
To assess the level of risk, organizations must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
Controllers should consult with (i) their data protection officer (if they have one) and, (ii) where appropriate, individuals and relevant experts. Processors may also need to assist the controller at this stage. If a controller identifies a high risk that cannot be mitigated, they must consult with the data protection authority before starting the processing.
Under the GDPR Policy Template controllers must carry out a DPIA if the proposed processing is likely to entail a high risk for the individuals whose data are being processed. The GDPR states that a DPIA is mandatory in particular if the following takes place:
Systematic and extensive evaluation of the personal aspects of an individual, including profiling;
Processing of sensitive data on a large scale;
Systematic monitoring of public areas on a large scale.
This limited list only provides broadly defined processing activities. Therefore, in October 2017, the Article 29 Working Party (called the European Data Protection Board, ‘’EDPB’’ since the GDPR came into force) published the Guidelines on Data Protection Impact Assessment. The Guidelines provide more extensive information and additional examples of processing activities which require a DPIA.
The Belgian Data Protection Authority already published a DPIA draft list last year. After the EDPB published an Opinion on this list, along with Opinions on the DPIA lists of 21 other SAs, the Belgian Authority made several changes. In accordance with the updated list, a DPIA is mandatory if an organisation is planning any of the following types of processing:
Processing of biometric data (e.g. fingerprints) of individuals in a public area or private area that is publicly accessible;
Collecting personal data from third parties in order to use that information for making a decision to refuse or end a contract with an individual;
Collecting health-related data by automated means through an active implantable medical device;
Collecting personal data on a large scale by third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of individuals;
Systematic sharing of sensitive data or data of a very personal nature (e.g. related to poverty, unemployment, social work) between data controllers;
Large-scale processing of data subject request management generated by devices with sensors that send data over the Internet or any other means (e.g. Internet of Things applications like smart TVs and smart energy systems) in order to analyse the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of individuals;
Large-scale and/or systematic processing of telephony-, Internet- or other communication data, metadata or localization data of individuals (e.g. Wi-Fi tracking), when such processing is not strictly necessary for the service requested;
Large-scale processing of personal data where behaviour of individuals is observed, collected, established or influenced in a systematic manner and by using automated means.
There are no strict rules on how a DPIA should be carried out, but it should at least document the following elements:
A description of what types of processing will take place and for which purposes;
An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
An assessment of the risks to the rights and freedoms of the data subjects;
The measures that will be used to address the risks and to demonstrate GDPR cookie consent compliance. For example, minimising the data collected, pseudonymising or anonymising data as soon as possible, tightening access restrictions, or raising the overall level of security.
If the risks that have been assessed are considered too high, without sufficient measures to address them, controllers are obligated to consult their SA before the processing may be carried out. Generally, the SA is required to respond to this consultation within eight weeks.
Controllers are responsible for carrying out DPIAs, but processors are required to assist controllers if this is necessary and the controller requests this. They shall assist by providing all necessary information, such as security measures relating to the processing of personal data.