General data protection

For a Smart city powered by CitySys to be achieved, citizens and organisations, including government, need to collaborate amicably. Smart City by CitySys can be viewed as a simple push and pull model. The push being organisations, complying to government policies, introducing smart technologies. The pull being citizens choosing to gain control and accept the integration of smart technologies into cities. If GDPR can be successfully integrated, powered by trusting relationships, a Smart City vision can be reached. The key is establishing GDPR compliancy, whilst simultaneously innovating smart technologies for a smarter future.

The implementation of the General Data Protection Regulation (GDPR) intensified regulatory requirements in terms of data protection for smart city projects.

In particular, the mandatory Data Protection Impact Assessment (DPIA) process constitutes a new challenge for those data processing activities entailing “high risks”
for the rights and freedoms of individuals. Furthermore, as the EU legislator explicitly requires a DPIA to be performed for projects that conduct either “systematic
monitoring of public areas on a large scale” or “processing of sensitive data on a large scale”, a wide range of smart city projects will most probably fall within the envisioned scope of the DPIA obligation.

Challenges with respect in the smart city context will vary depending on two main factors:
• the complexity of the urban environment in which this service is provided
• and the complexity of the smart city service itself.

The GDPR guide advises adoption of different strategies and frameworks to ensure compliancy such as:

Privacy by design (PbD) where privacy led infrastructure of CitySys is built into technologies at the start of their lifecycles.
Our software engineers are required to adopt privacy mindsets, where the data collected is within the purpose limitation clause that ensures personal data is:
“collected for specific, specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

Privacy impact assessments (PIA) enhance PbD effectiveness by helping organisations discover and avoid privacy risks for new projects or policies.
Documentation (consent forms, privacy notices) required to be concise and legible. The results not being incomprehensible legal jargon preventing citizens
from understanding data collection purposes. Organisations are required to demonstrate their compliancy via these documents

CitySys respecting GDPR is a two-sided coin of organisations and citizens. The second purpose of GDPR is to educate citizens
on their individual rights ensuring they know how they work and understand their vital role in holding organisations accountable.

Citizens have the Right to:
· Be informed
· Access
· Erasure
· Rectification
· Object
· Restrict processing
· Data portability
· Automated decision-making

GDPR aims to:
1.Legally enforce data protection measures so organisations are forced to take data security more seriously.

2. Give citizens access to their rights to assert control over personal data.

By combining these two aims building trusting relationships, where citizens happily engage with organisations, becomes achievable.