A new frontier for data

The probable impact of the forthcoming data protection regulations on technical products and services is beginning to emerge, says Hywel Davies

The pace of technological change continues to accelerate. Nearly 50 years ago, Neil Armstrong took that ‘giant leap for mankind’, and today’s smartphones pack more computing power than an Apollo spacecraft.

In the 20 years since the UK passed the current Data Protection Act, we have seen the explosive growth of email, the worldwide web and the internet, and the rise of social media – all driven by faster and faster connectivity, powering smartphones, tablets and services.

The nature of developing technologies, such as artificial intelligence and machine learning, suggests continuing transformation and further, faster change will be the norm. Cloud computing and the Internet of Things (IoT) are increasingly common in everyday applications. Into this landscape come the European General Data Protection Regulation (GDPR) and the UK Data Protection Bill, which is before parliament and which enables the UK information commissioner’s functions, a direct-marketing code of conduct, and other related purposes.

The UK has triggered Article 50 and – though we don’t yet know the nature of our future relationship with the EU – it is certain to involve businesses in the UK and the EU trading with – and holding data about – each other. So we will have to engage with GDPR and the UK legislation – and GDPR comes into effect on 25 May 2018, when the UK will still be in the EU.

GDPR applies to organisations outside the EU that offer goods or services to individuals in the EU. To use a well-known example to CIBSE members, therefore, it applies to ASHRAE processing data about European members.

So why do we need to pay attention? GDPR moves processing of personal data onto a more rigorous level and gives people more control over their data. According to the Information Commissioner’s Office (ICO), ‘personal data’ means any information relating to an identifiable person who can be directly or indirectly identified from an identifier. This definition covers a wide range of ‘personal identifiers’, including name, identification number, location data, or online identifier, reflecting changes in technology and the way organisations collect information about people. It could also cover images on security systems.

 Anyone handling personal data needs to think about how they will comply 

A large business that issues people with smart access cards to move around a corporate office, and collects data on who went where and when, is collecting personal data. The data subjects have a right to access that information, and need to give their consent to it being collected. If it is a multi-tenanted office, and the data is collected by the landlord, the employing tenants may need a contract to access the data. When someone leaves – and their access rights are withdrawn – great care will be needed, especially if their leaving is not by mutual consent.

There is a new ‘right to be forgotten’. While this is intended to allow people to have material removed from social networks – perhaps because of embarrassment – or to erase an unwanted past association, it applies to anyone who has had data collected on them with their full consent.

A domestic smart energy meter is collecting personal data. If this is processed by a third party for the utility company, they must have a clear contract that covers all aspects of the use, protection, retention and disposal of the data. If the processor falls short, the utility will be liable, just as if it had fallen short.

If the meter data collector suffers a breach involving personal information, there are strict rules for disclosure – not just to the utility firm, but to customers whose personal data may have been compromised and the ICO. And the deadline is short: in many cases 72 hours.

So what about the IoT? By 2020, 20 billion devices will be connected to it, and many of these will be collecting personal data. This may be pattern-of-use data, which reveals an individual’s personal routine, showing when a home is likely to be vacant. While this is not new, the right to require that data to be removed is – so those developing systems to collect personal data will need to work out how they comply with GDPR.

Finally, GDPR applies to automated and manual filing systems holding personal data – including those where data has been pseudonymised or key-coded, if the coding can be worked out. This means data collectors with large data sets that may be of value for statistical research – such as the major energy-use databases used for energy epidemiology studies – will need to be reviewed carefully, to ensure they do not fall foul of the GDPR.

The regulation comes into force in May and there is no option for postponement. Anyone handling personal data needs to think now about how they will comply – there is no time to lose.

Dr Hywel Davies is technical director at CIBSE