GDPR Compliance in EU-funded Projects

Protection of personal data and privacy are one of the most important ethical challenges. Across all EU research funding schemes, Ethics has a transversal nature. For that reason, it prevails all working packages and task within scientific and research projects.

Managing privacy and data protection within projects such as IoT-NGIN, CYRENE and AI4HealthSec requires:

• leadership and guidance from the partner responsible for ethics and legal issues
• supervision and synchronization of activities from project coordinator
• active participation of all project partners
• and, when necessary involvement of the project officer.

Because privacy and data protection should continue to develop and mature over time, all project partners must understand just how they contribute and support data protection efforts, what is the meaning of potential Conditional Clearance and Ethics Requirements the project received, what are steps within the Ethics Appraisal Process, where to find relevant reference documents etc.

Transposing the GDPR Compliance Requirements

General Data Protection Regulation (GDPR) is the cornerstone of the European Union data protection regulatory framework. In general, application of the GDPR is required whenever personal data is processed by entities based in European Union or whenever processing activities include data of natural person in European Union. To satisfy GDPR requirements in an EU-funded project, various activities are required. Among these activities are the adoption of privacy policies and procedures as well as their enforcement at functional level, deployment of privacy-enhancing and security-enhancing controls, the assessment of compliance states, establishment of controlling/monitoring mechanisms including potential external supervision by an Independent Ethics Advisory Board, appropriate information providing about data processing activities and lawful and secure sharing of data.

The GDPR enshrines the principle of accountability. This is one of the most important concepts introduced by GDPR. In essence, this principle laid down that anyone that process personal data should be able to demonstrate the capacity to comply with applicable privacy laws and principles. The idea behind the principle is that someone must be responsible when collect and process information about people throughout the whole data lifecycle. Being accountable for data processing activities ensures that the GDPR requirements are satisfied.

How GDPR Compliance increases exploitation potential: the case of IoT-NGIN

Being complaint with the GDPR goes beyond the legal obligation of the project partners and brings additional benefits to the exploitability of project outcomes. The following section will examine these benefits across several projects where Privanova leads the GDPR Compliance efforts and acts as the Ethics and Legal Manager for the project.

IoT-NGIN: GDPR Compliance as part of the Next Generation Internet

The IoT-NGIN project extends the interoperability and intelligent edge computing of IoT systems. To achieve its results, IoT-NGIN combines different technologies and approaches including the need for high-level of cybersecurity, trust and privacy, use of blockchain and DLTs, mobility requirements adapted to 5G networks, M2M, ML Artificial Intelligence as well as the principles of Data sovereignty, Data Security and Scalability.

In this context, there are several domains that are directly improved when data protection principles are respected and properly transposed into project requirements. Namely, being complaint with GDPR enables to a data controller/processor to process data with increased quality and value. Also, use of high-quality data improves the end-user’s business processes and forms a ground for a process automatization. In return, better business processes help to better understanding of data, data processing purposes, retention period, storage-related facts as well as measures applied to secure data which is extremely important for a project aiming to support societal changes and economic growth, such as the IoT-NGIN. Well-organized, GDPR-compliant processes for handling personal data result in improvement of data security and decreased risks regarding potential data breaches. Therefore, by assisting the Coordinator in fulfilling a series of ethics requirements and by focusing on the data protection compliance as part of the overall Data Management and Risk Management of the IoT-NGIN, Privanova delivered improved exploitability of project results and contributed to their uptake by the end-users.

IoT-NGIN: GDPR Compliance within the Ethics Appraisal Process

In terms of GDPR Compliance, the fact that IoT-NGIN underwent an in-depth ethics assessment and addressed a number of ethics requirements means that the project performed a collaborative risk-assessment across various aspects and delivered a documented proof of compliance against the EU Ethics Appraisal Process requirements. These, in particular, cover many of the GDPR compliance aspects.

In addition, the consortium partners made sure that all relevant instances and stakeholders within the CYRENE ecosystem are accountable for safekeeping and responsible use of personal information. This is not just important to regulators and for compliance reasons, but also to individuals whose personal data is (or will be) processed and to the general population. Therefore, the GDPR transposition and implementation efforts within CYRENE resulted in

• documented readiness to demonstrate compliance with applicable data protection principles
• the reduction of data breach risks
• the trust-based approach to building project outcomes and
• enhanced reputational advantages for the project outcomes and its potential end-users.