Companies, researchers, and other entities are beginning to collect, store, and process mobility data; but they are also facing the challenge of consent management and privacy management.
Whilst users are aware of the potential value it has, companies who are willing to monetize data by sharing it with third parties must comply with current data privacy laws. In this process are different players involved in managing the data, let’s see their roles.
Who is who in the data journey?
One of the advantages of defining all the roles and responsibilities involved in management and processing, is that the data can be easily used in all types of applications.
- Data subject is the person who generates data, and inasmuch the data owner.
- Data controller is the company collecting the data. These entities must handle consent management, security and data privacy issues.
- Data processors are the companies using the data. In this case, they are data aggregators, data marketplaces, and service providers accessing and using data.
- Data authority are national agencies or bodies that define regulations and legislation about data sharing, in addition to those defined at higher levels like the EU.
No matter which roles we work with from Net4Things in our mobility projects, we protect the confidentiality of data to ensure proper information management, without giving up the ability to analyze the data.
To what extent is data privacy legislated?
In addition to the legislation of each country or the privacy protection measures that companies may wish to take, the European Union has published the latest version of its GDPR in 2018. This regulation states that:
- The data subject must consent to the processing; consent must be given freely, and be specific, informed, and unambiguous.
- The data subject shall have the right to access, to be informed, and withdraw his or her consent.
- The data collector shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- The request for consent shall be presented clearly, distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
Any organization operating within the EU is required to inform European privacy regulators within 72 hours after a data or privacy breach has occurred.
Steps for Successful Management of Mobility Data
As the volume of mobility data being exchanged between different parties grows, it is incumbent upon the parties to create guidelines that ensure proper handling, usage, storage, access, and dissemination. Specifically, companies, associations and cities need to update their processes for the management of sensitive mobility data. These updates should be regular because challenges change.
Here are some good practices for handling sensitive mobility data:
Storage
- Set a time limit for storing personal trip records and destroy the records once the timeline is over. Generally, cities can base this timeline on things like the gathering of enough mobility data for processing and the conclusion of particular traffic violations.
- Always store individual mobility records in a secure database
- Contractors and companies should adhere to set out industry best practices for storage
- Aggregation should precede permanent storage of geospatial data
Sharing
- Only the aggregate form of data should be shared publicly. Data aggregate should at the bare minimum take into account time and population density.
- Cities should retain the right to share mobility data with other administrations for use provided these administrations are ready to follow the outlined best practices.
Access
- Access to sensitive or individual mobility data should be restricted to only a few approved people under the supervision and control of the Internal Data Protection Officer.
- These people should occasionally undergo training on how to handle the sensitive data
- There should be rules regarding when to access individual records. At all costs, the anonymity of the data should be maintained.
Oversight
- Regulate and enforce best practices for mobile data access. As a rule of thumb, access and use of aggregate and sensitive data should be automatically recorded and reported regularly to ensure adherence to the approval process.
Managing Consent: Key task from now on in mobility services!
Manage consents are the way to transform data into a digital currency. In Net4Things we work to fulfill some fundamental pillars around it with our Consent Management Suite included in our Global Mobility Platform and the Mobility Data Services, so it can be customized for any business scenario or service.
First of all, we develop mobility services that comply with regulations in the European Union, but are flexible enough to meet abroad regulations or future changes in the current GDPR.
On the other hand, the final goal of the Consent Management Suite is to provide value in exchange for shared data by connecting the service suppliers and the users through the data creates a truly mobile digital ecosystem.
And finally, in our mobility platform is also essential to handle acceptance and revocation if the users change their mind on sharing their data.