The ELISE action organised a webinar titled "GDPR and location data" on 24/04/2018, 09:30 – 11:00 (CEST). The event was chaired by Ray Boguslawski (JRC, External Consultant). The presentations given are made available on this page.
Presentation | Presenter | Affiliation | Material |
Overview and background to GDPR and location data | Dara Keogh | JRC, External Consultant | Slides |
Location data as personal data | Efrén Díaz Díaz | Lawyer, European Data Protection Officer, Bufete Mas Y Calvet, ES | Slides |
GDPR in Norway – a view from Kartverket | Laila Aslesen | Senior Legal Advisor, Data Protection Officer, Norwegian Mapping Authority | Slides |
Overview and background to GDPR and location data
Dara Keogh outlined the key features and some unique features of location data, the ongoing historical development and some legal thinking from the Article 29 Working Party around location data as constituting personal data. The presentation outlined ongoing industry developments such as IoT and Blockchain, and recent data scandals with Facebook and Under Armour that affect thinking around location and personal data. It went on to explain the key rationale and benefits of GDPR. Some contrasts were then brought in from recent articles (Harvard Business Review) and surveys (KPMG, HERE) that showed both opposition to and support for the thinking around and implementation of GDPR.
Location data as personal data
Efrén Díaz Díaz set out the principles and underlying key rules for GDPR. The key driver for GDPR is to better protect personal data and end the fragmentation in the implementation of current data protection policy across the EU. GDPR is set to produce homogeneous and effective protection. A key question posed during the presentation was whether ‘location information is personal data’. The answer is that it can be, depending on the level of detail and whether it can be linked to an individual. Location is personal when it reveals a person’s location; however, maps and national registers, for example, would not be personal data. It can be hard to distinguish when data is personal: for example, a personalised bus timetable may be regarded as personal as it may enable identification of a person. When considering whether location data could be personal data, consideration needs to be given to scale and linkability. The core principles that need to be adhered to are lawfulness and transparency, data minimisation, purpose limitation and proactive responsibility.
GDPR in Norway – a view from Kartverket
Laila Aslesen outlined the current approach in Norway to GDPR and location data. The location/address is freely distributed, while land registry and cadastre data are regulated and exempted from most users’ rights. The main concern is with employees and visitors/users, with a focus on internal processes. Laila also noted that procedures needed to be examined and developed for personal data not currently covered by the law. The internal procedures, controls, privacy by design, DPIA, training, communication procedures, informing about breaches, mapping the data journey etc. are the tip of the iceberg around the implementation of GDPR. This will require heavy resource time and training of staff across the organisation, along with separate archiving, storing and deletion processes.