Putting data privacy back into citizens’ hands
The GDPR is a great step forward for data privacy, but it still leaves users with little means to monitor and control how exactly their data is being used. The PoSeID-on (Protection and control of Secured Information by means of a privacy enhanced Dashboard) project team aimed to fill the gap with what they call a “Privacy-Enhanced Dashboard”. With this platform, consumers can retake control over their own data, and decide how much they want to share and with whom. Francesco Paolo Schiavo, General Director at the Italian Ministry of Economy and Finance and coordinator of the project, accepted our invitation to answer a few questions about the new dashboard and its potential benefits for European citizens and e-service providers alike.
Why do people need a Privacy-Enhanced Dashboard such as the one you propose?
Francesco Paolo Schiavo: The Privacy-Enhanced Dashboard is meant to protect personal data. It’s an integrated and comprehensive solution safeguarding the rights of data subjects. As they use the Privacy-Enhanced Dashboard, people will be granted concise, transparent, intelligible and easy access to their personal data. They will know how the latter is being tracked, control and manage their personally identifiable information (PII) processed by public and private organisations, and very much act as data controllers and/or providers. It’s all about making conscious decisions about who can process your own data: you can enable, restrict or revoke permissions in accordance with the data minimisation principle, as well as be alerted in case of privacy exposure.
What would you say makes this solution particularly innovative?
The Privacy-Enhanced Dashboard integrates the cutting-edge technologies needed to ensure accountability and GDPR compliance as far as data processing and exchange is concerned. One key innovation is the securitisation of our open architecture, by means of permissioned blockchain and smart contracts. This provides accountability, transparency and compliance with data protection law. Concretely, the dashboard traces all transactions. It registers user consent and grants a contextual guarantee of data erasure and reduction in identity traceability, all thanks to the mechanism of ‘burnable pseudo-identities’. Another innovation is the integration of state-of-the-art technologies within the Privacy-Enhanced Dashboard. These include cloud, access management according to eIDAS (electronic IDentification, Authentication and trust Services – the EU regulation on electronic identification and trust services for electronic transactions in the internal market) and privacy management with machine learning analysis. To reduce fraud, a Risk Management Module analyses data requests and sends warnings about likely fraudulent use. We also have a Personal Data Analyzer that monitors privacy risk using NLP to validate communication and messages. All these features enable the Privacy-Enhanced Dashboard to offer most of the latest innovative ICT technologies in a box. Moreover, the Privacy-Enhanced Dashboard is user-friendly. It can even be used by organisations wanting to integrate their procedures within a GDPR-compliant tool.
How do you ensure that this tool can counter the wide variety of data tracking methods currently used online?
There are three main aspects to consider here. First, the Privacy-Enhanced Dashboard is an integrated prototype that enables users to dictate how their personal data is shared with public and private organisations. The procedure is easy and accessible to all users. Then, we use source components. This means that we can potentially integrate the dashboard with any public or private ICT architecture. Each single component or toolkit is made available individually so that EU organisations can integrate it within their own systems. This option can potentially guarantee high technological development and competitiveness, and the creation of new business opportunities within the EU market. Finally, the Privacy-Enhanced Dashboard is also a cloud-based service (PEDaaS). Organisations without their own blockchain and/or cloud or that can’t afford the cost of managing GDPR-compliant tools can use it too. In such a scenario, they simply access the PoSeID-on cloud service and use the Privacy-Enhanced Dashboard to monitor and control data processing.
How does the tool work exactly?
Users’ web dashboard is composed of PII processing information and services management: the first part shows PII tracking, while the second one is used for permissions management. You can access it by using your electronic IDentification (eID) accounts, which reduces the risk of identity theft and protects your privacy. From the web dashboard, you can immediately see a risk score indicating your level of privacy exposure. The dashboard will also show evaluation results from several algorithms gauging how risky it is to allow third parties to see your personal data. There is a risk score for each service, and one for all data.
What are the project’s most important outcomes so far?
We have successfully developed the Privacy-Enhanced Dashboard, implemented four different use cases and integrated the Privacy-Enhanced Dashboard with other systems. The system is also fully compliant with the GDPR of technological e-services, including e-administration. We are now proud to have a solution that empowers individuals with the control of their personal data, increases their confidence in e-services and provides new methods to facilitate the deployment of such services.
What do you still need to achieve?
We are finalising our four use cases and proceeding with the full integration of the Privacy-Enhanced Dashboard. Final implementation is expected in December 2020.