How does GDPR affect open personal data?

News date: 11-04-2018

The new General Data Protection Regulation (GDPR) marks a before and after in citizens' rights regarding the governance of personal data and privacy. This Regulation updates the Data Protection Directive, which was created in 1995 and has become obsolete given the new technological environment and social behaviours, and it unifies the regulatory requirements across the 28 member countries.

GDPR was adopted in 2016, but Public Administrations and companies have two years to prepare for the new legislation. On May 25 of this year the deadline expires and GDPR will become fully effective. It applies not only to organisations located within the EU, but also to any organisation that captures, stores or processes personal data of EU citizens, regardless of where it is located.

According to GDPR, personal data means any information relating to an identified or identifiable natural person. This very open definition raises a number of doubts. Under GDPR, a professional email, an IP address or a cookie's content are personal data. The same goes for all the data captured by wearables or sensors linked to Internet of Things or smart city initiatives, as long as they identify a person.

Some personal data may include value-added information for citizens and re-use companies, but its open publication may threaten privacy. According to GDPR, European citizens must give their "clear and explicit" consent to the processing of their data. Therefore, no personal data can be published for re-use without the consent of the affected party. It is important to highlight that this situation was already included in the Spanish Data Protection Law (specifically in Article 6.1), so it is not a big change.

However, there are exceptions that allow the publication of personal data:

  • If there are legitimate reasons to publish data. For example, in the case of a court decision. This aspect was already discussed in a previous article.
  • If the data has been anonymized. Anonymization is the process of removing personally identifiable information from data. As a consequence, the data stops being "personal data". That is, we eliminate the data that can identify a person or replace it with generic variables, such as postal districts, age ranges, levels of studies, etc. As we have seen, GDPR only affects personal data, so if data stops being “personal”, it is no longer subject to this Regulation.

Anonymization is a good resource to maintain the usefulness of open data, allowing different processing activities (such as analysis or statistical studies), but it also has risks. We should not confuse anonymization with pseudo-anonymization, where identity is hidden but a trace remains that can identify the citizen. Anonymization should ensure that information about a particular citizen cannot be pieced back together by inference from the non-personal data included in an open dataset.
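The generalization described above (postal districts, age ranges, levels of studies) and the inference risk can both be checked before a dataset is released. The following is an added example, not part of the original article: it measures the result with k-anonymity, a metric the article does not name, and the records, field names and the two-digit postal district are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Ana Ruiz",   "postal_code": "28013", "age": 34, "studies": "university"},
    {"name": "Luis Gil",   "postal_code": "28014", "age": 37, "studies": "university"},
    {"name": "Eva Mora",   "postal_code": "28015", "age": 31, "studies": "university"},
    {"name": "Juan Soto",  "postal_code": "08001", "age": 52, "studies": "secondary"},
    {"name": "Marta Vega", "postal_code": "08003", "age": 58, "studies": "secondary"},
    {"name": "Pablo Cano", "postal_code": "41004", "age": 83, "studies": "primary"},
]

# Fields that are not identifiers alone but can single someone out in combination.
QUASI_IDENTIFIERS = ("postal_district", "age_range", "studies")

def generalize(record, age_step=10, district_digits=2):
    """Drop the direct identifier (name) and replace precise values with generic ones."""
    low = (record["age"] // age_step) * age_step
    return {
        "postal_district": record["postal_code"][:district_digits],  # assumed district = prefix
        "age_range": f"{low}-{low + age_step - 1}",
        "studies": record["studies"],
    }

def group_sizes(rows):
    """Count how many rows share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)

def smallest_group(rows):
    """The k in k-anonymity: size of the rarest combination (1 means someone is unique)."""
    return min(group_sizes(rows).values())

def suppress_rare(rows, k):
    """Withhold rows whose combination appears fewer than k times."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]

def publishable(records, k=2):
    """Generalize every record, then release only rows that hide among at least k."""
    return suppress_rare([generalize(r) for r in records], k)

if __name__ == "__main__":
    rows = [generalize(r) for r in RECORDS]
    print("smallest group after generalization:", smallest_group(rows))
    safe = publishable(RECORDS, k=2)
    print("rows released:", len(safe), "| smallest group:", smallest_group(safe))
```

Even with names removed and values generalized, the 83-year-old in the sample remains the only row with that combination, which is exactly the inference risk described above. A large enough group is necessary but not sufficient: if everyone in a group shares the same sensitive value, that value is still disclosed.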

In the current context, privacy is an inevitable concern when we talk about open data. To ensure regulatory compliance, it is important to regulate and monitor data flows, so that privacy and freedom of information, and the interests of citizens and data reusers, can be balanced. In this way, we will be able to promote the data-driven economy, generating new products and services that create value for society, while respecting the rights of citizens.