TERMINET is a novel next-generation reference architecture based on cutting-edge technologies comprising SDN, multiple-access edge computing, and virtualisation for next-generation IoT, while introducing new, intelligent IoT devices for low-latency, market-oriented use cases. Such innovative IoT-related projects require an extensive, proactive, risk-based strategy for privacy and data security. SIDROCO is responsible for designing a privacy plan and putting it into action, and for ensuring that each of TERMINET's partners adheres to privacy and data protection legislation.
The EU GDPR governs how the personal data of individuals in the EU may be processed and transferred. Art. 35 of the GDPR established the PIA or DPIA instrument, which requires that an impact assessment be undertaken and documented before any of the projected data processing is initiated. To ensure compliance with the GDPR, organizations are required to implement a range of measures, such as appointing a Data Protection Officer (DPO), conducting regular data protection impact assessments (DPIAs), and implementing appropriate technical and organizational measures to protect personal data. Being a Horizon 2020 funded project, TERMINET strives to enhance research and development in the EU as well as to secure the quality of the project's deliverables. To that end, data flows among the components must be safeguarded not only technically but also legally.
TERMINET's ROTA software is intended to assist data controllers in achieving and demonstrating the necessary compliance with the GDPR. ROTA is configured to fit TERMINET's technical requirements, while also drawing on the appropriate PIA methodologies and guidelines.
The first step of the ROTA implementation for GDPR compliance at TERMINET is to identify the scope of the project and the data processing activities involved. TERMINET partners have analysed the data flows, the types of personal data being processed, and the potential risks to individuals' privacy. Once the scope had been defined, the next step was to conduct a detailed analysis and assessment using the relevant software, which for TERMINET's purposes is ROTA. This tool provides a comprehensive framework for conducting a PIA that considers the GDPR's requirements, as well as other relevant data protection laws and regulations. This allows data controllers to identify and mitigate potential privacy risks, ensuring that their data processing activities comply with legal requirements. The TERMINET case study has minimised privacy risks related to the data processing activities. Some of the controls used in TERMINET include anonymizing or pseudonymizing modules for personal data, restricting access to data on a need-to-know basis, and implementing secure data storage and transmission protocols. By adhering to these measures, TERMINET data controllers reduce the risk of data breaches, data theft, or unauthorized access, thereby protecting the privacy of individuals whose data is being processed.
The primary conclusions and noteworthy successes arising from conducting a PIA within the context of the TERMINET project show that ROTA has proven to be an invaluable tool for identifying potential risks and vulnerabilities, and that it allows for the implementation of effective mitigation strategies. Moreover, the success stories stemming from the PIA demonstrate the tangible benefits of incorporating privacy and data protection into TERMINET's design from the outset. This has enabled TERMINET to foster greater stakeholder trust and confidence in the project, thereby contributing to its overall success.