Open Data and Closed Data

Introduction

In our always connected environment, there are considerations that organisations have to make when determining whether certain data should be open or closed access, especially if they have the potential to benefit society as a whole. Decisions that are made can affect how they implement data protection and privacy regulations along with cybersecurity policies. 

Definitions


Open Data: The Open Data Institute (ODI) provides the following definition: “open data is data that anyone can access, use or share.” “Anyone” refers to literally anyone, including commercial users. So Open Data can be accessed, used, remixed and shared again with no restrictions at all. Open Data – Data that meets the following criteria:
  1. Accessible (ideally via the internet) at no more than the cost of reproduction, without limitations based on user identity or intent;
  2. In a digital, machine-readable format for interoperation with other data; and
  3. Free of restriction on use or redistribution in its licensing conditions.
In some cases, the data provider may stipulate that their data is attributed, eg. data users must acknowledge who provided the original data in any outputs they produce.

Closed Data: Closed data is defined by the ODI as “data that can only be accessed by its subject, owner or holder.”

Relation to GDPR


General Data Protection Regulation (GDPR) as a supporter for Open Data

What is the background of the GDPR?

As technologies develop and more and more data are produced and collected, several initiatives seize the potential of the data by re-using it to gain insight or provide new products and services. Mobile applications can, for example, tell users when it will rain in which area by linked weather and geodata. Websites on public procurement provide inside on public spending and decision making. Others combine bus and train schedules and routes to improve public transport and smart city initiatives. Most of the data that is re-used is Open Data not including personal data.

Re-using personal data, can help organisations understand user behaviour and target their marketing activities more effectively. Because personal data is information relating to a person who can be identified, directly or indirectly by the data, the right of privacy is concerned. The right of privacy is a human right anchored in most modern democracies. Because processing personal data concerns the privacy of individuals, the use of personal data is regulated.

What is the aim of GDPR?

In order to set a legal framework for data privacy in the mid-1990s, the Directive 95/46/EC was written. In that time the internet was still a recent innovation and social media was not spread yet. Since then, the technology and the re-use of data outgrew the Directive, making an update necessary. To ensure data privacy, regulations had to expand to digital privacy breaches. Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") replaces the Directive 95/46/EC with the aim to raise awareness, transparency and compliance. It impacts almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad. To increase awareness at the level of the company’s senior executives, penalties in case of non-compliance are increased to up to 20 million Euro or 4% of the worldwide turnover.

How can GDPR increase understanding and trust in sharing data?

However, the aim of GDPR is not to penalise data users but to guide data processing, increase trust and encourage sharing and re-using data. A driver for GDPR is to increase understanding of how personal data is treated and processed. Since digital data is mostly not tangible, it makes it more difficult to understand also because often technical or legal jargon is used. GDPR aims to give citizens back the control on their personal data, to simplify the regulatory environment and to highlight the benefit of data re-use in compliance with data privacy regulations.

In the absence of a clear understanding of data privacy regulations, avoidance, anxiety and misunderstanding hinder trust and literate safe data handling. By setting a solid and current legal framework that protects personal data, it reduces the risk of misuse and privacy breaches.

This way, processing personal data will be more transparent and comprehensible restricted by guidelines and legal barriers. That makes it also easier and more favourable for data (re-)users to process and create value out of data and Open Data. Additionally, it enables to rise to understanding for the benefit of sharing data because it is not overshadowed by the insecurity and anxiety of misuse. This highlights that the GDPR supports sharing and re-using data by increasing transparency and knowledge about how to process data in a safe and legal way. With organisations compelled to handle data with greater care, consumers can be more inclined to not only share their data but understand the benefits of sharing and re-using data. Therefore, GDPR, in fact, supports the concept of Open Data.

What kind of data is concerned by the GDPR?

EUgdpr.org provides a highly exhaustive and comprehensible overview of GDPR and what it means. To help understand GDPR related to Open Data, two definitions of data can help:


  • Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. GDPR deals exclusively with personal data.


  • Open Data refers to data which is open for free access, use and modification to be shared for any purpose. The principles for Open Data are described in detail in the Open Definition. Open Data cannot be considered open if it is not accompanied by a licence that ensures its free re-use.

What are the implications of GDPR for Open Data? 


There is still a misunderstanding about how protecting data and opening data can pursue the same goal. Some even claim GDPR is controversial to the concept of Open Data. GDPR deals exclusively with personal data. The only situation when GDPR directly affects Open Data is when Open Data includes personal data. According to GDPR, European citizens must give their clear and explicit consent to the processing of their data. Therefore, no personal data can be published for re-use without the consent of the affected party.

There are a few exceptions when personal data can be published:

If there are legitimate reasons to publish data. For example, in the case of a court decision. This rule restricts privacy rights in general.

If the data has been anonymised. Anonymisation is the process of removing personally identifiable information from data. Therefore, these data can no longer be referred to as "personal data” and is no longer subject to GDPR. By ensuring that personal data is processed transparent, strictly following GDPR, it can lower the barrier to publish and re-use Open data. Therefore, GDPR can facilitate the data-driven economy, generating new products and services that create value to society, while respecting the rights of citizens.

Cybersecurity Considerations

With data now considered a vital asset essential for many businesses to function there are different cybersecurity consideration to making the data open or closed access. This is due to when something you have that others want increases risk. There are always going to types of data that business will need to and are required to protect such as customer and user data. But if it is a type of data that could benefit society as whole data about health and different types of travel then there could be benefits to sharing the data then just hoarding it. Also, by making certain types of data sets open means cybersecurity resources can be focused on more vital assets that an organisation might have. Also, with  the Cybersecurity Act companies now have to vulnerability disclosure programmes in place instead of hiding them or only reluctant sharing problems. This is a move from closed access to a type of data to open data.

Conclusion

When it comes to data there are no simple solutions since how it is treated, classified, shared and protected are governed by regulations and laws. For some types such as customer billing, it is a simple matter of what to do while for others such as source code there are pros and cons to making the data open or closed. It is a worthwhile conversion to have when concerning data as the application of data not just the creation and hoarding gives it value.

Comments

Popular posts

Balancing functionality, usability and security in design

Personal Interest - Unbuilt fleets of the Royal Navy

Personal Interest - RAF Unbuilt Projects