Our continuous work with GDPR

The Background

Trust is crucial, and consumers today have lost their trust in data-driven organizations because of their massive gathering of personal data. That is one of the reasons why privacy-friendly technologies are considered necessary to improve efficiency and sustainability in organizations and society, while at the same time securing our democracies.

Societies are becoming ever more reliant on gathering and using more data to increase efficiency and be more sustainable. This is a fantastic opportunity, which at the same time increases the risks by challenging our human rights.

The dissonance between the digital society and privacy and the growing need to capture more and more data – including personal data – creates great risks of human rights violations. It was to protect our human rights that the EU created GDPR.

The Problem

There is a need for a change in the disconnect between privacy and the data-driven society. Those who solve the issue of how we can create value while at the same time maintaining integrity are the winners. The losers are those who do not collect data and those who do not care about privacy.

Two of our main questions have been:

  1. How can we increase the accuracy and credibility of people counters without processing biometric data and without storing personal data?
  2. And, since a people counter based on consent relies on a massive gathering of biometric data, how can we create a privacy-friendly solution, where organizations do not need consent and all parties comply with the GDPR?

1. Understanding the market need

We conducted needs studies together with various organizations in the market to understand and validate their problems with a lack of knowledge: that they actually saw it as a problem, a need, and that their need was large enough for an alternative solution that does not infringe on privacy.

2. Finding the solution

We began the exploration and development of our unique solution in parallel with our market research. This research lasted for more than 18 months. The result was that we saw an opportunity to find a way that both met the market's needs and ensured integrity: a solution that can help societies to grow, improve, and become more efficient and sustainable – and that can do so without violating our integrity.

Our research ended with a technical validation of our solution, which we considered to be both anonymous and able to learn visiting behaviors. A solution that we considered raised the overall integrity of society.

3. Documenting our solution

We carefully and clearly documented how the solution technically worked. We explained and argued, created a data map of how the data is processed, visualized our system architecture, philosophized about what anonymization is, and compared our solution with EU definitions, guidelines, and other various studies.

4. Analyzed the various existing anonymization methods

We conducted a comparative analysis of different anonymization methods, since many organizations use the concept of anonymity as a marketing term. The EU considers building anonymous systems to be highly complicated, which is why we felt compelled to critically evaluate our solution. We asked ourselves: what are the various methods of anonymization, how do various organizations define anonymity, how does the EU define anonymity, are the other methods really anonymous, how different is our solution, how anonymous is our solution, and is our solution anonymous at all?

5. Adapted our organization according to guidelines defined in the GDPR

We initiated a full-scale GDPR project for our organization. We created processes, routines, internal IT security policies, information security policies, anonymization policy, ethics policy, data processing agreements, secure development processes policy, etc., and published everything online for everybody to read.

6. Conducted multiple risk analyses

Once we had satisfactory documentation, we used the best IT-security experts we could find and asked them to conduct multiple risk analyses. The result of the first risk analysis showed some issues. We went back to our development, solved the issues, and conducted another risk analysis which indicated that we had a good level of security.

7. Conducted a Data Protection Impact Assessment

We consulted with the best legal advisors we could find and conducted a data protection impact assessment together with them. We gave them all our information, showed them how it all works, answered all their questions, and gave them months to process everything. The result was that they believed that we had a good argument for a lawful basis.

8. Asked other experts to challenge our beliefs

We asked the leading experts in IT security, law, and data protection to review and challenge our documentation, our beliefs, and our solution, since we understood the complexity of our solution and GDPR. The goal was for them to find cracks, offer a new perspective, or explain why this was not legal. The result of all these reviews was that they agreed with the results of the previous audits.

9. Applied for a Prior Consultation from the Data Protection Authority

We applied for a three-month-long prior consultation by the Swedish Data Protection Authority.

In their final decision, the Swedish Data Protection Authority notes that Indivd’s processing of personal data complies with the Data Protection Regulation, provided that it is done in the manner stated and planned.

Continued work for compliance

An organization has no fixed contour. It is constantly in motion. Therefore, it is necessary to constantly keep the internal and external GDPR work up to date, highly conscious, and alive. Our road to compliance has taken us several years and we see it as our mission to continue living by our policies, ensuring that future updates and services never reduce our level of data protection.