Personal Data Stores and the GDPR’s lawful grounds for processing personal data

Abstract

Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.

Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency

Bibtex

Conference paper{nokey, title = {Personal Data Stores and the GDPR’s lawful grounds for processing personal data}, author = {Janssen, H. and Cobbe, J. and Norval, C. and Singh, J.}, doi = {https://doi.org/10.5281/zenodo.3234902}, year = {2019}, date = {2019-05-29}, abstract = {Personal Data Stores (‘PDSs’) entail users having a (physical or virtual) device within which they themselves can, in theory, capture, aggregate, and control the access to and the transfer of personal data. Their aim is to empower users in relation to their personal data, strengthening their opportunities for data protection, privacy, and/or to facilitate trade and monetisation. As PDS technologies develop, it is important to consider their role in relation to issues of data protection. The General Data Protection Regulation requires that the processing of user data be predicated on one of its defined lawful bases, whereby the Regulation does not favour any one basis over another. We explore how PDS architectures relate to these lawful bases, and observe that they tend to favour the bases that require direct user involvement. This paper considers issues that the envisaged architectural choices surrounding the lawful grounds may entail.}, keywords = {Data protection, decentralisation, lawful grounds for processing, personal data stores, Privacy, Transparency}, }