As we explore the safe and fair integration of drones with manned aircraft, data protection and compliance are becoming more and more of a concern. The stakes associated with data breaches are higher than ever, and new regulations like the EU’s General Data Protection Regulation (GDPR) show what is at stake for any drone company that doesn’t take data protection seriously. Infringements of the regulation can result in fines heavy enough to force a company to cease operations.
These stakes are part of the reason that Maria Varela has been specifically studying GDPR and Information Security since 2017. A consultant for more than 25 years with experience in industries that range from utilities to government to insurance to aviation, her passion for process and technology influenced this focus, and it’s also why she founded Smaare Consulting in 2018. The company’s principal goal is to help drone companies comply with privacy regulations and protect their business information.
Smaare Consulting helps clients determine how their critical data is being processed and how they can protect it. From providing GDPR gap analysis to data protection training, Smaare Consulting is dedicated to helping drone companies that are focused on everything from performing inspections with small drones to supporting urban air mobility ecosystems. We caught up with Maria to ask her how she creates value for her clients, how GDPR has impacted the way drone companies can operate, and much more.
Jeremiah Karpowicz: How has GDPR changed the way in which certain organizations in Europe can operate?
Maria Varela: GDPR exemplifies the biggest change in data privacy law that Europe has seen for more than 20 years. It represents a step change in the regulatory environment relating to the governance of how organisations can collect, store and process personal data. GDPR increased the powers of data protection supervisory authorities to take enforcement action when companies get things wrong. The fines that supervisory authorities can issue were increased to a maximum of 4% of global annual turnover or €20 million. The impact is real.
GDPR impacts the way companies handle personal data, including having the latest documentation and communication on data protection. GDPR also places more accountability on organizations for the handling and storing of personal information. Additionally, GDPR has reshaped the way corporations around the world approach data privacy and has also strengthened the rights of people who may have their Personal Data processed or handled by other companies.
Tell us about the drone clients that you work with. How are you able to create value for them, and how has GDPR impacted what this value can look like?
Our clients are small and medium-sized firms that conduct drone operations for a commercial purpose, pilot training firms and insurance companies. With GDPR & ISO 27001 services, our clients can ensure stronger enforcement of rules, an increased competitive advantage, fewer security incidents and protection of the organization’s reputation, as well as the ability to attract investors by demonstrating legal compliance and the implementation of security procedures.
Drone ecosystem organizations should put GDPR at the forefront of their business. As such, it is important for them to take a proactive approach to lessen the probability of penalties and gain a competitive advantage. However, as organizations move towards GDPR compliance and information security, it is important to have a strategy and choose a partner that knows and understands drone business operations and their specific data flows.
Do you work with organizations across the continent or are you focused on certain regions?
Our main market focus is on the companies that fall under the new regime, which covers any European Company and many non-European ones offering goods or services or targeting European citizens.
Any drone operator taking photographs or collecting data involving EU individuals should ensure it has taken appropriate steps to address its compliance obligations under GDPR. It’s also very important to establish and maintain secure connections so that hackers cannot exploit the cyber security vulnerabilities of a drone to commandeer it and transform it into a piece of “dangerous equipment”.
What are some of the common issues that people either don’t consider or fully think through when it comes to drone technology?
Drone technology is growing faster than ever and drones can become a threat to privacy since they can be used as spying devices. As a result, security measures must be put into place on several levels, including government regulations, user education, and in releasing credible platforms. The absence of adequate drone security and secure UAV systems can lead the public to shift their opinion on drones.
One of the tips is to make cybersecurity a boardroom issue. To meet the cybersecurity challenge, drone organisations must look at the full system architecture, which includes everything from workstations to communication links to storage infrastructure. That means anything and everything with the potential to connect.
Another tip is to be compliant with regulations. Lack of user control is a huge issue and pervasive across technological developments. But for businesses, the need to obtain specific, informed consent from individuals for each kind of processing of their data is likely to present challenges where traditional consent mechanisms are not up to the task.
The first step is to embed privacy defaults at all stages, within the design of drones and applications and as close as possible to the point of data collection. Businesses will need to design and implement privacy-friendly policies around the use of data, and where possible, develop new methods of giving information to users. That will enable greater transparency and individual control.
What has been the biggest change or development in the space that you believe will impact drone ecosystem organizations?
On 24 May 2019 the European Commission, through “Regulation (EU) 2019/947”, adopted EU rules to harmonize drone rules and ensure that increasing drone traffic across Europe is safe and secure for people on the ground and in the air. The rules will apply to all operators of drones – both professionals and those flying drones for leisure. These rules, which will replace existing national rules in EU Member States, not only address safety but also contain important building blocks to mitigate drone-related security risks.
The Annex to this Regulation establishes procedures, limitations and UAS operator responsibilities that have been adapted to the type of intended operation and the risk involved, including:
- measures to protect against unlawful interference and unauthorised access
- procedures to ensure that all operations are in respect of Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In particular, it shall carry out a data protection impact assessment when required by the National Authority for data protection in application of Article 35 of Regulation (EU) 2016/679.
Although published and due to come into force in June 2019, drone operators will have another year, until June 2020, to prepare to implement the requirements.
How will the development of UAM systems further change issues related to privacy and data protection?
With UAM systems like last-mile delivery, air taxi or air metro, the major issue will be to explain to city citizens how vehicle cameras work and how drone manufacturers apply “privacy by design” in their systems. They will need to explain how vehicles can actually help protect their privacy.
Some Privacy by Design requirements:
- minimizing data collected by using select-as-you-collect, anonymization and pseudonymization design patterns
- hiding data by using encryption (in transit or at rest), traffic hiding techniques (onion routing), etc.
- separating personal data as much as possible by means of distributed approaches
- aggregating data to process it at the highest level of aggregation and with the least possible detail at which it is still useful, by using the k-anonymity family of techniques or differential privacy
- informing the subjects of the system in a transparent way by having adequate interfaces and detecting potential privacy breaches
- providing users with control over their data by using techniques such as user-centric identity management, end-to-end encryption, etc.
- enforcing privacy policies by appropriate access control mechanisms
- demonstrating compliance with privacy policies by activities such as logging and auditing
The market is already doing some of these things, which we can see with DAA (Detect and Avoid) and SAA (Sense and Avoid) systems, but much more is necessary to gain the trust of city citizens. Spreading more good information about drones is the key.
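To make the list above concrete, here is an added Python example (not code from the interview, from Smaare Consulting or from any drone vendor) that applies three of the named patterns to a constructed set of drone flight records: keyed pseudonymisation of the operator identifier, data minimisation by coarsening location and time before release, and a k-anonymity check that suppresses any group too small to hide an individual, with a small audit record of what was withheld. The field names, the grid size, the HMAC key and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample flight log (not real data). Each record holds a direct
# identifier (operator e-mail), location/time quasi-identifiers and a payload.
FLIGHT_LOG = [
    {"operator": "alice@example.org", "lat": 52.5203, "lon": 13.4051, "date": "2019-06-03", "purpose": "roof inspection"},
    {"operator": "alice@example.org", "lat": 52.5211, "lon": 13.4098, "date": "2019-06-03", "purpose": "roof inspection"},
    {"operator": "bob@example.org",   "lat": 52.5198, "lon": 13.4012, "date": "2019-06-03", "purpose": "survey"},
    {"operator": "carol@example.org", "lat": 48.8566, "lon": 2.3522,  "date": "2019-06-04", "purpose": "delivery test"},
]

# Hypothetical secret held only by the data controller. A keyed hash means the
# token cannot be linked back to the operator without this key, which is what
# separates pseudonymisation from a guessable unkeyed hash of an e-mail address.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

QUASI_IDENTIFIERS = ("cell", "month")


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: the same operator always maps to the same
    16-hex-digit pseudonym, so records stay linkable without exposing identity."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict, grid: float = 0.1) -> dict:
    """Data minimisation: replace the operator with a pseudonym, snap the
    coordinates to an integer grid cell (~11 km at grid=0.1 degrees) and keep
    only the month of the flight. Precise position and day are dropped."""
    return {
        "operator": pseudonymize(record["operator"]),
        "cell": (round(record["lat"] / grid), round(record["lon"] / grid)),
        "month": record["date"][:7],
        "purpose": record["purpose"],
    }


def k_anonymity(rows: list, quasi_identifiers: tuple = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    A value of 1 means some row is unique on location+time and may single
    out a person even though the direct identifier has been removed."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(groups.values()) if groups else 0


def release(log: list, k: int = 2, quasi_identifiers: tuple = QUASI_IDENTIFIERS):
    """Pseudonymise and generalise every record, then suppress any equivalence
    class with fewer than k members so the published table is k-anonymous.
    Returns the releasable rows and an audit entry recording what was withheld."""
    rows = [generalize(r) for r in log]
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    kept = [r for r in rows if groups[tuple(r[q] for q in quasi_identifiers)] >= k]
    audit = {
        "input": len(log),
        "released": len(kept),
        "suppressed": len(log) - len(kept),
        "k": k,
    }
    return kept, audit


if __name__ == "__main__":
    # The three Berlin flights share a cell and month and are released; the
    # single Paris flight would be unique on (cell, month) and is suppressed.
    published, audit_entry = release(FLIGHT_LOG, k=2)
    print("audit:", audit_entry)
    print("k of released table:", k_anonymity(published))
    for row in published:
        print(row)
```

The audit entry is the kind of record the "logging and auditing" item asks for: it shows a supervisory authority how many records were withheld and under what k, without itself containing personal data. Raising k or coarsening the grid trades utility for stronger protection; the check is what tells you whether a given release still singles anyone out.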
What are some of the considerations that stakeholders need to be working through today to enable the UAM ecosystem of tomorrow?
To begin with, they should review the legislation to understand its implications. Carrying out an audit of the personal data an organisation holds and processes is a critical first step to understanding what data is held, where it originated and who it is shared with.
Implementing the required processes is essential for drone organisations to understand their data flows. Ultimately, they can do so by mapping where their data is sent. This will allow them to identify any weaknesses in their data security and IT infrastructure. Once all of this is understood they should draft and prioritise a set of initiatives which will enable them to become GDPR ready and ensure their data and information are secure.
What has you most excited about where this technology is and where it’s going?
I believe that in the near future, drones will have more power, better performance and quality at a more accessible price for consumers. On the other hand, more regulations and investments will be needed regarding privacy and drone safety. We cannot forget that drones aren’t only in the air but also in the water and on land, so all of the regulations must be similar. One day we will have a multi-environment drone. That will be a big challenge.
With AI development, some of the things that we only imagined or saw in movies are happening. In 1979, the Star Trek movies envisioned what mobile phone technology could look like, but no one really knew when or if that sort of thing would be possible. Today, mobile phones are our best friends. Will drones be our next best friend and soon follow us everywhere while monitoring our fitness training but also helping transport us across the city?