The role of the different stakeholders in the RFID Privacy Impact Assessment process
There are different kinds of stakeholders involved in an RFID PIA process. Among others, there are RFID operators and suppliers of RFID products or services.
Obviously, the companies that are involved in the data capture system are classified as RFID operators, but the RFID Recommendation makes it clear that even those responsible only for encoding the tags are concerned.
The recent publication of the European Standard EN 16571:2014 "Information technology – RFID privacy impact assessment process" adds a new dimension to the responsibilities of these RFID operators. Like the RFID Recommendation, it requires the RFID operator to undertake a privacy impact assessment (PIA), produce an internal comprehensive report, and publish a summary report.
The Geographic Scope of EN 16571
EN 16571 applies to 33 European countries, but even if your company is outside Europe it might be worth considering the standard, as some of your customer base is likely to be here. The risks to personal privacy do not stop at the boundaries of Europe. The potential exploits from the bad guys, who are already adept at ignoring boundaries, can result in an exploit discovered in one country being exercised in another, or they can simply access products, tools and software developed in one place and exploit them anywhere.
What should you do as an RFID operator?
Your organisation can undertake the RFID PIA now. You may work directly from the standard or use the CNRFID-CSL software. When the new EU General Data Protection Regulation is approved it might become a legal requirement, but even under the existing Data Protection laws some authorities might consider it a requirement now. The General Data Protection Regulation has one key requirement that impacts RFID:
Data protection first, not an afterthought: "privacy by design" and "privacy by default" will also become essential principles in EU data protection rules. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm. On our website you will find some actions you should consider taking as an RFID operator, product manufacturer or systems integrator.
You can also find details of your national data protection authority on the website!