Complying with the GDPR when vulnerable people use smart devices

Piasecki, Stanislaw (2022) Complying with the GDPR when vulnerable people use smart devices. PhD thesis, University of Nottingham.

PDF (Thesis - as examined) - Requires a PDF viewer such as GSview, Xpdf or Adobe Acrobat Reader
Available under Licence Creative Commons Attribution.
Download (1MB) | Preview


The number of smart home devices is increasing. They are used by vulnerable people regardless of whether they are designed specifically for them or for the general population (for example, smart door locks, smart alarms or voice assistants). This PhD focusses on children and inherently vulnerable adults, and analyses how to comply with the General Data Protection Regulation (GDPR) when the latter use smart products, with a particular focus on the UK through references made to the Information Commissioner’s Office guidelines and reports. Complying with the GDPR provisions related to the processing of vulnerable people’s data would be beneficial not only for the latter but also for organisations developing and deploying smart devices. This thesis argues in favour of protecting vulnerable people’s data by design and default in every smart product. The objective of this work is also to draw attention to the need of thinking about vulnerability across all data protection principles and to propose solutions on how to effectively comply with the GDPR in this context.

This PhD contains a legal doctrinal chapter, an empirical part (interviewing lawyers and technologists working within the smart home field) as well as a chapter related to theoretical debates and privacy enhancing technologies (PETs).

In the doctrinal chapter, research into data protection law and legal concepts is conducted to understand the current legal landscape, guidelines and opinions related to this field of study. Personal data can be processed only if an appropriate legal basis is chosen and all of its conditions are met, and if all GDPR principles are respected. In this part of the thesis, the most relevant data protection law provisions in the context of the use of smart products by vulnerable people are identified and discussed.

The empirical chapter introduces information gathered through semi-structured interviews conducted with UK and international professionals in the field of data protection law and technology design, with a focus on the smart home context. Those discussions gave various insights and perspectives into how the two communities view intricate practical data protection challenges.

The chapter related to theoretical debates and PETs analyses personal information management systems (PIMS) in order to understand how to protect and manage vulnerable people’s data more effectively in smart homes and, as a result, enhance compliance with data protection law. Relying on PETs to safeguard vulnerable people’s personal data could lead to questions as to the normative grounds for this technological approach. By examining debates such as privacy-as-confidentiality versus privacy-as-control, this thesis explains why edge computing PIMS could help in improving GDPR compliance while underlining that designers of PIMS need to consider the consequences of implementing different privacy paradigms.

Item Type: Thesis (University of Nottingham only) (PhD)
Supervisors: McAuley, Derek
Perez Vallejos, Elvira
Chen, Jiahong (external)
Keywords: Data protection law, Compliance, Internet of things, Smart devices, Vulnerable people, Children, Privacy enhancing technologies, Personal information management systems
Subjects: Q Science > QA Mathematics > QA 75 Electronic computers. Computer science
Faculties/Schools: UK Campuses > Faculty of Science > School of Computer Science
Item ID: 69888
Depositing User: Piasecki, Stanislaw
Date Deposited: 31 Dec 2022 04:40
Last Modified: 01 Jan 2023 04:30

Actions (Archive Staff Only)

Edit View Edit View