We have only just started to reap the benefits of “Big Data” – from foreseeing deadly infections to fraud detection. It is a key source of value for many industry sectors: profiling, spotting market trends, product performance analysis and forecasting future outcomes.
The use of large data sets that are collated and analysed to discern patterns and make optimal decisions is an exciting journey many companies are only just starting to explore. There is, however, a potential darker side to the perceived benefits of big data: the effect on personal privacy. In this regard, is the GDPR a welcome guiding light to the benefits of Big Data, or will it strike a fatal blow to the utility of it, in an attempt to protect our privacy?
What is Big Data?
“Big Data” is a blanket term for collections of data sets that are enormous in size and complex, such that their processing using traditional data management means, such as relational database management systems, is problematic. Big Data is regarded as meeting the following characteristics (often called the “Four V’s”):
1. Sheer Volume of data;
2. A large Variety of data (in terms of types and structure);
3. Veracity of data, in that the data is, on the whole, representatively accurate and trustworthy (as opposed to exactly so); and
4. The data needs to be analysed at a high Velocity in order to derive value from it.
So why does Big Data cause problems in the context of the GDPR?
Big Data sets will often include personal data, and in many cases, it is not possible to separate the personal data from the non-personal data.
The aim of Big Data is to uncover relationships within and amongst the information, through analytics and processing. Given the accuracy and trustworthiness of any particular data set may not be exact, but rather directionally representative, the starting point of Big Data itself runs contrary to a fundamental principle of the GDPR – that the accuracy of the personal data of a particular data subject in the possession of an organisation must be maintained and protected.
Furthermore, Article 22 of the GDPR prohibits automatic processing, including profiling, where such processing has a legal effect on a data subject, or similarly significantly affects the data subject. In this regard, profiling is defined as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Some of the privacy risks particularly pronounced in the context of Big Data profiling therefore include:
1. Processing of personal data outside of the purpose for which it was collected;
2. Use of incorrect and/or outdated information;
3. Discrimination or bias against certain individuals or groups resulting from the application of certain profiling algorithms; and
4. Processing of personal data in excess of what is needed in order to process it.
Because automatic processing involves such high risks on privacy, it is prohibited in principle under the GDPR, except where:
Note that organisations have already accumulated large amounts of data – and the GDPR applies not just to data sets created going forward – but also to those already in existence today, insofar as such that pre-existing data sets would be the subject of processing after the GDPR comes into force. It will undoubtedly prove problematic in practice to obtain the required explicit consent for specific uses of a data set that already exists (and is, in fact, already in use).
So how can Big Data be used in practice under the GDPR?
It is imperative that businesses review their current use of profiling and automated processing practices and processes, to:
Is the GDPR the death knell of Big Data?
There are clearly some specific challenges in reconciling data protection principles set out in the GDPR with the characteristics of Big Data analytics. However, these are not insurmountable, nor incongruous with the aims of the GDPR. Organisations should, however, think through the why and the how in respect of Big Data profiling, and ensuring transparency and privacy by design are at the heart of their “Big Data journey”. With the EU’s 2015 Digital Single Market Strategy targeting Big Data as a “catalyst for economic growth, innovation and digitisation across all economic sectors […] and for society as a whole,” it is imperative that Big Data is seen as an opportunity to be actively nurtured and better understood, including through the prism of privacy compliance, so that its potential may be fully realised.
Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017 Courses: igacademy.com/courses
By Akber Datoo, Managing Partner, D2 Legal
Originally published by GDPR.Report
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017
COUNTY HALL, LONDON