Understanding how Big Data is regulated by the EU is no easy task. Generally speaking, the European Union’s General Data Protection Regulation (GDPR) is having a major impact on an array of different businesses worldwide – or at least, on those in the majority who agree that continuing business within one of the world’s largest economic blocs is a wise choice. Most companies, big and small, are affected in some form, but perhaps none more severely than those working with ‘disruptive’ technologies, such as Big Data, AI, IoT, and Blockchain, to name a few. As it concerns Big Data, there are many ways in which companies can vastly improve their compliance, but the first step is knowing more about the rules that most significantly impact your company’s advanced technology.
Data and the Problem of Purpose
Few things are likely to make a bigger impact on GDPR compliance than purpose limitation. Purpose limitation refers to one of the principles mentioned in Article 5 of the GDPR. It states that there must be a specific, explicit, and legitimate reason for a processor to collect the personal data of customers. Additionally, the moment there is no longer a specific, explicit, and legitimate reason for collecting that data, the company is obliged to stop processing it. Designed to promote trust and limit abuse by data processors, this principle represents a sizable effort to protect data subjects. It is also, to the horror of many data-dependent ventures, painfully vague.
Such vague wording is not good news for those fighting to stay afloat in the already hyper-competitive markets for products that rely on what the world increasingly refers to as ‘big’ data. The term Big Data in this sense is used to describe the process of collecting and analyzing vast amounts of data from various sources, including personal data and ‘sensitive data,’ as defined under the GDPR. This, too, is a rather vague definition if you are concerned about compliance, and a definition that will be hard to understand without further legal context – context that will ultimately come from how the GDPR will actually be enforced in the coming months and years.
The Opportunity Cost
In the meantime, the potential costs to innovation in the form of fines on forward-thinking (but non-compliant) tech companies are hard to overstate. Larger still could be the opportunity costs faced by corporations, or even entire economies, if they are not able to realistically capitalize on the innovations that big data enables. This is especially the case when looking at the advances in productivity that good data analytics can inform. As many already know, big data is regularly used alongside data analytics, which reviews large volumes of data in a short amount of time. Such technology is already helping companies and research institutions around the world make unbelievable gains in terms of the speed and quality of their work. It is a process that, for obvious reasons, even the most hawkish regulator would hopefully not want to hinder.
The stakes are also highest for the firms that have been most effective at digging opportunities out of big data and the many technologies that orbit it. Advances in capturing the most value from data analytics have been uneven between public and private institutions – as well as among different industries. Retailers, for example, fare far better than the EU public sector or US healthcare when it comes to making the most out of the data in their possession. This could be in part due to retail’s need to keep up with fickle shoppers and public institutions’ more siloed data between departments, but what is clear is that the institutions that have benefited most from new technology also know that they are the ones who have the most to lose should their use of it be hindered. The cost of a GDPR violation is high enough, but being slowed down by the process of collecting consent from vast numbers of people is no cheap affair either.
Plenty to collect
Startups, with fewer resources for compliance, could also suffer. Big corporations may have more numbers to crunch, but they also have more manpower and connections to get them through it. Smaller, more innovative companies are not just trying to keep up with marketplaces throughout Europe and beyond, but to redefine them. Big data regularly informs the development of better business models, better ad-targeting measures, and various cost-cutting practices throughout an array of industries. The potential cost to nearly every industry as it regards corporate profits is astoundingly high, even for slow adoption, let alone not adopting certain technologies at all. Still, for all of the risks to business that purpose limitation poses, a GDPR-compliant startup or corporation is still in a far better position to seize upon big data’s blooming opportunities than those that are not.
A Data-Driven Path to Compliance
For all of the innovative risks and potential headaches posed by the sometimes clumsy fist of regulatory enforcement, it must be noted that the principle of purpose limitation does not entirely prohibit processing big data. A company can be granted permission to keep doing so, provided it is able to prove that the data being processed is necessary in order to provide a service and that consent has been given regarding its collection. In some cases, authorization from the person giving away their data can ensure that this data may go on being collected, even if the original purpose for its collection is no longer the same as it was in the beginning.
It must also be stated that the purpose limitation will likely do much to help data subjects, so that their personal data is not processed without their explicit consent – but the problems it puts on firms’ backs are not to be underestimated. Companies that deal with big data analytics must check if the data they process is being processed for the same reason for which it was collected in the first place – no easy task, even for companies with modest amounts of data. If that is not the case, processors must try to get explicit consent from their data subjects, which is also tedious.
Perhaps most important to note is that this process, however painful, also has the potential to inspire more comprehensive regulatory enforcement. The way in which the GDPR is interpreted and enforced within the sophisticated and ever-changing ecosystem of data-driven business models will certainly evolve. Staying engaged by keeping tabs on advances in technology as they overlap with changes in regulation is especially important. So too is ensuring that you have technical and legal protocols in place to respond to change when it comes. Taking these and other measures will ensure not only that you reach a reliable level of GDPR compliance, but also that you remain there.