TechGDPR

GDPR’s Big Issue with Big Data

Friday July 6th, 2018 by Jesse van Mouwerik

Understanding how Big Data is regulated by the EU is no easy task. Generally speaking, the European Union’s General Data Protection Regulation (GDPR) is having a major impact on an array of different businesses worldwide – or at least, those in the majority who agree that continuing business within one of the world’s largest economic blocs is a wise choice. Most companies, big and small, are affected in some form, but perhaps none more severely than those working with ‘disruptive’ technologies, such as Big Data, AI, IoT, and Blockchain, to name a few. Where Big Data is concerned, there are many ways in which companies can vastly improve their compliance, but the first step is knowing more about the rules that most significantly impact your company’s advanced technology.

Data and the Problem of Purpose

Few things are likely to make a bigger impact on GDPR compliance than purpose limitation. Purpose limitation refers to one of the principles mentioned in Article 5 of the GDPR. It states that there must be a specific, explicit, and legitimate reason for a processor to collect the personal data of customers.  Additionally, the moment there is no longer a specific, explicit, and legitimate reason for collecting that data, the company is obliged to stop processing it. Designed to promote trust and limit abuse by data processors, this principle represents a sizable effort to protect data subjects. It is also, to the horror of many data-dependent ventures, painfully vague.

Such vague wording is not good news for those fighting to stay afloat in the already hyper-competitive markets for products that rely on what the world increasingly refers to as ‘big’ data. The term Big Data in this sense is used to describe the process of collecting and analyzing vast amounts of data from various sources, including personal data and ‘sensitive data,’ as defined under the GDPR. This, too, is a rather vague definition if you are concerned about compliance, and a definition that will be hard to understand without further legal context – context that will ultimately come from how the GDPR will actually be enforced in the coming months and years.

The Opportunity Cost

In the meantime, the potential costs to innovation in the form of fines on forward-thinking (but non-compliant) tech companies are hard to overstate. Larger still could be the opportunity costs faced by corporations, or even entire economies, if they are not able to realistically capitalize on the innovations that big data enables. This is especially the case when looking at the advances in productivity that good data analytics can inform. As many already know, big data is regularly used alongside data analytics, which reviews large volumes of data in a short amount of time. Such technology is already helping companies and research institutions around the world make unbelievable gains in terms of the speed and quality of their work. This is a process that, for obvious reasons, hopefully even the most hawkish regulator would not want to hinder.

The stakes are also highest for the firms that have been most effective at digging opportunities out of big data and the many technologies that orbit it. Advances in capturing the most value from data analytics have been uneven between public and private institutions – as well as among different industries. Retailers, for example, fare far better than the EU public sector or US healthcare when it comes to making the most out of the data in their possession. This could be in part due to retail’s need to keep up with fickle shoppers and public institutions’ more siloed data between departments, but what is clear is that the institutions that have benefited most from new technology also know that they are the ones who have the most to lose should their use of it be hindered. The cost of a GDPR violation is high enough, but being slowed down by the process of collecting consent from vast numbers of people is no cheap affair either.  

Plenty to Collect

Startups, with fewer resources for compliance, could also suffer. Big corporations may have more numbers to crunch, but they also have more manpower and connections to get them through it. Smaller, more innovative companies are not just trying to keep up with marketplaces throughout Europe and beyond, but to redefine them. Big data regularly informs the development of better business models, better ad-targeting measures, and various cost-cutting practices throughout an array of industries. The potential cost to corporate profits in nearly every industry is astoundingly high, even for slow adoption, let alone not adopting certain technologies at all. Still, for all of the risks to business that purpose limitation poses, a GDPR-compliant startup or corporation is in a far better position to seize upon big data’s blooming opportunities than those that are not.

A Data-Driven Path to Compliance

For all of the innovative risks and potential headaches posed by the sometimes clumsy fist of regulatory enforcement, it must be noted that the principle of purpose limitation does not entirely prohibit processing big data. A company can be granted permission to keep doing so, provided it is able to prove that the data being processed is necessary in order to provide a service and that consent has been given regarding its collection. In some cases, authorization from the person giving away their data can ensure that this data may go on being collected, even if the original purpose for its collection is no longer the same as it was in the beginning.

It must also be stated that the purpose limitation will likely do much to help data subjects, so that their personal data is not processed without their explicit consent – but the problems it puts on firms’ backs are not to be underestimated. Companies that deal with big data analytics must check whether the data they process is being processed for the same reason for which it was collected in the first place – no easy task, even for companies with modest amounts of data. If that is not the case, processors must try to get explicit consent from their data subjects, which is also tedious.

Perhaps most important to note is that this process, however painful, also has the potential to inspire more comprehensive regulatory enforcement. The way in which the GDPR is interpreted and enforced within the sophisticated and ever-changing ecosystem of data-driven business models will certainly evolve. Staying engaged by keeping tabs on advances in technology as they overlap with changes in regulation is especially important. So too is ensuring that you have technical and legal protocols in place to respond to change when it comes. Taking these and other measures will ensure not only that you reach a reliable level of GDPR compliance, but also that you remain there.

 
