Data protection in the UK is currently regulated by the Data Protection Act 1998 which pre-dates the advent of Facebook, Twitter, and the smart phone. In December 2015, in the new digital world where Big Data is the latest must have commodity by big businesses, the EU finally agreed the text of the new EU Data Protection Regulation which is intended to strengthen protection of individuals’ personal data.
Compliance with the new Regulation should be considered well in advance of it coming in to force (likely 2018), and as a starting point, it’s pertinent to consider what exactly Big Data is, and what risks are associated with analysing it from a data protection point of view.
Big Data is the somewhat vague term used to describe streams of information from various sources which are so large or complex, and often in a state of flux, that traditional methods of data analysis are incapable of deriving meaningful results. A few examples of Big Data are the postings of every social media user in the world, every debit and credit card transaction, and the locational information from smart phones.
Corporations across various sectors of industry, as well as public authorities, are quickly becoming alive to the value in converting Big Data into an intelligible format which can be used to their commercial advantage. The analysis of Big Data is different from the analysis of traditional data in several ways. Crucially, the new concept uses series of algorithms to identify trends or conclusions that otherwise would not be apparent; compared with traditional methods which test a hypothesis.
The gathering of Big Data comprises such a vast number of potential sources, it is inevitable that in some instances it will include information which would enable the identification of a specific individual (“Personal Data”). Both current legislation and the new EU Regulation deal with the control of collection, storage, and processing of Personal Data.
For example, the Data Protection Act 1998 requires that Personal Data is processed fairly, collected only for specified purposes, and is not transferred to third parties. The requirement of fairness includes processing Personal Data only in a way which could be reasonably expected by the individual. The “specified purposes” requirement generally prevents Personal Data being processed for a purpose unrelated to that which it was originally collected for.
The current Personal Data protection regime – which is due to get stricter under the new EU Regulation – means there is a greater risk in the analysis of Big Data in comparison to the analysis of information collected via more traditional methods. Due to the vast number of potential sources which make up Big Data, it may be difficult to establish exactly where any Personal Data has derived from, and whether it has come via any number of third parties. The sheer volume of sometimes unexpected conclusions that may be drawn by alternative analysis and use of the same underlying Big Data, which may include Personal Data, also means that the purpose for which it is used is more likely to be removed from the original purpose for which the Personal Data was gathered. This makes it difficult to properly disclose the purpose of the data collection in any privacy statement which may be relied on by commercial organisations.
Whilst the risk in Big Data analysis is greater than that posed by traditional data analysis, there is nothing in current UK or proposed EU legislation that prevents it. There are also a number of steps that can be taken to minimise the risk of falling short of the law. For instance, privacy impact assessments can be carried out to establish the likely extent of use, if any, of Personal Data in a Big Data analysis, as well as the extent the analysis will invade an individual’s privacy. Consideration can then be given to whether the Personal Data can be anonymised or otherwise redacted prior to analysis.
Given the already realised commercial value in Big Data analysis, the increased cost of compliance with stricter regulation of personal data is unlikely to restrict or materially impact upon its seemingly exponential growth. Businesses may wish therefore to use the introduction of the new Regulation as an opportunity to review their data protection and privacy policies.
Liam McMonagle is a specialist Intellectual Property Solicitor. If you have queries about Intellectual Property, IT and Media matters please contact Liam on 03330 430350 or email email@example.com.