Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Big data needs big protection


Published on

Big data needs big protection

Published in: Government & Nonprofit
  • Be the first to comment

  • Be the first to like this

Big data needs big protection

  1. 1. The General Data Protection Regulation and Big Data Lambeth, International House October 2016
  2. 2. So who are you? 2
  3. 3. So where are we at? 3 • GDPR formally adopted on 4 May 2016 (Star Wars day, coincidentally) • Comes into force on 25 May 2018, replaces current Data Protection Act 1998. • Lots of stuff still unknown – exceptions to the law, whether the ICO can continue to be pragmatic, how this affect EU based subsidiaries. • But we know where to start. • BREXIT!!!!!! – We simply don’t know but the law will come into force before we leave, the Government has the option to keep it, do it’s own thing, or do nothing.
  4. 4. Is it as bad as they say? 4
  5. 5. So what do Big Data professionals need to be thinking about? • Permission/right to obtain the data (sources) • Permission or right to use the data • Profiling • The right to erasure (‘right to be forgotten’) • Research exemption? • Data breaches • Privacy Impact Assessment and privacy by design • Accountability • Fines! 5
  6. 6. Obtaining and using the data • So are you legally allowed to use the data? • Is the organisation providing the data allowed to provide it? • Has the individual been told that the data might be used for the purpose you are using the data for? • Research materially different to marketing, which is materially different to housing benefit fraud, which is materially different to targeting services. • New stuff: • Consent (if you relay on it) must now be ‘unambiguous’ • Silence, pre-ticked boxes or inactivity should not therefore constitute consent…….. • We must be able to evidence consent. • But there are other ways to justify use of data – legitimate interest, required by law, for contract purposes, public functions, vital interests 6
  7. 7. Profiling • “Individuals have the right not to be subject to any decision solely based on automated processing, including profiling, that produces legal effects or similarly significantly affects him/her.” • What does this mean?! • Must use personal data • Must evaluate personal aspects about the individual • Similar language to rights under Section 12 current DPA • Does not apply where: • Done as part of a contract (so insurance/credit scoring) • Authorised by law. • Done on the basis of explicit consent • So lots of time where this does not actually apply. For example is a marketing profile a legal effect? Or similarly significant? 7
  8. 8. The right to be forgotten • We are already living in this world • DPA gives the right to erasure of data already (section 14) • Google vs Costeja Case last year said current law provides a right to be forgotten • The sky has not fallen in. • It is not actually a ‘right to be forgotten’ – how Google do it • The new law actually provides welcome clarity and limitation of the right – only applies in certain cases • So in almost all cases, you will need to remove the data from use, but need to remember that you have forgotten so you can show the regulator and the individual that you forgot – Simples. 8
  9. 9. Research exemption? • So there is a very good exemption in current law for research which can be used for POC work • Personal data can be used for research where: • The research is not supporting decisions for particular individuals • The data are not processed in a way that causes damage or distress to the individuals • Means you can use data for research purposes • Makes it exempt from right of access • Can be kept indiefinitely • Likely this will be replicated in the new law - but no guarantees at this stage. 9
  10. 10. Data breaches • At present only data breaches that present a risk should be reported to the ICO. • Now all breaches should be reported in 72 hours • You will have to significantly tighten up the data incident reporting process you currently use, and put some resource into publicising it. • You will also have to ensure we have a robust process in place that considers whether to inform individuals who are affected – who should take the decision, etc. 10
  11. 11. Privacy Impact Assessment and privacy by design and default • This is basically a means of saying that you need to document the privacy considerations when you develop new products and services that use personal data. • And any technology you design or procure must have privacy-friendly default settings. • This plus additional information you need to hold means lots more paper and documentation of processes, but putting the time into this gets you 90% of the way to compliance. 11
  12. 12. Accountability • Accountability principle requires that organisations implement ‘appropriate technical and organisational measures’ to be able to ‘demonstrate’ their compliance with the Regulation • Data mapping, data flows, relationships with suppliers, contracts etc. • Do you need a Data Protection Officer? • Basically a lot more documentation, box ticking and process. • BUT – done well, could it aid compliance? 12
  13. 13. Consequences of getting it wrong! • This is the biggest change to the risk involved in do data protection badly. • Current fines - £500k maximum • Current enforcement powers weak and cumbersome. • New regime significantly increases regulatory powers • 4% global group turnover • Definitive or temporary ban on processing • Competition and FCA levels of risk now attached to data protection • No longer just the ICO to worry about – if you are active in any EU country, they can deal with you directly. • But we expect the ICO to show some pragmatism, as it has always done when new law comes into force. 13
  14. 14. 14 Any Questions?