So where are we at?
• GDPR formally adopted in April 2016 and published in the Official Journal on 4 May 2016 (Star Wars day).
• Applies from 25 May 2018, replacing the current Data Protection Act 1998.
• Lots still unknown – the exemptions to the law, whether the ICO can continue to be pragmatic, how this affects EU
• But we know where to start.
• BREXIT!!!!!! – We simply don’t know, but the law will come into force before we leave; the Government then has the option to keep it, do its own thing, or do nothing.
So what do Big Data professionals need to be thinking about?
• Permission/right to obtain the data (sources)
• Permission or right to use the data
• The right to erasure (‘right to be forgotten’)
• Research exemption?
• Data breaches
• Privacy Impact Assessment and privacy by design
Obtaining and using the data
• So are you legally allowed to use the data?
• Is the organisation providing the data allowed to provide it?
• Has the individual been told that the data might be used for the purpose you are now using it for?
• Research is materially different from marketing, which is materially different from housing benefit fraud investigation, which is materially different from targeting
• New stuff:
• Consent (if you rely on it) must now be ‘unambiguous’
• Silence, pre-ticked boxes or inactivity should not therefore constitute
• You must be able to evidence that consent.
• But there are other lawful bases for using data: legitimate interests, legal obligation, performance of a contract, public task, vital interests
• “Individuals have the right not to be subject to any decision
solely based on automated processing, including profiling, that
produces legal effects or similarly significantly affects him/her.”
• What does this mean?!
• The decision must use personal data
• It must evaluate personal aspects of the individual
• Similar language to the rights under section 12 of the current DPA
• Does not apply where the decision is:
• Necessary for a contract (so insurance/credit scoring)
• Authorised by law
• Based on the individual’s explicit consent
• So there are many situations where this does not actually apply. For example, is a marketing profile a legal effect? Or similarly
The right to be forgotten
• We are already living in this world
• The DPA already gives a right to erasure (section 14)
• The Google Spain v Costeja case (CJEU, 2014) held that current law already provides a right to be forgotten
• The sky has not fallen in.
• It is not actually a ‘right to be forgotten’ – look at how Google do it: links are delisted from search results, the underlying pages are not deleted
• The new law actually provides welcome clarity and limits the right – it only applies in certain cases (Article 17)
• So in almost all cases you will need to remove the data from use, but you also need to remember that you have forgotten, so that you can show the regulator and the individual that you forgot – Simples.
Research exemption
• There is a very good exemption in the current law (section 33 DPA) for research, which can be used for proof-of-concept work
• Personal data can be used for research where:
• The research is not used to support measures or decisions about particular individuals
• The data are not processed in a way that causes, or is likely to cause, substantial damage or substantial distress to any individual
• This means you can use the data for research purposes
• Exempt from the right of subject access (provided the results are not made available in a form that identifies individuals)
• Can be kept indefinitely
• This will probably be replicated in the new law, but there are no guarantees at this stage.
Data breaches
• At present there is no general legal duty to notify; ICO guidance is that only serious breaches (those that present a real risk to individuals) should be reported to the ICO.
• Under the GDPR, breaches must be reported to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33).
• You will have to significantly tighten up the data incident reporting process you currently use, and put some resource into publicising it so that staff know how to escalate a suspected breach quickly.
• You will also need a robust process for deciding whether to inform the individuals affected (required where the breach is likely to result in a high risk to them, Article 34): who takes the decision, on what evidence, and so on.
Privacy Impact Assessment and privacy by design and default
• This is basically a way of saying that you need to document the privacy considerations when you develop new products and services that use personal data (a Data Protection Impact Assessment is mandatory where the processing is likely to result in a high risk to individuals).
• And any technology you design or procure must have
privacy-friendly default settings.
• This, plus the additional information you need to hold, means a lot more paper and documented processes, but putting the time into this gets you 90% of the way to
• The accountability principle requires that organisations implement ‘appropriate technical and organisational measures’ to be able to ‘demonstrate’ their compliance with
• Data mapping, data flows, relationships with suppliers,
• Do you need a Data Protection Officer? (Mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.)
• Basically a lot more documentation, box ticking and
• BUT – done well, could it actually aid compliance?
Consequences of getting it wrong!
• This is the biggest change to the risk involved in doing data
• Current fines: £500k maximum (ICO monetary penalty under the DPA)
• Current enforcement powers are weak and cumbersome.
• The new regime significantly increases regulatory powers:
• Fines of up to €20m or 4% of global group turnover, whichever is higher
• Definitive or temporary ban on processing
• Competition-law and FCA levels of risk are now attached to data protection
• No longer just the ICO to worry about – if you are active in any EU country, that country’s supervisory authority can deal with you directly.
• But we expect the ICO to show some pragmatism, as it has
always done when new law comes into force.