The document provides an overview of ethics, legislation, and privacy issues related to big data. It discusses the necessity of regulating big data and the differences between privacy and data protection. It also provides details on the General Data Protection Regulation (GDPR), including its goals, requirements for companies, and individual rights it aims to protect.

1. D: DRIVE
How to become Data Driven?
This programme has been funded with
support from the European Commission
Module 5: Legislation

2. Smart Data Smart Region | www.smartdata.how
This programme has been funded with support from the European Commission. The author is
solely responsible for this publication (communication) and the Commission accepts no
responsibility for any use that may be made of the information contained therein.
The objective of this module is to provide an overview of
ethics, legislation and privacy issues of big data.
Upon completion of this module you will:
- Be able to recognize the neccessity of regulating big
data
- Understand the difference between privacy and data
protection
- Know how to implement actions of data protection into
your own (future) company
Duration of the module: approximately 1 – 2 hours
Module 5:
Legislation

3. Smart Data Smart Region | www.smartdata.how
This programme has been funded with support from the European Commission. The author is
solely responsible for this publication (communication) and the Commission accepts no
responsibility for any use that may be made of the information contained therein.
1
Legislation2
GDPR3
– Ethics of Big Data
– Aspects of Big Data Ethics
4 Legal Glossary
How about Ethics?
– The Basics of GDPR
– Individual Rights
– GDPR Implementation
– Privacy vs. Data Protection

4. With the increase of computing power,
electronic devices and accessibility to the
Internet, more data than ever is being
produced, collected and transmitted.
Nowadays Big Data is big enough to raise
practical rather than merely theoretical
concerns about ethics. Big data itself, like all
technology, is ethically neutral.
The use of big data, however, is not.
Smart Data Smart Region | www.smartdata.how

5. Collecting and analysing big data has become a powerful way to unlock
actionable insights across any business, but it also brings with it some
concerns about big data ethics that need to be addressed. Because accessing
and storing data is so easy, some organizations collect everything and hang
on to it aforever, since the value of any piece of information is only known
when you can connect it with something else that arrives at a future point in
time.
And it is not just the CIA collecting data like this. Major grocery store chains,
investment banks and even the postal services have a predictive
analytics function with the sole purpose of collecting and analyzing data in
order to predict buyer behavior.
Smart Data Smart Region | www.smartdata.how
ETHICS OF BIG DATA
Data can be either useful or
perfectly anonymous but never
both.
Paul Ohm
Smart Data Smart Region | www.smartdata.how
What is your opinion on the ethics of Big
Data? Complete Exercise 1 of Learners
workbook #5

6. Smart Data Smart Region | www.smartdata.how
Aspects Of Big Data Ethics
Big data is already outpacing our ability to understand its implications. Businesses
are innovating every day, and the pace of big-data growth is practically
immeasurable. To provide a framework for dissecting the often nuanced and
interrelated aspects of big data ethics, the following key components can help
untangle the situation.
Identity Privacy
Ownership Reputation

7. Privacy on the
internet? That‘s an
oximoron.
Catherine Butler
Smart Data Smart Region | www.smartdata.how

8. Most users have been unaware of the
volume of personal data retained by entities
for various purposes. This is beginning to
change as awareness of the data privacy
debate is increasing. The two trends—
increasing popularity of big data and
increasing awareness of data privacy—
are beginning to come to a head and
companies that intend to capitalize on this
era of big data need to be conscious about
and address these basic ethical concerns.
Smart Data Smart Region | www.smartdata.how

9. PRIVACY DATA
PROTECTION
vs.
Smart Data Smart Region | www.smartdata.how

10. PRIVACY DATA
PROTECTION
vs.
Is there any difference?
Smart Data Smart Region | www.smartdata.how

11. PRIVACY DATA
PROTECTION
vs.
Is there any difference?
Smart Data Smart Region | www.smartdata.how
YES

12. PRIVACY DATA
PROTECTION
vs.
Is there any difference?
Smart Data Smart Region | www.smartdata.how
YES
• Privacy relates to the appropriate use and
control of data
• Data privacy protocols around the world address
the control people have over their personal
data and how they can protect it from
unwanted or harmful uses
• It covers issues such as: what type of data will
be processed, where will it be held, how long
will it be held for
• Data protection relates to the
confidentiality, availability and integrity
of data
• It focuses on two main aread – the
physical security of premises and the
logical security of data and digitized
information
• It covers issues such as: the
confidentiality, integrity and availability
of data, the protection of networks, the
physical security of sites, equipment,
transport and people

13. Smart Data Smart Region | www.smartdata.how
PRIVACY
Data privacy, also called
information privacy, is the
aspect of information
technology that deals with
the ability an organization or
individual has to determine
what data in a computer
system can be shared with
third parties.
Privacy applies whenever the data is:
- Collected
- Processed
- Stored
Which relates to a living individual person who can be identified by that data.
EU data protection rules mean that your personal data can only be processed in certain
situations and under certain conditions, such as:
– if you've given your consent (you must be informed that your data is being collected)
– if data processing is needed for a contract, for a job application or a loan request
– if there is a legal obligation for your data to be processed
– if processing is in your 'vital interest', for example if a doctor needs access to your
private medical data when you've had an accident
– if processing is needed to carry out tasks in the public interest or tasks carried out by
government, tax authorities, the police or other public bodies
Personal data about your racial or ethnic origin, sexual orientation, political
opinions, religious or philosophical beliefs, trade-union membership or health may not be
processed except in specific cases (e.g. when you've given explicit consent or when
processing is needed for reasons of substantial public interest, on the basis of EU or
national law). These rules apply to both public and private bodies.
Collection and processing of personal data

14. Smart Data Smart Region | www.smartdata.how
DATA PROTECTION
Data protection is the
process of safeguarding important
information from corruption,
compromise or loss. The
importance of data protection
increases as the amount of data
created and stored continues
to grow at unprecedented
rates.
Data protection applies whenever we deal with 2 types of information:
Personaly
Identifiable
Information
Sensitive
Personal
Information
PII SPI

15. It is no exaggeration to say that we are
nothing more than a collection of data to
most of the institutions—and many of the
people—with whom we deal. Big data
poses enormous challenges for data
protection— both by processors and
regulators. It simultaneously changes the
context and raises the stakes for Data
protection. As personal data are
universally collected and shared across
sectorial and national boundaries,
inconsistent data protection laws pose
increasing threats to individuals,
institutions, and society.
Smart Data Smart Region | www.smartdata.how

16. Impact: 3 billion user accounts
Details: In September 2016 Yahoo
announced it had been the victim of the
biggest data breach in history, likely by “a
state-sponsored actor,” in 2014. The attack
compromised the real names, email
addresses, dates of birth and telephone
numbers of 500 million users. The company
said the "vast majority" of the passwords
involved had been hashed using the robust
bcrypt algorithm.
Impact: 145 million users compromised
Details: The online auction giant eBay reported a
cyberattack in May 2014 that it said exposed names,
addresses, dates of birth and encrypted passwords
of all of its 145 million users. The company said
hackers got into the company network using the
credentials of three corporate employees, and had
complete inside access for 229 days, during which
time they were able to make their way to the user
database.
Impact: Credit/debit card information and/or
contact information of up to 110 million people
compromised.
Details: The breach of Target costumers began
before Thanksgiving, but was not discovered until
several weeks later. The retail giant initially
announced that hackers had gained access through
a third-party HVAC vender to its point-of-sale (POS)
payment card readers, and had collected about 40
million credit and debit card numbers.
With an increasing number of data breaches splashed across front page
news, companies have good reason to take security seriously.
Learn more about one of the biggest data
breaches in 2018, Cambridge Analytica in
Exercise 2 of Learners workbook #5

17. Afterall, they gain a
lot of data for each
user. For example,
just take a look at all
data Uber gets from
each individual who
takes a ride from
point A to point B.
Smart Data Smart Region | www.smartdata.how

18. As we were approaching this Big Data
industrial revolution, the laws governing its
protection had reached a point where they
were a bit like an old operating system. In
need of an update or they would have become
unfit for purpose. Each country, concerned
about citizens’ personal data, big data
analytics and security, was attempting to come
up with its own legislation to control data. In
the European Union companies have to follow
the GDPR legislation.
Smart Data Smart Region | www.smartdata.how

19. Smart Data Smart Region | www.smartdata.how
GDPR
What is the
GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process data
under the
GDPR?
What are
the
consequenc
es of not
acting by
GDPR?
THE BASICS OF GDPR
A single set of legislation
across Europe that gives
individuals get better
control of their personal
data.
By strengthening data
protection legislation and
introducing tougher
enforcement measures,
the EU hopes to improve
trust in the emerging
digital economy. Secondly,
the EU wants to give
businesses a simpler,
clearer legal environment
in which to operate.
The GDPR will apply
in all EU member
states from 25 May
2018.
'Controllers' and 'processors' of
data need to abide by the GDPR.
A data controller states how and
why personal data is processed,
while a processor is the party
doing the actual processing of the
data.
Once the legislation comes into
effect, controllers must ensure
personal data is processed
lawfully, transparently, and for a
specific purpose. Once that
purpose is fulfilled and the data
is no longer required, it should
be deleted.
$10 million or 2% of
entity‘s global gross
revenue
or
$20 million or 4% of
entity‘s global gross
revenue

20. INDIVIDUAL RIGHTS
A key part of the regulation requires consent to be given by the individual whose data is
held. Concent means „any freely given, specific, informed and unambiguous indication
of his or her wishes by which the data subject, either by statement or by a clear
affirmative action, signifies agreement to personal data relating to them being
processed“.
Organisations will need to be able to show how and when consent was obtained. This
consent does not need to be explicitly given, it can be implied by the person‘s
relationship with the company. However, the data obtained must be for specific, explicit
and legitimate purposes.
Individuals must be able to withdraw consent at any time and have a right to be
forgotten; if their data is no longer required for the reasons for which it was collected, it
must be erased.
Smart Data Smart Region | www.smartdata.how

21. The right to be
informed
The right of access
The right to
rectification
The right to erase
The right to restrict
processing
The right to data
portability
The right to object
Rights in relation to
automated decision
making and profiling
Smart Data Smart Region | www.smartdata.how

22. Smart Data Smart Region | www.smartdata.how
GDPR IMPLEMENTATION
Companies are required to implement appropriate technical and organisational measures in relation to nature, scope, context and
purposes of their handling and rocessing of personal data. Data protection safeguards must be designed into products and
services from the earliest stages of development.
AWARENESS
INFORMATION YOU
HOLD
COMMUNICATING
PRIVACY
INFORMATION
INDIVIDUAL RIGHTS
SUBJECT ACCESS
REQUESTS
LAWFUL BASIS FOR
PROCESSING
PERSONAL DATA
CONSENT CHILDREN
DATA BREACHES
DATA PROTECTION BY
DESIGN AND DATA
PROTECTION IMPACT
ASSESSMENTS
DATA PROTECTION
OFFICERS
INTERNATIONAL
12 steps you can make in your company to implementate GDPR
1 2 3 4
5 6 7 8
109 11 12
Take these steps in your own company in
Exercise 3 of Learners workbook #5

23. No matter what volumes of data they’re
dealing with, it’s crucial for businesses to get a
good handle on where their data is, how it’s
stored and who has access to it. The GDPR
comes at a time when customer expectations
have never been higher over the privacy of
their data. Putting the power back into the
hands of customers can only serve the
businesses who rely on them, helping to build
a far more positive relationship and engender
consumer trust.
Smart Data Smart Region | www.smartdata.how

24. LEGAL GLOSSARY
PERSONAL DATA
Any information relating to a person who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number,
location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person.
CONTROLLERS
Owners of the data, who are responsible for data protection and make sure
processors are compliant.
PROCESSORS
Work with the data and have to take responsible actions with the data. The
relationship between Controllers and Processor must be documented.
DATA PROTECTION OFFICERS
Public Authorities who have expert knowledge on data protection laws. They deal
with a large scale processing of special types of personal data.
PROFILING
Ay automated processing of personal data to determine certain criteria about a
person.
BREACH AND NOTIFICATION
A breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored or otherwise processed.
DATA SUBJECT ACCESS REQUESTS
The right of the individual to understand what is stored and how it is used.
Smart Data Smart Region | www.smartdata.how

25. www.smartdata.howwww.facebook.com/smartdatasr