Aligning big data processing and data protection risk assessments
EU GDPR is understandably dominating business agendas, particularly those who process large amounts of data. Information security business leaders are making it their objective to understand and implement meaningful strategies to support the business in achieving compliance.
Noord-Group spoke with former Senior Policy Officer, Alastair Barter, from the Information Commissioner’s Office. Currently working with organisations implementing EU GDPR strategies, Alastair shared some valuable insight on the practicalities of compliance. Sanity-check your strategy and join us for Noord InfoSec Dialogue this October. Register your interest to be part of the dialogue.
Noord: With companies investing heavily in Big Data projects, what will compliance with EU GDPR mean for those strategies?
AB: We’re going to see a lot of the current issues pan out in the future under GDPR, which is really an evolution of data processing laws to keep up with modern uses of data. You might have seen the ICO released some guidance on big data. We are looking at some of the main issues under the DPA and GDPR, one being around challenges of getting consent, if that’s what you’re relying onto process information in the big data context. More specifically we look at the principles of purpose limitation and data minimisation – effectively not gathering too much information. And part of this is data retention and deletion, in terms of which data you retain and for how long – you may need to provide details to consumers about how long you plan to hold their data for. Other practical issues to consider are subject access requests, so [for example] if somebody asks about data you hold about them, how do you extract that from the ever more complex streams of big data?
An important piece is looking at who is controlling and who is processing information. Big data processing is triggering and engaging some of the key data protection principals. And under GDPR it may be more difficult for companies to satisfy some of the conditions that the regulations look at, particularly around that first point of consent. If that’s your basis for processing, you are going to need a strong burden of proof to show that people know what they are consenting to regarding the use of their data. The two key strands of EU GDPR are the increased and improved rights for individual and the increased accountability of organisations. I think both of these strands interlink and they work quite neatly with the big data context. Organisations are going to have to be aware of that structural shift in balance between the rights of the individuals and their own legitimate interests and goals.
Noord: What are you finding to be some of the common pitfalls in interpreting EU GDPR?
AB: One of them is definitely when an organisation is looking for a legal basis to process data. There has been a focus on strengthening consent under GDPR and many organisations have focussed on that, rather than looking at other legitimate legal grounds they might have for processing data. So while consent has been strengthened it’s not the only option for organisations to pursue. I think this is important to point out. In some of the big data contexts you might think of contractual obligations or other legitimate interests the organisation has to base their process on. We have seen some issues around looking at the new rights individuals might have and the new points around accountability and how organisations might go about achieving those under GDPR. There are increased transparency requirements.
For example, the information you have to deliver to individuals when you gather their data may be more prescriptive. This may include how long you are going to keep that data for and perhaps who do transfer it to. In a big-data-agile project context, it could become more difficult and more challenging to meet these requirements within GDPR. Take also the right of access to data. How do you return all of the info you hold about an individual when you’re gathering it and you’re using a lot of info potentially for your analytics. Some of it may be anonymised, some parts might be aggregated, others not. How are you going to respond to that subject access request? It can be a complex task to identify personal data and the rights under GDPR will give individuals the ability to ask for that information initially free of charge. So I think when there is more complex , higher volume processing possible by utilising big data analytics organisations really need to consider individual’s rights to access data, object to processing or contest automated decisions made about them.
From a regulatory perspective, it would be to ensure that people at appropriate levels of seniority within organisations are taking data procreation seriously, that is something that GDPR really focuses on. It’s important for the higher levels of organisations to have accountability as that data is so vital for the digital economy, it so vital for a lot of organisations. Many organisations make a business of data and solely data and GDPR is evolving the data protection law to keep up with innovation and new uses of data. The important thing for me is to get the messages of privacy and information rights across to the senior level individuals within organisations and make sure that they are aware of what is coming down the line.
Security has become the definition of business and technology enablement. Noord InfoSec Dialogue has become a must-attend for CISOs, directors and heads of information security. The reason is simple, true peer-to-peer engagement. Simply filling seats is not the objective. We believe in putting people with the same challenges in the same space, in a highly interactive environment, so that knowledge can be shared and practical take aways can be reached. Register your interest to be part of the dialogue.