In discussions on GDPR Big Data regularly pops up as one of the reasons for a new approach to privacy at the EU level. So what are the key Big Data-related provisions of the new European data protection law – the General Data Protection Regulation?
Looking at the GDPR Big Data is nowhere specifically mentioned. But there are a few areas that have been either drafted with a view to encompass Big Data-related issues or carry additional weight in the context of Big Data.
1. Data processing impact assessment
According to the GDPR, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
This criterion is most likely going to be met in cases of Big Data analytics, IoT or Cloud operations, where the processing carries high privacy risks due to the properties of either technology or datasets employed. For example, linking geolocation data to the persons name, surname, photo and transactions and making it available to an unspecified circle of data users can expose the individual to a higher than usual personal safety risk. Involving data from connected IoT home appliances or using a Cloud service to store and process such data is likely to contribute to this risk.
2. Pseudonymisation
According to the GDPR, ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
At least two aspects link pseudonymisation to Big Data. First, if implemented properly, it may be a way to avoid the need to obtain individual consent for Big Data operations not foreseen at the time of data collection. Second, paradoxically, Big Data operations combining potentially unlimited number of datasets also makes pseudonymisation more difficult to be an effective tool to safeguard privacy.
3. The appointment of a Data Protection Officer
GDPR requires personal data controllers and processors to appoint a Data Protection Officer if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
Although there is no specific reference to Big Data, it is easy to see how these criteria would be fulfilled in case of performing Big Data analytics such as linking on a regular basis multiple datasets comprising records on individuals’ behaviour.