Concern Grows as GDPR Nears

Stephen DeAngelis

January 2, 2018

The late English author Sir Thomas Malory once penned, “The month of May was come, when every lusty heart beginneth to blossom, and to bring forth fruit.” This May will bring forth more anxiety than romance as the European Union’s General Data Protection Regulation (GDPR) takes effect. Alex Hickey (@its_ahickey) reports a PricewaterhouseCoopers (PwC) survey taken in late 2017 found “89% [of impacted organizations] are unprepared for the upcoming changes to data handling.”[1] One reason the number of unprepared businesses is so large is that they don’t understand the regulations. “According to research conducted by cyber security firm Trend Micro,” reports Nicholas Fearn (@nicholasgfearn), “there’s a great deal of confusion among businesses about such regulations.”[2] The regulation requires use of “state of the art” practices, but that term is not defined. Even what constitutes personal data is not as clear cut as you might think. If your company is not European-based, you may be thinking you don’t much care what the GDPR says. You should. David Horrigan explains, “If you’re sitting in Des Moines, thinking, ‘I don’t care what the Europeans do, I’m in Iowa,’ you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals — regardless of the organization’s location. Yes, Des Moines, that means you, too.”[3]

Big Data and GDPR

Katherine Denham (@katjdenham) notes, “GDPR will apply to all firms that handle customer data, meaning no sector is immune.”[4] If you think ignoring the regulation is no big deal, think again. Denham reports, “Companies that fall foul of GDPR will be subject to fines of up to €20m or four per cent of worldwide turnover, whichever is higher. So even for the big players, this new penalty is no walk in the park.” While the types of personal data affected by the regulation are clearly identifiable, things are not as straightforward as they may seem. Chris Lippert (@lippertchris), a senior associate at Schellman & Company LLC, discusses the nuances and potential traps contained in the regulation’s definition of personal data.[5] He begins with the definition:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

He notes the term “any information” is a broad term and one which should concern any company collecting and storing data. John Leonard (@_JohnLeonard) provides a couple of hypothetical situations that make the point. “A piece of data such as someone’s age or gender might not be enough to identify that individual on its own,” he writes. “However, if it is likely that the organization will be able to combine that information with other data, such as a post code in the future in order to build up a profile, then it may indeed be considered as personal data. A photo of a person in a crowd where they are not the main subject may not be personal information, but if the individual is the focus then that picture could be categorized as such.”[6] It takes little imagination to see why determining when and where the regulation applies can be so difficult. Akber Datoo (@akber_datoo), founder and managing partner of D2 Legal Technology LLP, notes, “Big data sets will often include personal data, and in many cases, it is not possible to separate the personal data from the non-personal data. The aim of big data is to uncover relationships within and amongst the information, through analytics and processing.”[7] The regulation, however, limits the type of automatic processing that can be done on private information. Datoo openly questions whether the regulation tolls a death knell for Big Data. He explains:

“Article 22 of the GDPR prohibits automatic processing, including profiling, where such processing has a legal effect on a data subject, or similarly significantly affects the data subject. In this regard, profiling is defined as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.’ Some of the privacy risks particularly pronounced in the context of big data profiling therefore include:

  • Processing of personal data outside of the purpose for which it was collected;
  • Use of incorrect and/or outdated information;
  • Discrimination or bias against certain individuals or groups resulting from the application of certain profiling algorithms; and
  • Processing of personal data in excess of what is needed in order to process it.

Because automatic processing involves such high risks to privacy, it is prohibited in principle under the GDPR, except where:

  • It is performed based on (explicit) consent; or
  • It is required to enter into or perform a contract, provided the data subjects concerned can contest an automatic decision and obtain human intervention.

Furthermore, the GDPR provides that sensitive personal data may only be automatically processed based on explicit consent, irrespective of the effect of such processing, and that data subjects must be informed of the use of automatic processing and given information on the logic used, as well as the potential consequences.”

Datoo concludes, “There are clearly some specific challenges in reconciling data protection principles set out in the GDPR with the characteristics of big data analytics. However, these are not insurmountable, nor incongruous with the aims of the GDPR. Organizations should, however, think through the why and the how in respect of big data profiling, and ensuring transparency and privacy by design are at the heart of their ‘big data journey’.” Horrigan notes the greatest onus falls on data controllers rather than data processors. He explains, “When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant.” He goes on to write:

“Article 4 of the GDPR provides the following definitions:

  • A controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’
  • A processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’

GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance.”

Summary

Regardless of whether you are confused, concerned, or unprepared for the implementation of GDPR, it’s coming. Just because you don’t live or work in Europe, don’t dismiss the possibility that GDPR could adversely affect your business. Your best preparation is information and I suggest you read all you can about the regulation and then quickly do all you can to ensure you are in compliance.

Footnotes
[1] Alex Hickey, “6 months to GDPR: What’s next?” CIO Dive, 28 November 2017.
[2] Nicholas Fearn, “GDPR is confusing businesses, claims Trend Micro report,” Computing, 7 November 2017.
[3] David Horrigan, “How GDPR will impact data management practices,” Information Management, 22 November 2017.
[4] Katherine Denham, “GDPR ignorance: Should we be worried?” City A.M., 9 October 2017.
[5] Chris Lippert, “The GDPR and personal data … Help!” Information Management, 31 October 2017.
[6] John Leonard, “What is personal data?” Computing, 28 November 2017.
[7] Akber Datoo, “GDPR and big data – friends or foes?” Computing, 26 July 2017.