GDPR and big data - friends or foes?

Is the GDPR a guiding light to the benefits of big data, or its death knell?

We have only just started to reap the benefits of big data - from foreseeing deadly infections to fraud detection. It is a key source of value for many industry sectors: profiling, spotting market trends, product performance analysis and forecasting future outcomes.

The use of large data sets that are collated and analysed to discern patterns and make optimal decisions is an exciting journey many companies are only just starting to explore. There is, however, a potential darker side to the perceived benefits of big data: the effect on personal privacy. In this regard, is the GDPR a welcome guiding light to the benefits of big data, or will it strike a fatal blow to its utility in an attempt to protect our privacy?

What is the GDPR?

The GDPR will come into force on 25 May 2018 and will replace the current data protection legal framework based on the EU Data Protection Directive (95/46/EC). It will apply to any organisation worldwide that collects and processes the personal data of individuals located in the EU ("data subjects"). It enables individual Data Protection Authorities to impose significant fines for breaches, in some cases up to the higher of 4% of annual worldwide turnover and EUR20 million, which has certainly made organisations take note of the need to comply.

So why does big data cause problems in the context of the GDPR?

Big data sets will often include personal data, and in many cases, it is not possible to separate the personal data from the non-personal data. The aim of big data is to uncover relationships within and amongst the information, through analytics and processing. Given that the accuracy and trustworthiness of any particular data set may not be exact, but rather directionally representative, the starting point of big data itself runs contrary to a fundamental principle of the GDPR - that the accuracy of the personal data of a particular data subject in the possession of an organisation must be maintained and protected.

Furthermore, Article 22 of the GDPR prohibits automatic processing, including profiling, where such processing has a legal effect on a data subject, or similarly significantly affects the data subject. In this regard, profiling is defined as 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.'

Some of the privacy risks particularly pronounced in the context of big data profiling therefore include:

  1. Processing of personal data outside of the purpose for which it was collected;
  2. Use of incorrect and/or outdated information;
  3. Discrimination or bias against certain individuals or groups resulting from the application of certain profiling algorithms; and
  4. Processing of personal data in excess of what is needed in order to process it.

Because automatic processing involves such high risks to privacy, it is prohibited in principle under the GDPR, except where:

Furthermore, the GDPR provides that sensitive personal data may only be automatically processed based on explicit consent, irrespective of the effect of such processing, and that data subjects must be informed of the use of automatic processing and given information on the logic used, as well as the potential consequences.

Organisations have already accumulated large amounts of data - and the GDPR applies not just to data sets created going forward, but also to those already in existence today, insofar as such pre-existing data sets would be the subject of processing after the GDPR comes into force. It will undoubtedly prove problematic in practice to obtain the required explicit consent for specific uses of a data set that already exists (and is, in fact, already in use).

So how can big data be used in practice under the GDPR?

It is imperative that businesses review their current use of profiling and automated processing practices and processes, to:

Is the GDPR the death knell of big data?

There are clearly some specific challenges in reconciling data protection principles set out in the GDPR with the characteristics of big data analytics. However, these are not insurmountable, nor incongruous with the aims of the GDPR. Organisations should, however, think through the why and the how in respect of big data profiling, and ensure that transparency and privacy by design are at the heart of their 'big data journey'. With the EU's 2015 Digital Single Market Strategy targeting big data as a 'catalyst for economic growth, innovation and digitisation across all economic sectors […] and for society as a whole,' it is imperative that big data is seen as an opportunity to be actively nurtured and better understood, including through the prism of privacy compliance, so that its potential may be fully realised.

Akber Datoo is the founder and managing partner of D2 Legal Technology LLP (D2LT), a boutique legal data consulting firm dedicated to the capital markets space.

With his unique skill-set as both a qualified lawyer and technologist, Akber helps financial institutions create and implement legal risk and data governance frameworks for regulatory compliance and business optimisation.