Big data is a hot topic at the moment, with businesses, scientists and governments all keen to see what benefits it can suggest. But big data is not a game that is played by different rules. If it involves individual data, you need to go after the Data Protection Act. The ICO’s report gives our perspective as the regulator of that law.
1. What big data is
Big data is often defined by the so-called ‘three Vs’: volume, multitude and velocity: big data typically uses massive datasets, brings together data from different sources and can be used to analyse data in real time. But it is difficult to produce a watertight definition. Big data has been described as a phenomenon rather than a technology, and that’s a useful distinction.
Two. Why the ICO cares
Some big data won’t use individual information at all – for example when using climate data. That doesn’t concern us. But if big data uses individual information, such as data from social media or loyalty cards, then the ICO is interested. Using private data brings legal obligations under the Data Protection Act, and that’s regulated by the ICO.
Three. Big data can be done within the law…
This report isn’t attempting to discourage big data. Even aspects where big data and data protection seem in opposition can be resolved. For example, using all available data (rather than a sample) is considered a key feature of big data. This doesn’t obviously fit with a data protection principle that insists information must not be excessive. But that contrast doesn’t have to be a deal breaker, so long as the organisation addresses from the outset what it expects to learn from its research, and ensures the data used is relevant and not excessive for that aim.
Four. …but it’s lighter if you think about the law at an early stage
The key to that work is to consider it early in the process. We’ve spoken of privacy influence assessments and ‘privacy by design’ before, but it is crucial here. By thinking about data protection issues sooner, areas like whether to get people’s consent, using data fairly and keeping information secure become far simpler.
Five. Concentrate on the benefits
There’s a danger that organisations rush to attempt big data without thinking about what they want to achieve. By thinking about what benefits they hope to achieve, organisations will be in a better position to explain those benefits to customers. This goes some way to conforming with data protection law, and could also suggest a competitive advantage if it helps the organisations be seen as responsible and trustworthy custodians of customer data.
6. Anonymisation can help
Anonymisation is one route to consider. Done correctly, it means the information being analysed is no longer considered private data. Take the use of mobile phone data to track the movement of crowds of people. By unwrapping out the data that identifies individuals prior to the analysis, the anonymised data can be collective, for example providing retailers a chance to analyse footfall in a particular location. However, anonymisation is an enhancing challenge, with the ever-growing amount of publically available information enhancing the risk that individuals could be re-identified. Organisations must consider this risk.
7. The data protection principles still work (and you have to go after them)
Some commentators have argued that existing data protection law can’t keep up with the rise of big data and its fresh and innovative approaches to private data. That is not our view. The basic data protection principles already established in UK and EU law are supple enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules.
The same principles form the core of the proposed fresh EU regulation. What we need to modernise is the law around those principles, so regulators have the right contraptions to effectively enforce the law and improve data subjects’ rights, including transparency and more effective control of private data.
So read the report, understand the issues, and make sure you’re conforming with the law to reap the total benefits of big data.