Businesses around the world are using big data to make better decisions and improve their processes. Big data analytics can provide businesses with an advantage over their competitors. However, businesses mining and analysing big data sets must comply with a variety of complex Irish and EU laws and regulations. New EU data protection laws coming into effect from May 2018 mean data protection compliance will become even more important. Businesses using big data need to act now to keep data secure and become compliant with data protection laws and regulations. Businesses need to make ‘data protection by design’ and ‘data protection by default’ part of the DNA of their organisation.
Legal challenges with big data
Big data, and the insights big data analytics provide, can be a very valuable asset for businesses. However, managing the legal risks around big data, particularly in relation to data protection and privacy, is a challenge for many organisations.
What is big data?
Generally, the term ‘big data’ refers to the large scale processing, analysing and storing of enormous volumes of, often unstructured, computer-generated data from a variety of sources in near real-time.
Counter-intuitively though, big data is not actually about the data. It is the insights gained from sifting through the big data, known as ‘analytics’, which can help businesses make better decisions and improve their processes. This can offer a business an advantage over its competitors.
Practical uses of big data analytics
Businesses can use big data analytics to improve their existing processes and create new business models. It can allow the business to identify opportunities for new products and services, make online advertisements more targeted, or optimise its pricing.
Big data can also help a business manage its existing risks in a non-customer facing way. The outputs of big data can help the back-office function spot outlier transactions, which may indicate fraud or cyber-security breach. For a Fintech company, big data can help validate credit-worthiness decisions and make more informed decisions about them.
Data protection and privacy law
Big data carries legal risks that are common to many businesses that process and store data relating to living individuals. Privacy and data protection laws will apply to the business if the big data set contains any personal data, including sensitive personal data, such as names, addresses, health records, bank details or unique identifiers.
One of the biggest legal challenges for business seeking to mine big data sets is compliance with data protection laws and regulations. For regulators, the difficulty is that big data sets are often cross-jurisdictional and unstructured, which can make it difficult to determine what national privacy laws and regulations apply.
A new European General Data Protection Regulation (“GDPR”) will come into force on 25 May 2018. The GDPR represents the future of data protection and will replace the current EU data protection directive. As it is a regulation, it will apply directly and will not need to be implemented through each Member State’s national laws. However, Member States retain discretion in some areas. The GDPR brings with it a greater compliance burden for businesses processing and storing big data and increased accountability obligations. Organisations will be required to introduce internal record keeping and some businesses may need to appoint a data protection officer (“DPO”). The GDPR also has a wider scope than existing laws meaning it will capture both data and companies that previously fell outside the remit of the EU data protection regime.
Other legal challenges
Big data also brings specific legal risks related to data, such as data licensing issues, IP ownership and competition law questions about control over very large big data sets.
A business should carefully review any licence terms on which a big data set is provided and negotiate appropriate warranties and protections with the data’s owner. It is also important to document who owns the intellectual property rights in the data outputs once the data has been analysed.
Competition law is also becoming an increasing risk area for businesses. Control of extremely large sets of big data may raise market share or other anti-trust concerns from EU regulators.
Rising to the challenges
There are significant potential benefits for businesses that can leverage the insights of big data analytics to help them make better decisions and improve their processes. There are also real risks. These risks are multiplying as the volume of data being collected grows.
A business must be mindful of security and governance processes so that the personal data it stores or processes is secure and protected from misuse and hacking.
Businesses dealing with big data should also have appropriate privacy compliance processes and standards in place and be open and transparent about how information will be collected, processed and transferred. The new EU-wide data protection laws coming into force in 2018 will impose a greater compliance burden and increased accountability obligations on businesses. With the GDPR in mind, businesses using big data need to ensure ‘data protection by design’ and ‘data protection by default’ is part of the DNA of their organisation.
To help prepare for the GDPR, we have launched our "Getting Ready for the GDPR" Guide. The Guide will serve as a helpful resource for those looking to get to grips with the GDPR. Download the Guide here.