Big Data – What is it and how does it affect you?

Big data is rapidly developing into a multi billion euro industry.  Ever more data is being collected by big corporations and increasingly sophisticated means of analysing such data enables companies to garner insights into their customers and business that were not previously possible and to in turn monetise this information.  While much big data that is gathered does not include any personal data, there are concerns that the technological developments in this area are far outpacing changes legislation and that data protection legislation does not take adequately account of these developments where personal data is concerned.

What is it?

Big data is the aggregation of large amounts of data that is analysed in a way to make it valuable for business to bring about change or enhance competitiveness or efficiency.  It is characterised by the four Vs  – volume, variety, velocity and value.

1. Volume:  It uses enormous datasets which are collected form a diverse range of sources such as internet searches, credit card purchases, phone usage or social media interaction.  The resulting data is so large that it cannot be analysed by traditional methods.
2. Variety:  As illustrated above big data may come from a variety of sources which traditionally would not have been possible to combine for example  information from social media use together with data from a store cards and online searches will combine to produce a more a detailed picture of a users preferences.
3. Velocity:  The beauty of big data for businesses is that analysis and processing can take place so quickly sometimes in real time.  The results will recalibrate themselves as new data in input.
4. Value:  The volume, variety and velocity of the data can result in very valuable information for business.  It can reveal patterns between sources of data that may result in useful insights or identifying trends or market predictions that would not otherwise be identifiable.  It can allow a business to interact with a customer on a very personalised basis.

The analysis of big data can result in unexpected correlations in data sets and can discern or predict information about people such as whether they are gay or pregnant although they may not be openly so and target marketing to them in that regard.

What are the data protection concerns for individuals?

If the datasets used contain personal data there are a number of concerns:-

1. Has the valid consent been given for the processing of the data in this manner?  Often the data used in big data sets was collected for some other purpose.
2. Where data is not sufficiently anonymised data mining may be possible to collate personal information about a person that would facilitate identity theft of other cyber crime.
3. There is a concern that data may be used for profiling which may lead to discrimination so rather than being used to identify general trends it may be used to make decisions about individuals.

What steps should businesses take to ensure data protection compliance?

1. Consent:  Ensure that valid consent is properly given.Consent is usually offered as or justification to the processing of personal data in big data sets.  However, to be valid, such consent should be informed, specific and freely given.  The manner in which the data will be used and the benefits of such use should be explained.  The difficulty of course is that so many of us just click ‘agree’ to terms and conditions without actually reading them or consenting is a pre-requisite to the use of a service or website.  Furthermore, we may never know that our data has been used in a particular way.  Therefore business should be explicit in explaining what is being consented to.
2. Fair Processing:  Data protection legislation requires that data must be obtained and processed fairly and lawfully.  Therefore a number of matters should be considered:
   • How was the data obtained?  E.g. – was it a pre-condition for the use of a service?
   • Was the data subject aware of how it was to be processed and by whom?
   • Was valid consent given? If data was collected for one purpose but is now being used for another purpose has further consent been obtained?
3. Purpose:  Data should only be collected for specified and legitimate purpose.  It may not be further processed for any use that is incompatible with the original purpose. Therefore the further processing is not necessarily prohibited but careful consideration is required to ensure it is not incompatible.
4. Time period:  Data should only be held for so long as is strictly necessary for the purpose for which it was obtained.  This can often be at odds with the concept of big data where increasing the amount of data is the name of the game.

As big data collection, sharing and analysis become ever more prevalent there will in time undoubtedly be more explicit data protection rules pertaining to it. In the meantime, businesses, particularly those using data they have not themselves collected, need to satisfy themselves that the data was obtained in a fair manner with explicit consent to the use by third parties. Where possible, businesses might consider anonymising personal data so that it is no longer personal data.  As a data subject remember your consent can always be withdrawn. However, to withdraw, you must first know that you have consented  Therefore, it is important not to blindly opt in or agree to terms and conditions without considering the consequences of where the data might go or what it might be used for.

For further information on the above, please contact Elaine McGrath at emcgrath@reddycharlton.ie