New data protection regulations and Big Data projects

This is currently a hot topic and the countdown to May 2018 is underway. The new General Data Protection Regulation (“GDPR”) has everyone focused everyone’s attention.

Beyond the approaching deadline, this interest is also justified by the fines. They are unprecedented, ranging from 4% of the previous year’s overall worldwide turnover to 20 million euros.

What are the key principles of the GDPR?  Why are operators particularly concerned? What impact does it have on big data?

7 key principles for understanding the GDPR

The GDPR consists of 99 sections and 7 principles. Personal data must be:

1. handled in a lawful, fair and transparent manner with regard to the person concerned.
2. collected for specified, explicit and legitimate purposes and not further handled in a way incompatible with those purposes.
3. adequate, relevant and limited to what is necessary for the purposes for which they are handled.
4. accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are handled, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is handled.
6. handled in such a way as to guarantee appropriate security of personal data, including protection against unauthorised or unlawful processing and against loss, destruction or accidental damage, by means of appropriate technical or organisational measures.
7. The data controller is responsible for enforcing the regulations and must be able to demonstrate that they are being complied with.

To ensure compliance with this regulation, the CNIL advocates an approach that respects the following steps:

• appointment of a data governance manager,
• mapping of the handling of personal data,
• prioritisation of measures to address the risks that handling poses to rights,
• risk management,
• organisation of internal procedures and compliance documentation to demonstrate compliance.

Mobile operators particularly affected by the new regulation

Personal data protection remains an area of major concern for European citizens.

According to a survey published by the Commission of the European Union in June 2015, 63% of customers do not have confidence in online businesses when it comes to protecting their personal data. Mobile operators and Internet Service Providers are in second position (62%).

Operators must therefore take advantage of regulation to restore their image and regain customer confidence.

Big data projects and the requirements of the GDPR

In the telecoms sector, several big data projects using customers’ and employees’ personal data have already been launched. They mainly aim to improve customer knowledge and personalisation of offers, as well as fraud and churn prevention (change of operator).

The GDPR does not focus specifically on big data, which involves the collection of large volumes of data. However, certain principles of big data may give rise to questions.

Let’s see some of them (big data vs GDPR):

Data mining vs purpose limitation

When it comes to the use of big data, two approaches coexist. On the one hand, there is the analysis of data to meet a specific need. And on the other hand, exploration which consists in collecting data without a precise objective (at least before the goal is identified or set). With the purpose limitation principle of the GDPR, will data mining still be possible? And if so, with which precautions?

The concept of data lake vs data minimisation

To facilitate access to high volumes of data, big data creates data lake. These are huge repositories of data from different sources that are stored in their raw state. The data lake does not filter the data and thus it is not restricted to what is necessary. This seems to run counter to the principle of data minimisation.

Machine Learning vs retention limitation

Learning algorithms are more powerful the more data they have. What data retention limit needs to be set in order not to be in breach?

Complex data cross-referencing vs Data Protection Officer (DPO) responsibility

Big data analysis involves cross-referencing multiple data sources.  This makes it difficult to track and trace data flows. Will the DPO, a key person in terms of the GDPR, be able to demonstrate regulatory compliance?  In all cases, it is crucial that the latter is able to understand the flows, pattern and structure of the company’s personal data.

In this race against time to comply with the GDPR, companies are involved in a game with high stakes.

Some, as I have seen since October, are updating their request for consent on their website. Others have mobilised multidisciplinary teams including management, specialise staff, lawyers and IT to ensure they are ready.

When it comes to big data, a number of questions still remain to be answered. Companies need to strike a balance between regulatory compliance and extracting value from data processing.