The age of Big Bata
In this digital age, more and more products are connected to the Internet and can be remotely controlled, such as televisions, thermostats, washing machines and even lightbulbs.
Through analysis of large data collections (‘’Big Data’’), new insights can be gained about the use of these products, but also about the users themselves.
This triggers the question: How does Big Data relate to Privacy?
Big Data, Little Privacy?
There are many privacy concerns in relation to Big Data, especially where it involves the analysis of personal characteristics and behavior. A commonly used argument is that Big Data is ‘anonymous’. However, by connecting all available data, detailed user profiles can be made, and can often be traced back to individuals, by using ‘unique identifiers’ such as IP addresses or a mobile number. In that case, ‘unpersonal’ data become ‘personal’ data, in which case the privacy laws apply.
Disconnect between Big Data and privacy
Big Data does not match well with privacy laws, for at least the following reasons:
- In the General Data Protection Regulation (GDPR), there is the concept of data minimization: the obligation is to collect as little data as possible, while in Big Data the whole point is to collect as much data as possible;
- Personal data may not be used for other purposes than the purpose the personal data was originally collected for (purpose limitation). Whereas in Big Data, the goal is to gain new insights. The exact purpose is then difficult to determine in advance;
Track-and-trace while you shop?
Some companies have experienced firsthand that new technology can clash with privacy laws. The company Bluetrace, that used ‘wifi-tracking’ to track visitors in shops, received a penalty from the Dutch Data Protection Authority. Bluetrace collected location data of shopping people on the basis of their Bluetooth signal, without informing them in advance. Moreover, Bluetrace collected and stored more data than strictly necessary for keeping track of visitor numbers. Bluetrace was obligated to inform all visitors in advance that they could be traced inside shops, but all personal data (e.g. unique mobile telephone codes) had to be irreversibly anonymized and erased within 24 hours after collecting the personal data.
Another Big Clash: track-and-trace your employees
The Dutch Data Protection Authority also investigated two other companies, where employees received a smart bracelet (wearable). It was a gift to the employees, but the employer received insights about the amount of movement and the sleep patterns of the employees. This is health data, which is a special category of personal data.
A basic privacy principle in labour relations is that employers may not have access to the health data of employees, even if the employees gave their consent. Due to the dependent nature of an employment relationship, an employee may feel forced to give consent, in which case the consent is not freely given.
Therefore, the processing of personal data of employees cannot be based on consent. After the investigation by the Dutch Data Protection Authority, the two companies stopped tracking the health data of their employees.
Big Data under the GDPR
We can safely conclude that the rapid technological developments can clash with privacy laws. And the privacy laws became much stricter in the entire European Union, with the GDPR since 25 May 2018.
The GDPR contains much stricter privacy rules than the previous privacy law, including:
- Restrictions on profiling and automated decisions.
- The new principles of ‘privacy by design’ and ‘privacy by default’.
- Before introducing a new technology, it may be required to conduct a Data Protection Impact Assessment (DPIA).
- Many organizations have to appoint a Data Protection Officer (DPO), especially when dealing with sensitive personal data, such as health data.
- Organizations should keep an internal record of all data processing done under their responsibility.
Privacy, a Big hindrance or business enabler?
Most organizations are already aware that in case of non-compliance with the GDPR, the Data Protection Authority may impose fines up to 10 or 20 million Euros, or 2 to 4% of the worldwide turnover, for each violation, whichever is higher.
So this is a good reason to take into account privacy (GDPR) into account from the start, if you consider using large data sets for your business. This is especially the case if you use large sets of personal data, or if the Big Data results may (negatively) impact any persons (e.g. higher prices, exclusion, negative outcome).
However, the main driver for embedding privacy into your business should NOT be to avoid the possible risk of fines and sanctions. The first reason should be to safeguard the privacy of your customers and employees, and second the protection of your business reputation and to avoid heavy fines.
Without the trust of your customers and employees, there will (eventually) be not much left of your business anyway.
There is a BIG misconception that nothing is allowed anymore under the GDPR. This is completely false! There are still many possibilities to use Big Data (that include personal data) for your business, if you have legitimate reasons to do so. You just have to be transparent about it, document and communicate it.
So the important question that all organizations should ask themselves today is:
“How can I embed Privacy in my business and use it as an enabler for my business, instead of a hindrance?”
If you would like to discuss this topic further with me, or if you have other questions about privacy, just send me a message.