Big Data and Global Data Privacy Regulations

Given Big Data’s benefits and the ability to process large amounts of all types of data at a fast speed, it is easy to think you should integrate all your data into this environment. But just because we can … should we? … and an additional question is, can we?

Big Data technological breakthroughs are enabling the realization of many benefits, including:

• Companies can improve their marketing and analytical insights capabilities, which enables them to grow their competitive advantage with new services and products.
• Consumers will be offered more choices based on their preferences, interests and buying patterns.
• Job seekers will find new opportunities in the area of Big Data, particularly in IT and data governance (DG) sectors.
• Consulting firms will promote their specialized skills in Big Data management.
• Technology firms will provide Big Data hardware and software offerings.

Big Data = Big Privacy Concerns

Given Big Data’s benefits and the ability to process large amounts of all types of data at a fast speed, it is easy to think you should integrate all your data into this environment. But just because we can … should we? … and an additional question is, can we?

When they contain personal information, Big Data environments, such as global data lakes, become subject to complex privacy regulations that are difficult to find out about. To ensure regulatory compliance, it’s key to have an understanding of the data privacy regulations (includes rules, laws, etc.) in the countries in which your company operates and/or has customers.

Not all data is created equally in the eyes of global regulators. We can argue the merits of various types of data, but personally identifiable data — or personal data, as it is referred to in the European Union (EU) — is increasingly being regulated as the global data privacy landscape continues to evolve.

“Just because we can integrate all our data in a Big Data environment does not mean we should … or can … given the global data privacy regulations.”

Personal Data Defined

The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, will impact members of the EU and companies that do business in the EU. GDPR has this to say about personal data:

“Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

Additionally, the GDPR includes special categories of data including “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

The GDPR is introducing significant financial fines — up to 20 million euros or 4% of gross annual turnover, whichever is higher — as the regulation seeks to strengthen individuals’ rights around consent and access. Additionally, the GDPR legislates the right to erasure¹ and also the right of data portability², as well as introducing new profiling measures that will impact Big Data environments.

The GDPR is just one example of tightening data privacy regulation. Data privacy laws vary by country and region. Countries may define personal data differently and may or may not specifically call out sensitive personal data. It’s critical to have an understanding of the data privacy laws in the countries your organization operates and/or has customers in, especially as it relates to the collection and management of personal data in the Big Data environment.

Managing Big Data Concerns

As your organization’s Big Data work team meets to define use cases, they need to ensure the data they want to integrate has analytical and business value. The integrated data must meet data privacy regulatory compliance requirements, which means that some data should not — and in some cases cannot — be integrated into the Big Data environment.

To capture the proper requirements, it is vital that regulatory compliance and legal stakeholders are involved in defining the use case requirements. The team will then understand the regulations and, with the assistance of the DG professionals, be able to translate legal’s recommendations into operationalized practices to ensure data compliance.

Specifically, you need to understand operationalized practices in order to determine if data should and/or can be integrated into the Big Data environment. This includes understanding the privacy principles underlying the various data privacy regulations. FSFP has created the following set of privacy principles, based on experience and industry authorities, which we believe covers the variations across different geographies, and can effectively guide operationalization:

• Management. The company develops an overall privacy framework for documenting policies and procedures and assigns accountability for privacy policies and procedures for personal data. This includes: developing and maintaining a personal data inventory; communication awareness; training; ongoing compliance monitoring; and processes for handling privacy-related complaints.
• Notice. The company provides notice about its privacy policies.  The purposes for which personal data is collected, used, stored, disclosed, transferred and retained — essentially throughout the data’s lifecycle.
• Collection. The company needs to collect personal data only for the purposes identified in the company’s notice.
• Use. The company needs to limit the use of personal data to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.
• Choice and Consent. The company needs to describe the choices available to the individual. The company needs to obtain implicit or explicit consent with respect to the collection, use and disclosure of personal data.
• Disclosure. The company needs to ensure it discloses personal data to third parties only for the purposes identified in the company’s notice and with the implicit or explicit consent of the individual.
• Retention. The company needs to retain personal data for only as long as necessary to fulfill the stated purposes or as required by law.
• Data Security. The company needs to protect personal data. This includes identifying the proper security access roles around authentication and authorization. The use of encryption may also be included. The GDPR captures the concept of “pseudonymous data”— personal data processed so it “can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” The GDPR considers pseudonymous data a type of personal data, but if companies pseudonymize their data they may benefit from some flexibility in certain provisions of the law.
• Quality. The company needs to maintain accurate and complete personal data for the purposes identified in the company’s notice.
• Access. The company needs to provide individuals with access to their personal data so the individual can review and/or update the data.
• Cross-border transfers. The company needs to understand the requirements regulating the movement of personal data. For example, currently (and this also continues in the GDPR regulation) the EU prohibits personal data from being transferred outside the European Economic Area unless the company assures an adequate level of privacy protection. Understanding a company’s Big Data infrastructure assists in understanding whether cross-border transfers will be needed, and if so, what mechanisms are available.

When your organization understands the impact of privacy principles related to data privacy regulations, it helps to ensure that Big Data use cases incorporate regulatory compliance requirements. Regulatory compliance is further enabled through data provenance and data pedigree requirements as companies need to be able to trace (or audit) the personal data throughout their various systems, including the Big Data environment.

Regarding data provenance, this means the ability to trace and verify the creation of data and how it has been used or moved among different systems and third parties, including how it was altered throughout its life cycle. Data pedigree is important, too, as it means maintaining a record of the ancestry of the data.

A company needs to understand, and be able to evidence, where the data came from and where it goes. This is done by tagging the personal and/or sensitive data. If the data is not properly tagged, it may impact the overall integrity of the Big Data environment, should a regulatory issue or inquiry come up. Tagging the data also enables the company to more easily understand and adapt to, changes in the data privacy landscape.

Managing Privacy: Think Globally, Act Locally

If you’re grappling with Big Data and global data privacy issues, you’re not alone — many companies are also seeking to understand and manage the complex and evolving privacy landscape. While there is no prescribed path to ensuring regulatory compliance in the Big Data environment, governing regulatory compliance is vital to maintaining your company’s reputation.

Remember, managing privacy concerns isn’t a one-team job. Partner with the DG team (and its processes) and include the regulatory compliance and legal stakeholders who understand the evolving global privacy laws, as they relate to your company and Big Data plan. This will help ensure that integrated Big Data meets data privacy regulations — both at home and abroad.

1 The right to erasure, a.k.a. right to be forgotten, is where individuals have the right to have their data “erased” in certain situations.
2 The right of data portability means individuals have the right to request their data be ported to themselves or a new provider, under certain situations, and the current provider needs to provide the information in a machine-readable format.

First San Francisco Partners (FSFP) is not a law firm nor does it represent one. Therefore, neither FSFP, nor any of its employees, consultants and sub-contractors, provide legal advice on data privacy regulations (e.g., GDPR).

FSFP expects that any enterprise that engages FSFP leverages the enterprise’s Legal and Data Privacy experts, often with outside Counsel, to interpret the data privacy regulation or law (e.g., GDPR) as they require.

Furthermore, FSFP expects that the designated enterprise’s Legal and Data Privacy expert(s) participate throughout any engagement involving FSFP to provide advice, guidance and interpretation (along with advice and/or guidance from designated outside Counsel) of the impact of the data privacy regulation or law (e.g., GDPR) on the enterprise.

FSFP’s role is not to provide this advice and/or guidance, but rather FSFP partners with the appropriate enterprise Legal and Data Privacy experts and other key personnel in Data Governance, IT, Risk, Procurement, etc., to translate the Legal and Data Privacy experts’ interpretation into operationalized practices supporting data privacy compliance.

FSFP does not guarantee compliance with any applicable laws and/or regulations (e.g., GDPR) in any jurisdictions (e.g., the European Union.) The expectation is that the enterprise reviews and vets the FSFP work products – including, but not limited to – content, deliverables, Readiness Assessment tools (e.g., GDPR) – essentially all artifacts – with accredited legal experts for final opinions.

Article contributed by Lynn Laverty. She is a senior data governance consultant with more than 30 years of experience across the financial services, insurance, healthcare and automotive industries. Lynn’s track record includes transforming operational functions in major, multi-site global organizations and being a senior leader in global data governance, data privacy, information technology and the broker/dealer space. She brings a demonstrated ability for developing strong working relationships with people across all levels and functions and has expertise in planning and executing business and customer-focused objectives.