Part 2. Legal compliance = primary enabler of Smart Data and Data protection by design and by default
As stated in the introductory post in this blog series, my aim is to develop a sound legal methodology for the generation of #SmartData from #bigdata in order to allow us to successfully harness value in massive datasets through the correct application of the data protection by design approach. It goes back to pure legal compliance basics: ensuring that data is collected in a lawful manner in order to permit analysis of the same.
Of course, we can’t forget that big data does not always equate to personal data. Big data could instead relate to information about objects, natural phenomena or technical information. As the EDPS pointed out in 2015 (Opinion 7/2015), however, “one of the greatest values of big data for businesses and governments is derived from the monitoring of human behaviour, collectively and individually”.
Analysis is key in harnessing value
The analysis and prediction of human behaviour is where value is really found in that it allows decision makers to make decisions that are beneficial, also economically, due to their accuracy and consistency. This is true with respect to big data analytics based on personal data used for university admissions, job recruitment, customer profiling, targeted marketing, and health services. By way of an analysis of vast data sets in any of the aforementioned fields, common threads can be used to predict whether or not Candidate X is fit for a position, or if Individual Y will develop heart disease in the future, providing insights which equate to value.
What is data protection by design?
Data protection by design means full compliance with the fundamental principles of data protection. Fairness, the very quality of data, and anonymisation and pseudonymisation techniques are of utmost importance in Smart Data Environments. A perfect understanding of the different parties involved in data processing (the controller, processor and joint-controller) and of the obligations and responsibilities of such parties is key.
But let’s go one step further to a more ethical nuance of privacy by design. The EDPS, in Opinion 7/2015 – Meeting The Challenges Of Big Data: A Call For Transparency, User Control, Data Protection By Design And Accountability, stated that “we need to protect more dynamically our fundamental rights in the world of big data”. In this way, traditional principles of data protection, including transparency, proportionality and purpose limitation, are at once to be strengthened and complemented by more recent principles such as accountability, privacy by design and privacy by default.
Data protection by design, following this logic, becomes a dynamic means for compliance with the fundamental privacy principles and the related obligations, protecting fundamental rights in the world of Smart Data. We can find confirmation of this hypothesis in Recital 4 of Regulation 679/2016 (GDPR) where it is stated that “[t]he processing of personal data should be designed to serve mankind.”
We can find guidance with respect to data protection by design and by default in Article 25 of Regulation 679/2016 which reads:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. (…)
Again, we return to the vital importance of compliance with data protection principles, the ultimate objective, which can be successfully achieved through the correct application of the data protection by design approach.