Tip one: Know when data laws are engaged and who has to comply
However "big" the data, the same simple rule applies. The eight data protection principles in the Data Protection Act 1998 ("DPA") must be obeyed by "data controllers" who are "processing" "personal data." And don't necessarily fall for the "non personally-identifiable information" tag sometimes trotted out. The chances are that, if you dig deeper, there is "personal data" as defined by the DPA. There may even be circumstances where a device's IP address will be so regarded.
Even if "personal data" is not involved, so called "cookie" consent and disclosure laws may still apply (and, in a third-party advertising network context, potentially the CAP Code on online behavioural advertising disclosure and do not track rules). This is because neither requires the "processing" of "personal data" as such. For example, the simple storing of information on a device or the accessing of information on it will be enough to bring cookie laws into play.
Tip two: Understand the key data law obligations
Big data enjoys no special exemption from basic data law hygiene. So bake "privacy by design" into all your new data project processes. For instance, if social network service users have posted content about your brand you want to use, don't even think about doing so unless you are satisfied, as an absolute minimum, that your purpose is lawful, that "fair processing" rules are satisfied and that the network users are being made aware and, where required by the DPA, have given consent.
Tip three: Take special care when using or operating as service providers
The vast majority of high profile data security breach cases where substantial fines have been imposed have involved foul-ups by data processors. Controllers and processors alike need clear pre-contract due diligence procedures, provisions in their statutory written contracts allocating responsibilities and liabilities, and reach-through powers against sub-contractors.
Tip four: When appending personal data sets, normal data protection laws apply
Much of the value in big data lies in its re-use, for example by combining an individual's social media postings with data sets already held about (hopefully) the same individual.
But apart from the need to ensure that this satisfies the "fair and lawful processing" DPA principle, the second, "purpose limitation" principle must also be observed. In essence, this means that unless the uses to which the combined data sets are to be put - for instance more sophisticated analytics and profiling followed by more targeted marketing of different products - are "compatible" with those for which the original data sets were collected, further consent is likely to be needed before such uses can start.
Tip five: Remember the "organisational" in the obligation to "take appropriate technical and organisational security measures."
The "organisational" element of the seventh data protection principle is often lost sight of. Compliance is not just a technical issue. No matter how sophisticated the data security software, in the cloud or elsewhere, both big data and data law compliance will be at big risk if internal structures and systems have not demonstrably been developed, put in place and followed so as to maximise data security.
DataIQ is a trading name of IQ Data Group Limited
Copyright © IQ Data Group Limited 2024