The big data at the foot off the wall called GDPR
Able to store an inexhaustible number of digital data, is “Big Data” compatible with the GDPR?
Have you ever wondered how much data everyone produces every day ? All these data which necessarily exceed human understanding (it is a question of petabytes or even zetaoctets) do not disappear by magic… In reality, they are gathered to form what is called big data.
The immensity of personal data and the big data
Big data is therefore the name given to the system(s) that allow(s) to store an inexhaustible number of digital data that new technologies produce (because of their operation) in order to analyze them.
This includes for example gps data, online shopping, emails and other texts, videos, photos, sounds and any other kind of documents…
A scientific definition was given in 2001 by Gartner (then Meta Group). Doug Laney exhibited big data according to the “3V” principle:
- Volume of data to be processed
- Variety of information (from several sources, structured or unstructured or semi-structured…)
- Velocity to reach
The submerged part of the iceberg
To achieve complete customer satisfaction and meet unaware customer needs, companies use these masses of data.
If at the first time the giants of the Web were the only ones to have recourse to it, it is necessary to be aware that this practice spread to a large majority of companies…
Let’s take a concrete case : I am a company whose ambition is to create an application for teenagers who practice an intense sporting activity. Very quickly questions of content, design… will appear. So, to position myself as a leader, don’t you think the better way is to use big data to get all the data of this typology target and have a great feedback of their habits, their needs, their desires, their tastes…?
This processing at a very large scale of data, thus allows thinkers to propose solutions always more adapted to the needs of consumers and thus to appear as unavoidable in their field.
Perfect, you say? And yet…
If consumers are asked what information about them is in big data, are they able to answer? Do they know which company(ies) benefit from it? Since when? For how long? What they get out of this treatment? How to stop the treatment?…
If the answer to these questions is difficult or even impossible to provide, we must know that in reality very concrete answers exist. They are simply unknown to the owners of these data…
→ Here the GDPR comes into play.
The power loss over personal data, the GDPR as a solution ?
The GDPR clarifies, strengthens, modifies existing data protection standards and creates new ones. It does so in a clearly stated desire to guarantee greater protection of personal data.
In this quest for protection and in order to guarantee ever-increasing minimum protection, it lays down basic principles to be respected in all circumstances. This is the case with the concept of Privacy by Design. A fundamental principle.
The privacy by design principle
This concept is not new and comes from Canada. If an element must remain concerning this principle, it is the following:
A priori: i.e. the systems implemented to collect the data must allow users to know the data processing that will be done (comes into play fairness, transparency and lawfulness).
Until the end of the treatment: this requires that the protection takes place from the processing of the data until its extinction.
So how do you reconcile a system in which data is used without the knowledge of its owner with the GDPR and the rights that guarantee?
Big data and the GDPR: a common ground?
What are the garantees of the GDPR?
- Inventory the data: this will start with everyone taking responsibility for the data they own. Who owns what? To answer this question, the DGMP asks companies to list all the data in its possession (processing activities register).
.This directory therefore has a dual purpose :
- To retribute the data to their owners and thus make them responsible for any action taken on them.
- Give individuals back power over their data (and thus guarantee their rights).
- Protect: in order to protect all natural persons, the GDPR intervenes at several levels.
As a first step, it requires companies to guarantee a set of rights. This will allow individuals to regain power over their data that was previously completely beyond their control.
Secondly, it obliges a certain behaviour concerning data processing. The GDPR requires companies to respect the obligations of transparency, fairness and lawfulness. These three seemingly harmless words are in fact what will guarantee the protection of companies’ use of these people’s data.
Therefore, big data is not incompatible with the GDPR, but a giant step remains to be taken before the solutions given by the GDPR are applied by all companies…