Challenges and obstacles to the application of GDPR to Big Data

The primary focus of the General Data Protection Regulation (GDPR) framework is on protecting individuals' right to privacy without compromising their personal data held by state institutions and other organisations, including commercial and utility companies. Big data, as it is known, allows masses of personal information about individuals' day-to-day lifestyles to be gathered for a variety of reasons; what is allowed is set out in the GDPR framework, within security and restriction parameters intended to provide greater protection and rights to individuals. It is, however, worth considering whether big data serves its purpose in its entirety or whether it is used to pry into people's behaviour as they live their lives in a liberal environment. So the question is whether it is all necessary.

Data protection law faces many challenges in the digital age, and the emergence of Big Data is perhaps considered to be the greatest. In the big data era, the public enjoys many benefits that internet technology offers. But at the same time, they also face potential breaches of privacy laws affecting personal data. Failure to protect user accounts and personal data will directly threaten the privacy of users and the security of data.

At present, many organisations believe that once information has been processed anonymously its identifiers are hidden and the information can then be released, but the reality is that privacy cannot be effectively protected through anonymisation alone. At present, for example, China still lacks rules and regulations on user information management, and it does not have a good supervision system in the era of big data. Another concern is the ability of criminals to intentionally fabricate and forge data in big data. Wrong data will inevitably lead to erroneous results. Some people may make up data to create illusions that benefit them, leading others to make wrong judgments. For example, some websites contain false comments and ratings, and users can easily be lured into buying goods and services on the basis of these faked comments and ratings. The impact of false information is difficult to measure against the popularity of internet technology, and using information security technology to screen such data is also very difficult.

Technological advancement highlights the difficulties in sustaining GDPR in its entirety, and the right to be forgotten is one such area of concern. This is particularly relevant where an individual from the Euro Zone with a rare disease is faced with the option of removing personal files containing a genetic variance: if that person happened to be the only known person with that variance and access to the medical records were denied, that would be an obstacle to medical investigation into the disease. GDPR has not provided an exception in such circumstances.

There is an obvious conflict between the data minimization principle of GDPR and the practices of Big Data analysis. Under the Big Data concept, firms have a clear incentive to collect and retain as much data as they can for as long as possible. In theory, more data will provide greater knowledge and greater benefit to organisations and to society in general. Enforcing data minimization will therefore limit the success of Big Data. The GDPR states that data minimization could be achieved by pseudonymization. On the other hand, one can argue that removing identifiers to achieve pseudonymization could undermine the quality of the results derived, as the data would be purposefully altered.

The justification for gathering mass amounts of information about individuals has arisen from evolving advances in the communication technology used by billions of people around the globe. In such an environment, safeguarding personal identities has become virtually impossible against ever-increasing threats from unauthorised access by hackers and the clandestine activities of various groups such as commercial enterprises. It is a fact of life that we are all under surveillance, whether in our homes or outside, and equally whether we use our own transport or public transport systems. In all cases our movements and behaviour in public places are being monitored and recorded for a variety of reasons, including personal safety and the prevention of crime and vandalism.

Against that background, it is crucially important to strike a balance between the privacy of individuals and the security of the state and of organisations. Is GDPR the answer to achieving that balance, and is it fit for purpose? The researcher believes that it is to a great extent, unless legal constraints in many liberal states prevent the application of GDPR in its entirety. The case for revisiting GDPR is to identify lapses in the protection of big data and to ensure personal privacy.



A PhD Student at Cardiff Metropolitan University reading cyber security.

Vibhushinie Bentotahewa