A Privacy Roadmap for Avoiding Major Risks with Big Data

Jessie VanderVeen
Published in Dattaca Labs
Jul 11, 2017

The benefits of big data continue to grow across sectors, driving innovation and efficiency and enabling more informed decision making, among other positive developments. Traditionally, legal protections have often applied ad hoc, rather than proactively. This approach raises the risk of legal exposure and can prompt a brand crisis if there’s a data breach or related disaster. While the General Data Protection Regulation, which will take effect in the EU next year, sets clear guidelines for businesses, incorporating several key privacy and consumer protection considerations, as discussed below, in shaping an organization’s big data practices can help avoid or mitigate big data disasters.

Privacy Review

Privacy considerations can be effectively incorporated as one of the early steps when exploring and designing big data strategies. Identifying legal risk areas upfront and understanding the implications of a data breach can support informed and strategic decision making about what particular types of data should be collected, the risks associated with such data collection, and what safeguards should apply to manage these risks.

Matching up the business case for collecting data points can also help companies assess whether the particular business need is commensurate with the related risk of data breach. For example, certain legal obligations are more likely to be triggered when working with sensitive types of information, including health, financial, precise geolocation information, or data pertaining to minors.

De-Identified Data Carries Obligations

One common dismissal of a privacy assessment is that big data does not include any personally identifiable information (PII). However, with respect to big data, and the ability to analyze data sets efficiently to identify individual behavioral patterns and personalized forecasts, this is an outdated concept. According to the U.S. Federal Trade Commission (FTC), businesses should conduct privacy analyses for data that can be re-identified to become personal information. This is typically due to technological advances and the ability to combine disparate pieces of data to lead to identification of a computer, device, or consumer, even if the individual pieces of data alone do not constitute personally identifiable information.

In an era of big data, reasonable protection against this type of reverse engineering should include a combination of technological fixes, as well as administrative protections. Assessing the capabilities and risks is more likely to lead to a balanced, informed approach to managing those risks.

Attention to Self-Regulation

Big data participants also should be mindful of self-regulatory codes that directly, or through contract terms, may layer on obligations. For example, the Network Advertising Initiative (NAI) applies strict requirements for the ad tech industry, including requiring opt-in consumer consent before merging personal data with previously-collected data that is linked or reasonably linkable to a particular computer or device (unless involving certain proprietary data), and passing on those obligations in contract terms with business customers and enforcing them. Other self-regulatory or industry standards also may apply. Failure to assess how such restrictions can impact the business case around big data can lead to a mismatch of expectations all around, in addition to potential legal exposure.

Cyber Defenses

Various sources put the average cost of a data breach anywhere from USD $4 million to $7 million. If big data systems are compromised, whether intentionally by a hacker or unintentionally due to an employee’s mistake, the number of exposed data points increases any potential exposure exponentially, and can negatively impact the brand.

Data security is appropriate anytime a system involves information that is protected; the expectations on such a system, and on those responsible for such data, increase as the scope and sensitivity of the data increase. Both business and legal expectations require that robust, advanced cyber protections are implemented and frequently updated to address ever-evolving vulnerabilities and threats.

* * *

Big data may be somewhat new; however, many of these legal considerations are not. Addressing them proactively, and updating these considerations as technology and the market evolve, will help maximize the possibilities of big data in a sustainable way going forward.
