Personal information is a new asset class according to the World Economic Forum...

...delivering a new wave of economic and societal value. However, even with such obvious benefits, we often hear privacy, information security and data sovereignty being used as reasons not to develop a personal data capability.

Multi-national organisations face the challenge of meeting the privacy and security laws of multiple jurisdictions.

Although complex, it’s not impossible to enable a big data capability. It simply requires the same rigour businesses apply to other aspects of their operations.

The reality is that you can do a lot with personal ‘big’ data without breaching privacy laws or acting unethically. Understanding what the risks are and ensuring you can mitigate these is an important step on the journey to big data success.

Untrained users are the number one privacy risk

Education and training will go a long way to preventing privacy breaches with big data and indeed, any personal information.

Collecting personal information

  • Whether you are collecting personal information directly, via a third party or ‘creating’ it, certain mandatory matters must be notified to the individuals the information is about.
  • You must have an individual’s consent to collect sensitive information (unless an exception applies).
  • Seeking consent to use personal information ‘after the fact’ for a secondary big data purpose can be costly and difficult; it should be built in during the design phase.
  • Where health or personal information is being handled for big data activities it may be difficult to obtain an individual’s consent but it is required.
  • To ensure the relevant notification is given or consent obtained (if required) your policy and wording on websites, forms and all other sources through which the personal information is submitted must be clear and accurate.

You’re accountable for the de-identification, accuracy, use, storage and sharing of information.

Hackers like ‘data-rich’ personal information

Hackers are likely to target stores of valuable and sensitive personal information. Make sure you have the correct controls in place to prevent security breaches of this type. Encryption is one example but a comprehensive ‘prevent, protect and respond’ protocol is essential.

When building your big data analytics capability, you must consider privacy, information security and data sovereignty as core design elements in your solution.

With multiple jurisdictions and therefore varying requirements, global organisations must have a solution that will work within local guidelines but can be aggregated up for a more granular view of customers, suppliers and staff.

Key points when developing a privacy compliant big data capability:

  • Understand your jurisdictions and cross-border obligations
  • Constantly train and educate your people
  • Secure the data at a granular level
  • Assess the impact on privacy and security

Consider a privacy impact assessment (PIA) to establish areas of concern within your organisation including:

  • De-identification
  • Whether you will be recreating personal files with big data analytics
  • How personal information will be collected and whether notices have been provided correctly and relevant consent obtained
  • What personal information is needed and its purpose

Undertaking an information security risk assessment may also identify the steps required to protect personal information within your organisation.

There are a number of key areas to consider when using, storing, gathering, generating or altering personal information. Keep these in mind when organising and/or assessing your big data capability and practices.

De-identifying and re-identifying personal information

This is a critical area for big data & privacy. You must have robust and current de-identification policies, procedures and methods to maintain an individual’s privacy. This includes re-identification assessments to understand how effective your solutions are.

Ignorance is not an excuse and with fines of up to 4% of global revenue for privacy breaches in the EU from May 2018, it can be very expensive.

Managing and maintaining personal information

‘Privacy by design’ is the catch-cry for big data analytics & privacy issues. The idea is to achieve culturally-embedded privacy to ensure all levels of your business are compliant. A privacy management framework, explained in our next article, is one of the steps toward achieving privacy by design.

Collection, consent, notification and use of personal information

Personal information collected can only be used for the primary purpose/s identified in the notice provided on collection, unless an exception applies.

You cannot use personal information for any purpose other than that originally identified and you can’t collect more personal information than is needed for your legitimate business activities.

Security and incident preparation

Organisations must build on their traditional security and incident controls. They must shift from the ‘perimeter approach’, where an organisation attempts to guard the entirety of its data and information systems (a bit like building a wall), to an approach that operates at the data level, wherever that data resides.

The focus must be on protecting the information ecosystem — it’s an information first, system second approach. Organisations are still accountable even when data is held outside their systems by third parties. Knowing who has responsibility for that information and where it’s kept is essential.

Adrian Bole

Director at IdentityXP | Identity strategy, architecture and implementation

8 years ago

Insightful piece JP with some good call outs.

Good article JP, great perspective. Totally agree ... & to add an identity context to who is accessing that data would just put it over the top!
