Big data poses challenges for GDPR compliance. Anonymised data may become personal data, and terms and conditions should be drafted with care.
With the growing know-how in analytics and algorithms, big data, or mass data, creates new business opportunities and ways to efficiently analyse large volumes of data from different sources through new technologies such as data mining, artificial intelligence and machine learning.
When utilising mass data, one must pay attention to the applicable regulatory frameworks and carefully draft contractual provisions concerning data sharing.
The new Data Strategy of the EU aims to create a single market for the utilisation of data. The General Data Protection Regulation, which entered into force a few years ago, serves as one of the fundamental pillars of the Data Strategy from the individual’s point of view. The aim of the regulation, known as the “GDPR”, is not only to ensure the basics for the fundamental protection of privacy but also to create trust in the various service providers of the digitalised society. With the entry into force of the GDPR, individuals can trust that companies across the board are subject to essentially the same data protection rules within the EU.
Anonymised data can turn into data considered as personal data under data protection law
Even though most mass data is anonymised and is therefore not regarded as personal data under the current law, it should be borne in mind that when data from large data pools is combined, even anonymised data can become “contaminated” and turn into personal data. It is then subject to the requirements on data security, data protection and enforcing data subjects’ rights set out in the General Data Protection Regulation and imposed by national laws governing personal data processing.
Consider the following when processing personal data
We always recommend mapping the data your company is processing and estimating the resulting risks to the company itself and to the rights and freedoms of the data subjects. If the processed data may be considered personal data, the company ought to consider at least the following:
- Establish in which role (controller or processor) you are processing personal data
- Ensure your company has a lawful ground to process personal data
- Conduct a data protection impact assessment (DPIA)
- Comply with data subjects’ rights and provide required information
- Conclude an agreement on processing of personal data
- Ensure that your business partners are GDPR compliant
- Update and revise documented data protection and data security principles at regular intervals
What should you consider when drafting terms and conditions concerning data sharing?
Additionally, we recommend paying careful attention to the terms and conditions in agreements concerning data sharing. Among other things, the following should be considered when drafting such terms and conditions:
- Determine the mutual responsibilities of each party
- Determine the temporal and geographical scope of the contract
- Is data being purchased or licensed?
- Is there a need or right to transfer data to third parties?
- Who owns the rights to the possibly repurposed data?