GRC Tuesdays: Part One—Big Data Privacy Risks and the Role of the GDPR
Data privacy concerns anyone using the intra- and internets of our global big data community. But many social media and web shop customers, employees, and global organizations aren’t fully aware of the privacy risks their online activity poses. Likewise, many individuals and businesses don’t realize there are actions they can take to guard themselves against the most hazardous risks.
There are two parties prompted to take protective actions by the General Data Protection Regulation—individuals and organizations with global customers coming from the European Union and other countries.
Major Privacy Threats and Their Impacts
There are multiple ways that Big Data analytics can invade personal privacy. The inherent risks are [1]:
- Discrimination: Use of predictive analytics to make determinations about individuals
Predictive analytics can be used by the public and private sector, by the government and by companies, to make determinations about our ability to fly, to obtain a job, to get a clearance, or to get a credit card. Using our associations in predictive analytics to make decisions that have a negative impact on individuals can lead to discrimination.
- Embarrassment of breaches: Create public awareness by exposing personal information – identity theft
Examples include data breaches at multiple retailers like Target and Home Depot, restaurant chains like P.F. Chang’s, online marketplaces like eBay, government agencies, universities, online media corporations like AOL and the recent hack of Sony that not only put unreleased movies on the web but exposed the personal information of thousands of employees. Also, public awareness about credit card fraud and identity theft is at an all-time high.
- Abolishment of Anonymity: Removing only a few data sets can lead to re-identification
Without rules for anonymized data files, it’s possible to combine data sets. If data sets are combined without first determining whether any other data items should be removed to protect anonymity, it’s possible that individuals could be re-identified.
- Government exemptions: Collecting and adding more and more personal information to governmental databases
As an example, Americans are in more government databases than ever, including that of the FBI, which collects Personally Identifiable Information (PII) including name, any aliases, race, sex, date and place of birth, Social Security number, passport and driver’s license numbers, address, telephone numbers, photographs, fingerprints, financial information like bank accounts, employment and business information and more. And who guarantees AAA quality of that data?
- Data Brokerage: Selling of unprotected and incorrect data profiles
Numerous companies collect and sell consumer profiles that are not clearly protected under current legal frameworks. The data files used for big data analysis can often contain inaccurate data about individuals, use data models that are incorrect as they relate to individuals, or simply be processed with flawed algorithms.
- Data misinterpretation: Having more data is no substitute for having high-quality data
While one can find countless political opinions on social media, these aren’t reliably representative of voters. A substantial share of tweets and Facebook posts about politics are computer-generated.
The role and importance of information management and governance in data privacy will be a key success factor for all organizations with European Union customers. Next week, I’ll break down the fundamentals of the required changes that will go into effect with GDPR.