GRC Tuesdays: Part One—Big Data Privacy Risks and the Role of the GDPR

Data privacy concerns anyone using the intra- and internets of our global big data community. But many social media and web shop customers, employees, and global organizations aren’t fully aware of the privacy risks their online activity poses. Likewise, many individuals and businesses don’t realize there are actions they can take to guard themselves against the most hazardous risks.

There are two parties prompted to take protective actions by the General Data Protection Regulation—individuals and organizations with global customers coming from the European Union and other countries.

Major Privacy Threats and Their Impacts

There are multiple ways that Big Data analytics can invade personal privacy. The inherent risks are¹:

1. Discrimination:Use predictive analytics for determination on individuals

The use of predictive analytics by the public and private sector can be used by the government and companies to make determinations about our ability to fly, to obtain a job, get a clearance, or a credit card. The use of our associations in predictive analytics to make decisions that have a negative impact on individuals can lead to discriminations.

2. Embarrassment of breaches: Create public awareness by exposing personal information – identity theft

Examples include data breaches at multiple retailers like Target and Home Depot, restaurant chains like P.F. Chang’s, online marketplaces like eBay, government agencies, universities, online media corporations like AOL and the recent hack of Sony that not only put unreleased movies on the web but exposed the personal information of thousands of employees. Also, public awareness about credit card fraud and identity theft is at an all-time high.

3. Abolishment of Anonymity: Removing only a few data sets can lead to re-identification

Without rules for anonymized data files, it’s possible to combine data sets. Without first determining if any other data items should be removed prior to combining to protect anonymity, ir’s possible that individuals could be re-identified.

4. Government exemptions: Collecting and adding more and more personal information to governmental databases

As an example, Americans are in more government databases than ever, including that of the FBI, which collects Personally Identifiable Information (PII) including name, any aliases, race, sex, date and place of birth, Social Security number, passport and driver’s license numbers, address, telephone numbers, photographs, fingerprints, financial information like bank accounts, employment and business information and more. And who guarantees AAA quality of that data?

5. Data Brokerage: Selling of unprotected and incorrect data profiles

Numerous companies collect and sell consumer profiles that are not clearly protected under current legal frameworks. The data files used for big data analysis can often contain inaccurate data about individuals, use data models that are incorrect as they relate to individuals, or simply be flawed algorithms.

6. Data misinterpretation: Having more data is no substitute for having high-quality data:

While one can find countless political opinions on social media, these aren’t reliably representative of voters. A substantial share of tweets and Facebook posts about politics are computer-generated.

Conclusion

The role and importance of information management and governance in data privacy will be a key success factor for all organizations with European Union customers. Next week, I’ll break down the fundamentals of the required changes that will go into effect with GDPR.

Learn More 

• Read our other GDPR  and  GRC Tuesday blog posts.

Sources

• ¹Taylor Armerding at:CSO| Dec 8, 2014 
• ²KPMG
• ³EY
• Reform of EU data protection rules
• Ernest Davis is Professor of Computer Science at the Courant Institute of Mathematical Sciences, New York University.