Challenges and Obstacles to Application of GDPR to Big Data

The primary focus of the General Data Protection Regulation (GDPR) framework is on protecting the rights of individuals to privacy, without compromising their personal data stored by state institutions and other organizations including commercial and utility companies.

Big Data, as it is known, allows masses of personal information about day-to-day lifestyles of individuals to be gathered for a variety of reasons, and what is allowed is set out in the GDPR framework, within security and restriction parameters to provide greater protection and rights to individuals.

It is however worth considering whether Big Data serves its purpose in its entirety, or whether it is used to pry into peoples’ behavior in living their lives in a liberal environment? So the question is whether it is all necessary?

Data protection law faces many challenges in the digital age, and the emergence of Big Data is perhaps considered to be the greatest. In the Big Data era, the public enjoys many benefits that internet technology offers to them, but at the same time, they also face potential breaches affecting their personal data. Failure to protect user accounts and personal data will directly threaten the privacy of users and the security of data.

At present, many organizations believe that once information is processed anonymously the identifiers will be hidden, and then the information will be released. However the reality is that the protection of privacy cannot be effectively achieved through anonymous protection only.

At present, for an example, China still lacks rules and regulations in user information management, and it does not have a good supervision system in the era of Big Data.

Another concern is the ability of criminals to intentionally fabricate and forge Big Data. The wrong data will inevitably lead to erroneous results, for example some people may create data to create data illusions that are beneficial to them, leading people to make wrong judgments.

For example, some websites contain false comments and ratings, and users can easily be lured into buying these goods and services based on the faked comments and ratings. The impact of false information is difficult to measure against the popularity of internet technology, and the use of information security technology to screen this data is also very difficult.

Technological advancements highlight the difficulties in sustaining GDPR in its entirety, and the right to be forgotten is one such area of concern. This is particularly relevant in circumstances in which an individual from the Euro Zone is faced with the option to removing personal files and if they had a rare disease and was the only known person with that variance, and access to medical records were denied, that would be an obstacle to medical investigation into the disease. GDPR has not provided an exception in such circumstances.

There is an obviously visible conflict between the data minimization principle of GDPR and the practices of Big Data analysis. Under the Big Data concept, firms do provide a clear incentive to collect and retain as much data as they can for as long as possible.

In theory, more data will provide greater knowledge and greater benefit to the organizations and society in general. Therefore, enforcing the data minimizations will limit the success to Big Data. GDPR states that data minimization could be achieved by pseudonymization, whilst on the contrary, one can argue that removing identifiers to achieve pseudonymization could potentially undermine the quality of the results derived, as the data would be purposefully altered.

Justification for gathering mass amounts of information about individuals has arisen as a result of evolving advances in communication technology used by billions of people around the globe. In such an environment, safeguarding personal identities has become virtually impossible against an ever increasing threat. It is a fact of life that we are all under surveillance whether in our homes or outside, and equally whether we use our own transport or public transport systems.

Our movements and behavior in public places are being monitored and recorded for variety of reasons, including personal safety, prevention of crime and vandalism.

Against that background, it is crucially important to strike a balance between the privacy of individuals and security of the state and the organizations. Is GDPR the answer to achieve that balance, and does it fit the purpose? We believe that it does to a great extent, unless legal constraints in many liberal states prevent application of GDPR in its entirety.

The case for revisiting GDPR is to identify lapses in the protection of big data and to ensure personal privacy.

What’s Hot on Infosecurity Magazine?