The objective of this module is to gain an overview of the ethics surrounding big data and the legislation that governs it.
Upon completion of this module you will:
- Gain knowledge on how to recognize the necessity of regulating big data
- Obtain an understanding of the difference between privacy and data protection
- Understand the need to implement data protection actions into your own business
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Data set Legislation
1. This programme has been funded with
support from the European Commission
Module 4:
Legislation
2. DATA SET SKILLS FOR BUSINESS
Module 4:
Legislation
The objective of this module is to gain an overview of the ethics
surrounding big data and the legislation that governs it.
Upon completion of this module you will:
- Gain knowledge on how to recognize the necessity of regulating big
data
- Obtain an understanding of the difference between privacy and data
protection
- Understand the need to implement data protection actions into your
own business
Duration of the module: approximately 1 – 2 hours
3. DATA SET SKILLS FOR BUSINESS
How about Ethics
Legislation
GDPR
Legal Glossary
1
2
3
4
Ethics of big data
Aspects of big data ethics
Privacy vs Data Protection
Basics of GDPR
Individual Rights
GDPR implementation
5. With the increase of computing power,
electronic devices and accessibility to the
Internet, more data than ever is being
produced, collected and transmitted.
Nowadays Big Data is big enough to raise
practical, rather than merely theoretical
concerns about ethics. Big data itself, like
all technology, is ethically neutral.
The use of big data, however, is not.
6. DATA SET SKILLS FOR BUSINESS
ETHICS OF BIG DATA
Collecting and analysing big data has become a powerful way to unlock
actionable insights across any business, but it also brings with it some
concerns about big data ethics that need to be addressed.
Because accessing and storing data is so easy, some organizations
collect everything and keep it forever. It is not just the large
governmental agencies collecting data like this, many major grocery
store chains, investment banks and even the postal services have
a predictive analytics function with the sole purpose of collecting and
analyzing data in order to predict buyer behavior.
QUESTIONS FOR STUDENTS
What if all this data collection takes a negative turn?
“Data can be either
useful or perfectly
anonymous but never
both”
Paul Ohm
7. Aspects Of Big Data Ethics
Big data is already outpacing our ability to understand its
implications. Businesses are innovating every day, and the pace
of big-data growth is practically immeasurable. To provide a
framework for dissecting the often nuanced and interrelated
aspects of big data ethics, the following key components can
help untangle the situation.
Identity Privacy
Ownership Reputation
8. AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
“Is online existence identical to offline existence?”
If our historical understanding of what identity means is being
transformed by big-data technologies, then understanding
our values around the concept itself enhances and expands
our ability to determine appropriate and inappropriate
action.
Big data provides others the ability to quite easily summarize,
aggregate, or correlate various aspects of our identity—
without our participation or agreement.
If big data is evolving the meaning of the concept of identity
itself, then big data is also evolving our ethical relationship to
the concept the word represents.
Identity Privacy
Ownership Reputation
9. AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
“Who should control access to data about you?”
Plenty of people would argue that we have gained a degree of control over how
the world perceives us e.g. Victims of abuse or people who suffer from the same
disease can share their experiences and gain an invaluable sense of connection and
community through the use of anonymous online identities.
But, have we lost or gained control over our ability to manage how the world
perceives us?
There are two issues.
Why do we expect the ability to self-select and control which facts we share with
the world online to be the same as it is offline? The difference between online and
offline expectations regarding the degree of control individuals have over open
access to data about themselves is a deeply ethical inquiry.
The goal is to understand how to balance the benefits of big-data innovations
with the risks inherent in sharing more information more widely.
• Second, should individuals have a
legitimate ability to control data about
themselves, and to what degree?
• First, does privacy mean the same
thing in both online and offline in the
real world?
Identity Privacy
Ownership Reputation
10. AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
Identity Privacy
Ownership Reputation
The degree of ownership we hold over specific information about us
varies as widely as the distinction between privacy rights and privacy
interests.
Does the information about our family history, genetic
makeup, and physical description, preference for Coke or
Pepsi, or ability to shoot free throws on the basketball court
constitute property that we own?
As open data markets grow in size and complexity, open government
data becomes increasingly abundant, and companies generate more
revenue from the use of personal data, the question of who owns
what—and at what point in the data trail—will become a more vocal
debate.
“What does it mean to own data about ourselves?”
11. AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
Identity Privacy
Ownership Reputation
One of the biggest changes born from big data is that now the
number of people who can form an opinion about what kind of
person you are is exponentially larger and farther removed
than it was even a few short years ago. And further, your ability
to manage or maintain your online reputation is growing farther
and farther out of individual control. There are entire companies
now whose entire business model is centered on “reputation
management”. We simply don’t know how our historical
understanding of how to manage our reputation translates to
digital behavior.
At a minimum, this is sufficient reason alone to suggest further
inquiry.
“How can we determine what is trustworthy?”
12. “Privacy on the
internet? That‘s an
oxymoron”
Catherine Butler
LEGISLATION
1. Privacy vs. Data Protection
13. Most users have been unaware of the
volume of personal data retained by
entities for various purposes. This is
beginning to change as awareness of
the data privacy debate is increasing.
The two trends—increasing
popularity of big data and
increasing awareness of data
privacy—are beginning to come to a
head and companies that intend to
capitalize on this era of big data need to
be conscious about and address these
basic ethical concerns.
15. PRIVACY DATA
PROTECTION
vs.
Is there any difference?
YES
• Privacy relates to the appropriate use
and control of data
• Data privacy protocols around the world
address the control people have over
their personal data and how they can
protect it from unwanted or harmful
uses
• It covers issues such as: what type of
data will be processed, where will it be
held, how long will it be held for
• Privacy applies whenever the data is:
- Collected
- Processed
- StoredWhich relates to a living individual
person who can be identified by that data.
• Data protection relates to the
confidentiality, availability and
integrity of data
• It focuses on two main areas –
the physical security of premises
and the logical security of data
and digitized information
• It covers issues such as: the
confidentiality, integrity and
availability of data, the
protection of networks, the
physical security of sites,
equipment, transport and
people
16. Data privacy, also called
information privacy, is the
aspect of information
technology that deals with
the ability an organization
or individual has to
determine what data in a
computer system can be
shared with third parties.
PRIVACY
17. PRIVACY
EU data protection rules mean that your personal data can only be processed
in certain situations and under certain conditions, such as:
– if you've given your consent (you must be informed that your data is being collected)
– if data processing is needed for a contract, for a job application or a loan request
– if there is a legal obligation for your data to be processed
– if processing is in your 'vital interest’, e.g. doctor needs access to your private medical
data
– if processing is needed to carry out tasks in the public interest or tasks carried out by
government, tax authorities, the police or other public bodies
Personal data about your racial or ethnic origin, sexual orientation, political
opinions, religious or philosophical beliefs, trade-union membership or health may not
be processed except in specific cases (e.g. when you've given explicit consent or when
processing is needed for reasons of substantial public interest, on the basis of EU or
national law). These rules apply to both public and private bodies.
Collection and processing of personal data
18. Data protection is the
process of safeguarding important
information from corruption,
compromise or loss. The
importance of data protection
increases as the amount of data
created and stored continues
to grow at unprecedented
rates.
Data Protection
19. ...is data which relates to a living individual who can be
identified:
from that data, or
from that data and other information which is in the
possession of the data controller,
And includes any expression of opinion about the individual
and any indication of the intentions of the data controller or
any other person in respect of the individual.
•...is PII data, consisting of Information as to:
•the racial or ethnic origin of the data subject,
•his political opinions,
•his religious beliefs or other beliefs of a similar nature,
•whether he is a member of a trade union,
•his physical or mental health or condition,
•his sexual life,
•the commission or alleged commission by him of any
offence.
Sensitive Personal Information
PII
Personally Identifiable Information
SPI
Data protection applies whenever we deal
with 2 types of information:
Data Protection
20. It is no exaggeration to say that we are
nothing more than a collection of data
to most of the institutions—and many
of the people—with whom we deal.
Big data poses enormous challenges
for data protection— both by
processors and regulators. It
simultaneously changes the context
and raises the stakes for Data
protection.
21. Impact: Credit/debit card information and/or contact
information of up to 110 million people compromised.
Details: The breach of Target costumers began before
Thanksgiving, but was not discovered until several weeks later.
The retail giant initially announced that hackers had gained
access through a third-party HVAC vender to its point-of-sale
(POS) payment card readers, and had collected about 40 million
credit and debit card numbers.cc
Impact: 145 million users compromised
Details: The online auction giant eBay reported a cyber
attack in May 2014 that it said exposed names, addresses,
dates of birth and encrypted passwords of all of its 145
million users. The company said hackers got into the
company network using the credentials of three corporate
employees, and had complete inside access for 229 days,
during which time they were able to make their way to the
user database.
Impact: 3 billion user accounts
Details: In September 2013 Yahoo announced it had been
the victim of the biggest data breach in history, likely by “a
state-sponsored actor,” in 2014. The attack compromised
the real names, email addresses, dates of birth and
telephone numbers of 500 million users. The company said
the "vast majority" of the passwords involved had been
hashed using the robust bcrypt algorithm.
With an increasing number of data breaches splashed across front
page news, companies have good reason to take security seriously
22. GDPR
1. The Basics of GDPR
2. Individual rights
3. Implementation of GDPR
As we were approaching this Big Data industrial
revolution, the laws governing its protection had
reached a point where they were a bit like an old
operating system. In need of an update or they
would have become unfit for purpose. Each
country, concerned about citizens’ personal data,
big data analytics and security, was attempting to
come up with its own legislation to control data. In
the European Union companies have to follow the
GDPR legislation.
23. General Data Protection
Regulation (GDPR) is a
single set of legislation
across Europe that gives
individuals get better
control of their personal
data.
GDPR
What is the
GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process data
under the
GDPR?
What are
the
consequenc
es of not
acting by
GDPR?
THE BASICS OF GDPR
24. The EU's General Data Protection Regulation (GDPR) is the
result of four years of work by the EU to bring data protection
legislation into line with new, previously unforeseen ways that
data is now used.
Currently, the UK relies on the Data Protection Act 1998,
which was enacted following the 1995 EU Data Protection
Directive, but this will be superseded by the new legislation. It
introduces tougher fines for non-compliance and breaches,
and gives people more say over what companies can do with
their data. It also makes data protection rules more or less
identical throughout the EU.
GDPR
What is
the
GDPR?
Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can
I process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
25. Firstly, the EU wants to give people
more control over how their personal
data is used
By strengthening data protection
legislation and introducing tougher
enforcement measures, the EU hopes
to improve trust in the emerging
digital economy.
Secondly, the EU wants to give
businesses a simpler, clearer legal
environment in which to operate,
making data protection law identical
throughout the single market.
The GDPR will apply automatically in all EU
member states from 25 May 2018.
While the overwhelming majority of IT
security professionals are aware of GDPR,
just under half of them are preparing for its
arrival, according to a snap survey of 170
cyber security staff by Imperva. Just 43%
are assessing GDPR's impact on their
company and changing their practices to
stay in step with data protection
legislation, Imperva found.
GDPR
What is
the
GDPR? Why was
the GDPR
drafted?
When will the
GDPR apply?
Who does
the GDPR
apply to?
When can
I process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
26. 'Controllers' and 'processors' of data need to abide by the
GDPR.
A data controller states how and why personal data is
processed, e.g. government, while a processor is the party
doing the actual processing of the data, e.g. IT firm.
Even if controllers and processors are based outside the EU,
the GDPR will still apply to them so long as they're dealing
with data belonging to EU residents.
It's the controller's responsibility to ensure their processor
abides by data protection law and processors must
themselves abide by rules to maintain records of their
processing activities. If processors are involved in a data
breach, they are far more liable under GDPR than they were
under the Data Protection Act.
GDPR
What is
the
GDPR? Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does the
GDPR apply
to?
When can
I process
data under
the GDPR?
What are
the
consequen
ces of not
acting by
GDPR?
27. Once the legislation comes into effect, controllers must
ensure personal data is processed lawfully, transparently, and
for a specific purpose. Once that purpose is fulfilled and the
data is no longer required, it should be deleted.
Penalties for violation of record keeping, security, breach
notifications and privacy impact assessment are greater of
$10 million or 2% of entity‘s global gross revenue.
Penalties for violations olegal justification for processing
(consent), data subject rights and cross-border data transfers
are greater of $20 million or 4% of entity‘s global gross
revenue.
GDPR
What is
the
GDPR? Why was
the GDPR
drafted?
When will
the GDPR
apply?
Who does
the GDPR
apply to?
When can I
process data
under the
GDPR?
What are the
consequences
of not acting
by GDPR?
28. DATA SET SKILLS FOR BUSINESS
Why not take BREAK and READ
Article 2 in the Resource
Section:
Guide to General Data Protection
Regulations (GDPR)
29. AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
INDIVIDUAL RIGHTS
A key part of the regulation requires consent to be given by the
individual whose data is held.
Organisations will need to be able to show how and when
consent was obtained. This consent does not need to be explicitly
given, it can be implied by the person‘s relationship with the
company.
However, the data obtained must be for specific, explicit and
legitimate purposes.
Individuals must be able to withdraw consent at any time and
have a right to be forgotten; if their data is no longer required for
the reasons for which it was collected, it must be erased.
30. The right to be informed
- The right to be informed
encompasses your obligation
to provide ‘fair processing
information’,
typically through a privacy
notice.
- It emphasizes the need for
transparency over how you
use personal data
The right of access
- Individuals have the right
to access their personal
data and supplementary
information.
- The right of access allows
individuals to be aware of
and verify the lawfulness
of the processing.
The right to rectification
- The GDPR gives individuals
the right to have personal data
rectified.
- Personal data can be
rectified if it is inaccurate or
incomplete.
The right to erase
- The right to erasure is also known
as ‘the right to be forgotten’.
- The broad principle underpinning
this right is to enable an individual
to request the deletion or
removal of personal data where
there is no compelling reason for
its continued processing.
The right to restrict
processing
- Individuals have a right to ‘block’ or
suppress processing of personal data.
- When processing is restricted, you are
permitted to store the personal data, but
not further process
it.
- You can retain just enough information
about the individual to ensure that the
restriction is respected
in future.
The right to data
portability
- The right to data portability
allows individuals to obtain and
reuse their personal data for their
own
purposes across different services.
- It allows them to move, copy or
transfer personal data easily from
one IT environment to another in
a safe and secure way, without
hindrance to usability.
The right to object
The right to object
Data Protection gives people the
right to object to the use of their
personal information in certain
circumstances.
You have the right to object to
your data being used for direct
marketing.
Rights in relation to
automated decision
making and profiling
- The GDPR has provisions on:
automated individual decision-making
(making a decision solely by automated
means without any
human involvement);and
profiling (automated processing of
personal data to evaluate certain things
about an individual).
- Profiling can be part of an automated
decision-making process.
31. AWARENESS
INFORMATION
YOU HOLD
COMMUNICATI
NG PRIVACY
INFORMATION
INDIVIDUAL
RIGHTS
SUBJECT ACCESS
REQUESTS
LAWFUL BASIS
FOR
PROCESSING
PERSONAL DATA
CONSENT CHILDREN
DATA BREACHES
DATA
PROTECTION
OFFICERS
INTERNATIONAL
GDPR IMPLEMENTATION
Companies are required to implement appropriate technical and organisational measures in
relation to nature, scope, context and purposes of their handling and rocessing of personal data.
Data protection safeguards must be designed into products and services from the earliest stages
of development.
12 steps you can make in your company to implementate GDPR
1 2 3 4
5 6 7 8
9 11 12
32. DATA SET SKILLS FOR BUSINESS
Why not take a BREAK and READ
Article 2 in the Resource Section:
Big Data: A Survey
-Min Chen
33. AWARENESS1
You should make sure that decision makers
and key people in your organization are
aware of GDPR and they appreciate the.
Implementing the GDPR could have
significant resource implications, especially
for larger and more complex organizations.
You may find compliance difficult if you leave
your preparations until the last minute.
34. INFORMATION YOU HOLD2
You should document what personal data you hold,
where it came from
and who you share it with. GDPR requires you to
maintain records of your processing activities.
You can’t confirm that data is correct or that your
organisation is in compliance unless you know what
personal data you hold, where it came from and who
you share it with. You should document this. Doing
this will also help you to comply with the GDPR’s
accountability principle, which requires organisations
to be able to show how they comply with the data
protection principles, for example by having effective
policies and procedures in place.
35. COMMUNICATING PRIVACY
INFORMATION
3
You should review your current privacy notices
and put a plan in place for making any
necessary changes in time for GDPR
implementation. Currently when collecting
data you must give people certain information,
e.g. identity and intended use.
This is usually done through a privacy notice.
There will now be additional requirements.
36. 4 INDIVIDUAL RIGHTS
Check your procedures to ensure they cover all the
rights individuals have.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-
making including
profiling.
37. 5 SUBJECT ACCESS REQUEST
You should update your procedures and plan how you will
handle requests to take account of the new rules:
- In most cases you will not be able to charge for
complying with a request.
- You will have a month to comply, not the current 40
days.
- You can refuse or charge for requests that are manifestly
unfounded or excessive.
- If you refuse a request, you must tell the individual why
and that
they have the right to complain to the supervisory
authority and to
a judicial remedy.
You must do this without undue delay and at the latest,
within one month.
38. LAWFUL BASIS FOR PROCESSING
PERSONAL DATA
6
You should identify the lawful basis for your
processing activity in GDPR and update your
privacy notice to explain it.
Under the GDPR some individuals’ rights will be
modified depending on your lawful basis for
processing their personal data.
The most obvious example is that people will have
a stronger right to have their data deleted where
you use consent as your lawful basis for
processing. You will also have to explain your
lawful basis for processing personal data in your
privacy notice and when you answer a subject
access request.
39. CONSENT7
You should review how you seek, record
and manage consent and whether you
need to make any changes. Refresh existing
consents now if they don’t meet the GDPR
standard.
You should read the guidance the ICO has
published on consent under the GDPR, and
use our consent checklist to review your
practices. Consent must be freely given,
specific, informed and unambiguous.
40. 8 CHILDREN
Do you need to put systems in place to verify
individuals’ ages? Or obtain parental consent.
GDPR will bring in special protection for children’s
personal data, particularly in the context of
commercial internet services such as social
networking.
The GDPR sets the age when a child can give their
own consent to this processing at 16 If a child is
younger then you will need to get consent from a
person holding ‘parental responsibility’. This could
have significant implications if your organisation
offers online services to children and collects their
personal data.
41. 9 DATA BREACHES
You should make sure you have the right procedures in
place to detect, report and investigate a personal data
breach.
GDPR introduces a duty on all organisations to report
certain types of data breach to the ICO, and in some
cases, to individuals
You should put procedures in place to effectively detect,
report and
investigate a personal data breach.
You may wish to assess the types of personal data you
hold and document where you would be required to
notify the ICO or affected individuals if a breach occurred.
Larger organisations will need to develop policies and
procedures for managing data breaches. Failure to report
a breach when required to do so could result in a fine, as
well as a fine for the breach itself.
42. DATA PROTECTION OFFICERS
You should designate someone to take responsibility for
data protection compliance.
You may need to designate a DPO
It is most important that someone in your organisation,
or an external data protection advisor, takes proper
responsibility for your data protection compliance and
has the knowledge, support and authority to carry out
their role effectively.
10
43. DATA PROTECTION OFFICERS
You should consider whether you are required to
formally designate a Data Protection Officer (DPO). You
must designate a DPO if you are:
-a public authority (except for courts acting in their
judicial
capacity);
- an organisation that carries out the regular and
systematic
monitoring of individuals on a large scale; or
- an organisation that carries out the large scale
processing of special categories of data, such as health
records, or information about criminal convictions. The
Article 29 Working Party has produced guidance for
organisations on the designation, position and tasks of
DPOs.
10
44. INTERNATIONAL11
If your organisation operates in more than one EU
member state, you should determine your lead
data protection supervisory authority and
document this.
The lead authority is the supervisory authority in
the state where your main establishment is. Your
main establishment is the location where your
central administration in the EU is or else the
location where decisions about the purposes and
means of processing are taken and implemented.
45. No matter what volumes of data
they’re dealing with, it’s crucial for
businesses to get a good handle on
where their data is, how it’s stored
and who has access to it.
The GDPR comes at a time when
customer expectations have never
been higher over the privacy of
their data. Putting the power back
into the hands of customers can
only serve the businesses who rely
on them, helping to build a far
more positive relationship and
engender consumer trust.
46. LEGAL GLOSSARY
PERSONAL DATA
Any information relating to a person who can be identified,
directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, online
identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social
identity of that person.
CONTROLLERS
Owners of the data, who are responsible for data protection and
make sure processors are compliant.
PROCESSORS
Work with the data and have to take responsible actions with
the data. The relationship between Controllers and Processor
must be documented.
PROFILING
Any automated processing of personal data to determine
certain criteria about a person.
BREACH AND NOTIFICATION
A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise
processed.
DATA SUBJECT ACCESS REQUESTS
The right of the individual to understand what is stored and
how it is used.
DATA PROTECTION OFFICERS
Public Authorities who have expert knowledge on data
protection laws. They deal with a large scale processing of
special types of personal data.
47. DATA SET SKILLS FOR BUSINESS
FINISH by WATCHING Video 1
in the Resource Section:
Digital ethics and the future of humans in
a connected world
-Gerd Leonhard (Ted X talk)