IAPP Summit: BYOB (Bring Your Own Legal Basis)

Presentation Transcript
Gary LaFever:
[00:06] Let me start off by why you can't do big data, which starts with “What is big data?” And so, big data when we use the term is iterative data analytics, artificial intelligence, and machine learning. By definition, it's asking that second, third, fourth, fifth, nth question that you don't know when you start off. That's the magic of big data. So, that is big data.

[00:39] Does your company perform big data analytics using EU personal data? Because if you do, what happens when you can no longer use that data?

[00:50] There's a huge difference between the lawful processing of big data under the General Data Protection Regulation (GDPR) and being compliant. And so, that distinction is significant. Why? Because the ways that you used to do big data, which we call here linked or readily linkable data, are no longer permitted because they were premised on consent of the data subject. And how is a data subject going to give you unambiguous specific consent in advance to something by definition you don't yet know?

[01:29] We defined big data as interactive questions. So, if I can't give you the first question, it's impossible to get the data subject’s consent to the second, third, fourth, and the one after that. So, you have to have a new legal basis and new technologically enforced approach to do big data.

[01:49] You can be compliant by not doing big data. How many companies look to big data for their growth? They take the result of their operations and their transactional flow and they're looking to use that to increase the value of their organization. Other organizations are focused on secondary use of data. So, you have to be very, very careful that you don't ask your advisors and your technology providers to make you compliant but rather to have lawful processing of data.

[02:20] Very simple. If you're talking to a technology provider whose technology is more than 12 months old, there is no way it was developed to satisfy the GDPR because the very specific requirements for Pseudonymisation under Article 4(5) and data protection by default did not exist a year ago. So, you need to look at whether they meet your needs that you have today, tomorrow, next year, and next May under the GDPR.

[02:49] The 1, 2, 3s of BigPrivacy. First, we decouple the data from the identifying elements. This is what in the GDPR they refer to as Article 4(5). Decoupling the information value of the data from the means of attributing data back to the individual. Step one.

[03:16] Step two, protect the data by default so that only those data elements that were necessary or are necessary to support a very specific authorized use are revealed, no more. And then upon completion of use, they’re re-protected. This is the first half of the requirement for data protection by default.

[03:39] The third step, having done those two - decouple the data and protect the data by default - enables something that is very powerful, which is the granular control of sharing based on time, purpose, place that actually gives you the value you're looking for from the data without revealing any more identifying information than is necessary.

[04:01] But that's dynamic de-identification, which is the use of different pseudonymous identifiers at different times for the same data element. That's what decouples the information value from the means of attributing it back to the data. That's what enables you to protect the data by default to begin with. And in doing so, you can control the sharing.

[04:23] Before you go to do data analytics of big data, you have to have the right. And that right, for the most part, used to be premised on consent that no longer works. So, before anyone tells you their analytic system can do X, Y, or Z, you need to ask yourself: “What rights do I have to do that to the data?” Because the rights you had yesterday will not work tomorrow.