On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect for those who store the data of European Union (EU) citizens or might potentially receive traffic from them. In essence, it gives EU residents more control over their data and includes a right-to-erasure portion that allows people to request that companies delete their details in some cases.
Besides ensuring that data gets collected legally, the law obliges the relevant entities to protect that information and safeguard it from misuse. Following some types of data breaches, the affected companies must also notify the individuals harmed. Failing to do so could trigger fines of up to €20m ($23.2m) or 4% of a business' annual worldwide revenue, for the worst violations.
Before GDPR came into force, there was rampant speculation about how and when fines would get imposed, and if the new regulations would have a substantial effect on data ethics at large. So, what has happened since?
Stronger enforcement is on the horizon
On the consumer side of things, it may seem like the most obvious indication of GDPR's existence comes in the form of those annoying pop-ups that fill the screen and prevent progression when a person arrives at a website that operates in the EU and has not yet submitted data-handling choices for it.
But Giovanni Buttarelli, the EU's data protection supervisor, warns it will not be long before much more significant effects are evident. When speaking to TechCrunch, he clarified such a transition should happen "before the end of the year". He also has plans that span beyond GDPR and would affect the ethics of big data.
Buttarelli wants to publish a proposed framework for how EU privacy supervisors and antitrust regulators would work together on data-related issues. He intends for that manifesto to get revealed on the anniversary of GDPR initially coming into effect, meaning it could come out in a matter of months.
Furthermore, the newly formed European Data Protection Board aims to streamline the investigation of potential fines, so in the future, there should not be such a substantial span of time between the mistreatment of data and when a company receives notifications of wrongdoing.
The potential link between robust data collection and stifled competition
Today's society is one where the companies that can find out the most about their customers are often the ones that get ahead. That is why Margrethe Vestager, an EU commissioner who oversees competition, believes data collection practices could impact how well companies can compete in the marketplace.
For example, antitrust regulators are concerned about companies gathering data so thoroughly that they shut out other companies, thereby restricting competition. Vestager has noted that she sees data as a new form of currency, meaning GDPR is within her realm.
Data scientists must treat data differently
Besides letting people request companies get rid of their data, GDPR also requires companies to anonymize their data, unless identifying information is crucial to its worthiness.
As such, professionals working with big data need to take out identifying details before processing the information. Similarly, the businesses employing them should allow for training to occur or verify their workers know how to handle big data to avoid ethical violations and significant fines.
When companies abide by GDPR stipulations, they must treat data collected for human resources purposes differently than before these new standards came into effect. GDPR includes it in "special categories of data" that need additional protections.
If companies and their data scientists do not stay up to speed with how GDPR has changed things, they could find themselves unknowingly violating ethical best practices, not to mention in danger of incurring fines.
Consent does not give blanket permissions
Data scientists wishing to operate ethically must also realize that when a person gives initial permissions for data usage, it does not mean those examining the data have all-encompassing consent for things like data clustering and segmentation. Each time a business wants to use data differently, it has to obtain explicit permission first.
Another interesting thing about consent as it relates to GDPR is that people must be free to either give it or not. At NPR.com, if a person opts not to provide consent, they can still visit the text-only version of the site that does not collect cookies.
Conversely, if people do not consent to Facebook's terms of service, they cannot use the site. On the first day of GDPR enforcement, both Facebook and Google caught the eye of privacy watchdogs for appearing to force people into accepting service agreements.
Data collection could cause health-related conundrums
People in the healthcare field bring up how GDPR makes it difficult to know how to handle data ethically in emergency situations, such as getting consent from a patient in the EU who has a sudden cardiac arrest. Analysts say incidences of those often-fatal heart issues could go down with access to big data that provides much-needed societal details.
But, GDPR could restrict collecting observational data from patients and using it to draw informed conclusions that could lead to the survival of more patients.
Similarly, health professionals mention that since data related to genetics, race, ethnicity and medical information falls under those special categories of data mentioned earlier, there is a chance that following the ethical guidelines according to GDPR could restrict clinical trials that depend on big data to create risk profiles and otherwise propel medical advancements.
Reports have also come from clinicians who say they spend too much time dealing with bureaucratic hurdles and communicating with parties that have become overly afraid of sharing their data due to the potential for violating ethics with sensitive patient data. So, it is necessary to be careful that big data ethics and GDPR do not have chilling effects on medical progress.
Data analysts and businesses should expect further developments
The era of GDPR is only starting. Although this coverage explores some of the ethical concerns already apparent, more will undoubtedly arise over time.