Big Data Regulation: Navigating the Maze

As technology advances, companies are not the sole beneficiaries of change and renewal. Governance therefore needs not only to tackle oncoming challenges to national security, but also to show a social conscience through civil protections. As information is the ‘oil of the 21st Century,’ policy must protect consumers against the unlawful use of their personal data. However, regulation also precipitates an increase in positions within a company, opening up opportunities for those who are policy-literate and technically trained.

The prominence of policymakers in this arena has ultimately resulted in an increasingly complex regulatory framework on big data and how to use it; companies require guidance and parameters. Unfortunately, these regulations are viewed as obtuse, an obstacle to the seamless transition to data-driven decision making in companies. So the key questions here are: first, how do companies navigate this maze of policy? Second, how can they not only use data regulation to their advantage, but also come to appreciate it? And third, will Brexit impact big data regulation?

Volume, variety, veracity and velocity are the four core characteristics of big data. There are huge benefits for companies that invest in these four areas of data collection and analysis; for instance, investment banks can use big data for predictive analysis and much more.

The regulation of such large amounts of data comes under two legal frameworks: intellectual property rights (protecting the data), and data protection/privacy law (using the data in a lawful and fair way). Protecting the database, by safeguarding the IP, is central to ensuring a company complies with intellectual property rights. Investing in safeguards is not an unworthy investment; even setting aside large amounts of data mining, protecting the IP should be a priority anyway. Binding license terms protect not only the consumer, but also the company. If data is stolen by a third-party actor, intellectual property rights provide safeguards to both consumer and company in the event of damage. The real question mark for the future of intellectual property rights is how companies insure their frameworks and databases.

Data protection and privacy laws are commonly cited as the real thorn in the side of data-driven decision making, as typically the more data you collect, the more accurate your analysis. Data protection/privacy law provides safeguards against excessive data mining and protects the consumer, which should be prioritised by companies. The application of data protection is a difficult field to navigate; anonymization may adhere to policies directly, yet other sets of data require an identifiable element in order to be useful for analysis.

Thus, ‘privacy by design’ is important to implement, to ensure that from the outset the analysis of big data is done in accordance with the law at every stage of the information lifecycle. Pseudonymisation is one method of building privacy-enhancing technology into the data strategy adopted by a company. Essentially, it encrypts the identifiable data, making it very difficult, or impossible, for third parties to obtain. Protecting the consumer is central to this strategy and should remain central to the overall objective of any investment bank.

It is in the direct interest of a company to account sufficiently and effectively for data protection policies and to navigate them. The key reason is client retention: a company that protects its clients’ data appears more trustworthy, so the client is less likely to move to a competitor and more likely to stay. KPMG highlights the centrality of a strong ethical code to data operations. Individuals in data analytics need to be up to speed with the requirements of data protection and understand the importance of changes in policy.

Brexit provides the next challenge for managers of risk, who oversee data protection and facilitate the navigation of the policy. The EU Data Protection Directive, enforced since 1995, has been the standard level of legislative compliance that companies have aligned their operations with, whilst the new General Data Protection Regulation (GDPR), replacing the Directive, will not come into force until 2018.

Companies are gearing up to adopt GDPR, ensuring that its central tenets are embedded within their structures. The most troubling aspect of GDPR for companies is the fact that it requires more cross-department dialogue. Legal and compliance must work alongside the technical team, who must then confer with the business force. Bringing together this triangular structure will require either a central figure, such as a Data Privacy Officer, or a particularly astute Chief Data Officer. As the role evolves, and GDPR becomes the norm, the task of adoption will diminish and products will adapt.

The future of data regulation is somewhat precarious as a result of the violently shifting policy arena in the UK, especially when it comes to trading in data post-Brexit. Moreover, the continuing prominence of data-driven decision making is making the need for continually adaptive regulation central. This does not, however, mean that companies are in direct opposition to the policy, nor does the policy have to be a hindrance to operations. First and foremost, it is within the interests of the company to protect its clients’ data. Second, companies will hire more risk management staff to ensure data operations comply with regulatory standards at every stage of the information lifecycle. The regulation of data works on a complementarity principle; companies that embrace this, and strategize alongside regulation, will face fewer data protection issues.