The Use of Data From Different Sources in the Frame of Big Data: Legal Issues

Guest blog post by Roberto Bilbao Urquiola from BIOEF

The term ‘Big Data’ refers to large amounts of different types of data produced from various types of sources, such as people, machines or sensors.

The European Commission, governments and private companies have understood the potential benefits of big data. According to “The EU Data Protection Reform and Big Data, Fact sheet March 2016”, big data will allow higher productivity and improved services, which are the source of economic growth. The use of big data by the top 100 EU manufacturers could lead to savings worth € 425 billion, and by 2020, big data analytics could boost EU economic growth by an additional 1.9%, which means a GDP increase of € 206 billion.

It seems that big data has come to stay, but the question that has been raised is how to use personal data without informed consent.

The problem is that data protection rules do not progress at the same pace, and regulation is necessary to ensure the privacy of users.

Big data in healthcare is overwhelming not only because of its volume but also because of the diversity of data types and the speed at which it must be managed.

In the Basque region, and in the context of the MIDAS project, child obesity prevention in the public health framework has been identified as the key public health policy. To shed some light on this topic, a few data sets with anonymized data will be used: clinical data, mobility data from telecom companies, consumption data from supermarkets, social media data, governmental open data, etc. The potential of such data sets is vast, but so are the potential issues that they confront. The challenge lies in the high potential for the abuse and misuse of databases and the need to apply high standards of protection and data anonymization.

Once the EU General Data Protection Regulation comes into force in May 2018, organizations will be legally required to carry out a Data Privacy Impact Assessment (DPIA) prior to the use of data and the implementation of new projects or technologies. The DPIA must be done at the early stages of the project and must explain how processing this data could impact the rights and freedoms of the data subjects. It must also detail the measures that will be taken to mitigate the risks, and the security safeguards and mechanisms that will be put in place to ensure the protection of personal data and compliance with the EU Data Protection Regulation.

In the Basque region, working hand in hand with the Basque Agency for Data Protection, we will develop our own DPIA for the databases we will be using for the MIDAS project.