
Business Intelligence Individual Coursework

Research and Investigation into Ethical and Legal issues pertaining to Collection and Storage
of Personal Data/Information

MSIN1001: Individual Coursework

MSIN1007: Individual Coursework
Table of contents:

1. Introduction
2. Management Summary
3. Findings
3.1. Ethical Issues
3.2. UK DPA
3.3. Privacy and anonymity
3.4. Security and safeguarding users' personal data
3.5. GDPR context, background, enhancements to existing law
3.6. How companies should prepare for GDPR
3.7. How companies should manage user consent
3.8. Implications of a data breach
4. Conclusion
5. References

Introduction

Today, personal data is a high-profit business for companies that acquire and resell it.

Over time, these companies have started obtaining data excessively, putting users' privacy at
risk. While this has been happening, most users had no option but to comply with the
requirements of the companies that demanded their data, or simply did not know the possible
harms.

As good as the current legislation may be, businesses have found a way around it, and the data
they hold on each and every customer grows every day.

Access to this data is primarily used to offer targeted advertising to customers, but the harm
is great if anyone with bad intentions gets hold of it.

This is something that has to be prevented in the future. This report will look at what the
GDPR is, the new EU legislation coming into force in May 2018, and how it will resolve this
issue.

Management Summary

The goal of this report is to analyse the current data protection and privacy problems, along
with the ethical issues related to the use of personal data, which have become a larger issue in
the past years.

The findings draw attention to two particular pieces of legislation, the Data Protection Act and
the General Data Protection Regulation, the second one coming into force on May 25, 2017. Its
purpose is to enhance existing laws and provide more clarity in the way data is requested and
processed, and it does so in a few major ways:

- Companies will be required to request consent multiple times in smaller chunks, leading to
a better division of consent and better comprehension by users.
- They will have to restructure their databases and divide information based on its
sensitivity, and users can request this data.
- Users will know what their information is used for when they are agreeing to the terms
and conditions, and possibly also when and for how long.
- Consent of children will be limited, requiring parental consent under the age of 16.
- High fines will be introduced, reaching 20 million euro or 4% of global revenue.

The report concludes that all of these changes are, to a smaller or larger extent, necessary and
that the consequences for people and companies are expected to be positive after the GDPR
is enforced.

Findings

1. Ethical Issues

Ethics is essentially what enables people to differentiate between what is right and what is
wrong (Fieser, J. 2002).

The term has existed since the times of Ancient Greece and many people have tried to define
what ethics means; however, for the purpose of this report, ethical principles can be defined as
finding a consensus between the things that private companies do and the things that are fair
for the consumers (en.wikipedia.org, 2017).

Today, big tech companies like Google and Uber receive criticism for overusing their power
to stand against governments, and have been fined for that multiple times in 2017.

The ethical issue that has to be resolved, and that will be viewed more closely throughout the
report, is that these companies are perhaps invading people's privacy more than they should
be.

Google has all the data of people's searches and uses it in order to generate relevant
advertisements, and so does Facebook, for example. However, the trade-off turns out to be
unfair, and people are left with no other choice but to continuously sacrifice their privacy in
order to get convenience.

The GDPR, coming into force in May 2018, aims to put an end to the issue of companies
abusing their power to collect and sell people's data.

2. UK Data Protection legislation

According to ico.org.uk, 2017:

The UK Data Protection Act is a UK legislation from 1998 which has 8 core principles that
companies need to comply with in terms of protecting personal data. Personal data must:

1. Be fairly and lawfully processed: the company must be within the law when requesting and
using personal data.
2. Be processed for specified purposes: the use of the data must not exceed the specified
purposes.
3. Be adequate, relevant and not excessive: only the needed information is requested, without
information that the company can do without.
4. Be accurate and up to date: the information is updated and kept accurate in order not to
create confusion.
5. Be kept for no longer than is necessary: it is deleted after it is no longer needed (e.g. a
user ended a contract).
6. Be processed in accordance with the data subject's rights, which are the right to access a
copy, to prevent processing of data, to have inaccurate data deleted, to object and to be
compensated in the event of a data breach.
7. Be secure: it is protected well by the structures and roles assigned within the
organisation.
8. Not be transferred to countries without adequate data protection: usually, countries in the
EEA can receive it, as well as other countries that are perceived to have strong data
protection laws.

The Freedom of Information Act is another UK legislation, from 2000, which allows the
public to request data from public bodies (e.g. the government) (foia.gov, 2016).

It provides the right to access data on request, unless that would harm the security of the
country.

Both of these pieces of legislation are important, because they provide transparency, they are
necessary for people to trust organisations more, and they encourage organisations to be
fairer and more respectful of people's rights.

On the negative side, both of them take a lot of time to implement, as well as training of
employees and adopting particular computer software, which makes it difficult for small
companies and public bodies with small budgets to comply sufficiently.

3. Privacy and anonymity

Having privacy means being able to do things freely without the fear that someone will spy on
you or access data that can harm you (e.g. if it goes public).

For instance, because of government surveillance, people feel limited in what they say or do
due to fear of being watched.

Anonymity gives people the freedom to express their opinions by having no name, or by
distancing themselves from their real identity. For instance, when anonymous, people feel safe
that anything they say or do will not affect their actual identity.

For example, people will not announce that they are homosexual because they are likely to
receive judgement that can impact their whole life in the long run. If, however, they are
anonymous, they are likely to make claims about homosexuality online or announce their
sexual orientation in safe spaces.

Furthermore, anonymity is used widely in political elections when people cast their votes
anonymously.

Weaknesses of anonymity

One of the weaknesses of anonymity is that governments can't find criminals if they don't
have any information about them. For example, there are instances of police departments
using social media like Facebook to discover and track down criminals (Knibbs, K. 2013).

As companies like Google and Facebook grow, people's privacy and anonymity are shrinking.
The more personal data there is on the web, the easier it is for people to be discovered, judged,
have conclusions drawn about them, tracked down, bullied, etc.

4. Securing and safeguarding users' personal data

There are a variety of ways in which personal data can and should be protected in companies,
and it is their responsibility to keep it safe once they have acquired the user's consent to keep it.

The most common way of protecting user data is encrypting files so they can't be accessed
by third parties. This means that passwords are used to protect files from being accessed by
hackers.

Another safeguarding approach is to employ more people in roles that guarantee data security,
as well as data classification. Data classification refers to structuring the information into a
few different sections based on its sensitivity.

Another important step is to back up, and be able to recover, all the files on the system by
storing them in additional data storage. This way, even if a serious malware infection gets into
the system and deletes all the data, it can still be recovered from the additional data storage
before the company faces detrimental consequences.

As noted in the DPA, information should be disposed of after it is no longer necessary. For
example, this means that when someone no longer has an account for some application, the
company should delete the data it holds about them. This ensures that the information will not
be leaked and reduces the potential harm of a data breach.

In the future, companies should be continuously coming up with better protection software
and guaranteeing that they can handle the threat of hackers, who are constantly improving.
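The two safeguards above that can be automated, classifying data by sensitivity and deleting it once it is no longer necessary, are illustrated by the following Python example. It is an added example, not code from the coursework, and the sensitivity classes, retention periods and the sample account record are all constructed for illustration; a real retention schedule would be set by the organisation's legal and compliance function.

```python
"""Storage-limitation enforcement over a classified user record.

Added example (not from the coursework). Retention periods, class names
and the sample account are constructed values for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Days a field may be kept after the account is closed, per sensitivity class.
# Constructed policy: the more sensitive the data, the sooner it is deleted.
RETENTION_DAYS = {
    "public": 365,       # e.g. display name
    "internal": 90,      # e.g. usage statistics
    "confidential": 30,  # e.g. contact details
    "restricted": 0,     # e.g. payment data: delete as soon as the account closes
}


@dataclass
class Field:
    name: str
    value: str
    classification: str  # key into RETENTION_DAYS


@dataclass
class Account:
    user_id: str
    fields: List[Field]
    closed_on: Optional[date] = None  # None while the account is active


def expired_fields(account: Account, today: date) -> List[str]:
    """Names of fields whose retention period has run out on `today`."""
    if account.closed_on is None:
        return []  # active account: nothing is "no longer necessary" yet
    expired = []
    for f in account.fields:
        keep_until = account.closed_on + timedelta(days=RETENTION_DAYS[f.classification])
        if today >= keep_until:
            expired.append(f.name)
    return expired


def purge(account: Account, today: date) -> List[str]:
    """Delete expired fields in place; return what was deleted, for an audit log."""
    doomed = set(expired_fields(account, today))
    account.fields = [f for f in account.fields if f.name not in doomed]
    return sorted(doomed)


def sample_account() -> Account:
    """Constructed sample record for a user who closed their account."""
    return Account(
        user_id="u-1001",
        fields=[
            Field("display_name", "alice", "public"),
            Field("login_count", "42", "internal"),
            Field("email", "alice@example.com", "confidential"),
            Field("card_last4", "4242", "restricted"),
        ],
        closed_on=date(2018, 5, 25),
    )


if __name__ == "__main__":
    acct = sample_account()
    # Run the purge job on three later dates and show what each run deletes.
    for day in (date(2018, 5, 25), date(2018, 7, 1), date(2019, 6, 1)):
        print(day, purge(acct, day))
```

Running the purge job repeatedly deletes the most sensitive field the day the account closes, the contact details a month later, and the least sensitive data after a year, so the quantity of data exposed by any later breach shrinks over time rather than accumulating.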

5. GDPR context, background, enhancements to existing law

Currently, businesses are still fighting governments and receiving fines for abusing people's
privacy, and things do not change because it is not clear enough what data is taken, when and
for what purposes.

The aim of the GDPR is to provide greater transparency between company policies and the
user by requesting separate agreements for every way in which their data may be used.
Furthermore, it will allow people to decline giving their data instead of being faced with an
unfair trade-off for convenience, when they don't have any other choice but to give consent.

The GDPR will start functioning on May 25, 2018.

According to Ico.org.uk, 2017 (see also FOIMan, 2017), the GDPR's principles are:

1. Lawfulness, fairness, transparency: being within the law, the company processing only
what it specifically promised to the user, and providing transparency to the data subject
about what data is used and for what.
2. Purpose limitation: no unnecessary data should be obtained about a data subject apart from
what they agreed to, and additional consent should be requested for each change.
3. Data minimisation: only the minimum amount of data should be kept about a data subject.
4. Accuracy: data must be kept up to date.
5. Storage limitation: data must be deleted after it is no longer necessary.
6. Integrity and confidentiality: security processes must be put in place to prevent theft by
third parties.

The rights of the data subject will include a right to increased transparency, which in the long
run will result in a better understanding of why and how their data is being taken. Some of the
possible benefits could be that people are paid for their data or promised better conditions,
because access to their data will be more difficult.

6. How companies should prepare for GDPR

In order to be prepared for the changes of the GDPR, most companies can hire consultants to
help them implement the changes. For instance, many companies are predicted to spend
additional money on legal and advisory help for the GDPR.

Some of the main steps they need to take are:

1. Structure their database. This means that they will have to collect all of their data and
put it in separate directories so it is easy to discover, and for some types of data they may
want to apply encryption so it is better protected. This may mean, for instance, that more
valuable data should require stronger encryption, as the consequences of it leaking are
bigger.
2. Request consent in different ways (so users are better informed). This basically means
that users will need to be better informed when they are giving their consent to companies.
According to the GDPR, companies will need to ask for consent at different stages for the
different purposes they may want to use the data for. This may mean that consent will be
required multiple times. They also need to be prepared to adopt ways of asking for that
consent. Additionally, they need to decide at which stages they need to ask for consent in
order for their processes to be legal.
3. Build stronger security to protect user data from breaches. As the penalties of the GDPR
are very high, it is essential for businesses to guarantee better security for their clients and
also to ensure that they will not be penalised for not keeping their data safe.

Therefore, companies need to address these important changes early on in order to be
prepared for the GDPR, which comes into force in May 2018.

7. How companies should manage user consent

Comparison between the DPA and the GDPR regarding user consent

Compared to the DPA, the GDPR has more clarity and explains further when and how consent
should be requested.

According to the GDPR, user consent must be obtained multiple times by adding different types
of consent for the different purposes. In a way, it has to be in smaller chunks instead of an
entire Terms and Agreements document. This would work similarly to the App Store, where
when downloading an application, it asks for different types of information and has icons so it
is visible and clear to users what data is taken from them. The only difference would be that the
GDPR also requires companies to provide a reasonable explanation of what they are going to
do with the data.

The GDPR also addresses special categories of users. Special categories of users can be defined
as children or impaired people. However, the GDPR primarily focuses on children's consent. It
specifies that children under the age of 16 must ask for parental consent, unless the government
of a particular country decides to lower this to 13 years of age (Ico.org.uk, 2017).

This is because in many cases children are unable to recognise the particular harms that can
arise from providing their data, and companies can intrude on their privacy without them
making a rational choice about it. Therefore, to protect children from exposing data about
themselves, the GDPR considers parental consent as an alternative until children are grown up
and can make these choices on their own.

What are the benefits and negatives of the GDPR approach to consent?

On the positive side, the GDPR requires a more detailed and comprehensible way of providing
information to data subjects. This would allow users to make a more informed choice.

A second benefit is that users would give consent for different things separately. This implies
that they can reject some functions of the website or application and only use the ones they
need. The result of this is that Facebook and other companies can no longer access all types of
data on the presumption that users agree to everything, but will have to ask for different types
of consent.

Furthermore, the approach to consent for special users can protect them from sharing their
data on the internet until they grow up and can make these choices rationally.

On the negative side, the GDPR slows down giving consent, and people need to spend longer
giving consent for all the different types of actions they want to perform.

Additionally, it will be really difficult for companies to decide where to ask for consent in
order not to be fined, and it may require them to hire a lawyer just to make sure they have
handled all the different types of request.

Lastly, teenagers under 16 are likely to feel annoyed by the requirement that their parents
must give consent, for a few major reasons. First of all, children are giving their parents access
to all of their private activity by asking them for consent all the time. They will not be able to
make decisions to go into some areas of interest that they may want to keep private from their
parents. Another reason is that some children around the age of 16 may not get along that well
with their parents, and it could be frustrating each time they ask for their consent; the parents
may also decline consent on purpose so that the children cannot access the pages. Thirdly,
when their parents are working or away, they may not respond to the request on time, and
this makes the whole process of browsing websites, registering and being active on the
internet very clumsy and irritating.

In the future, the GDPR's option regarding children's consent may need to be reconsidered.
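The consent model described in this section, one explicit decision per purpose, each accompanied by an explanation of what the data is used for, and parental consent below the digital-consent age, can be encoded as a small consent ledger. The following Python example is added here and is not part of the coursework; the purpose names, the age threshold setting and the sample data subjects are constructed assumptions, and the age check uses the 16-year default with a constant that a member state could lower to 13 as the text describes.

```python
"""Per-purpose consent ledger with a parental-consent age rule.

Added example (not from the coursework). Purpose names, the age setting
and the sample data subjects are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict

# Age below which parental consent is required: 16 by default, which a
# member state may lower to 13 (constructed configuration value).
DIGITAL_CONSENT_AGE = 16

# Each purpose gets its own consent decision; these names are constructed.
PURPOSES = {"account", "analytics", "marketing", "location"}


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    given_on: date
    by_parent: bool = False
    explanation: str = ""  # what the company told the user it will do with the data


@dataclass
class DataSubject:
    user_id: str
    birth_date: date
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)


def age_on(subject: DataSubject, today: date) -> int:
    """Whole years between the birth date and `today`."""
    years = today.year - subject.birth_date.year
    if (today.month, today.day) < (subject.birth_date.month, subject.birth_date.day):
        years -= 1
    return years


def record_consent(subject: DataSubject, purpose: str, granted: bool, today: date,
                   explanation: str, by_parent: bool = False) -> None:
    """Store one consent decision for one purpose, enforcing the rules above."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    if not explanation:
        raise ValueError("a consent request must explain what the data is used for")
    if age_on(subject, today) < DIGITAL_CONSENT_AGE and not by_parent:
        raise PermissionError("parental consent required for this data subject")
    subject.consents[purpose] = ConsentRecord(purpose, granted, today, by_parent, explanation)


def may_process(subject: DataSubject, purpose: str) -> bool:
    """True only if this specific purpose was explicitly granted; never assumed."""
    rec = subject.consents.get(purpose)
    return rec is not None and rec.granted


def demo() -> Dict[str, bool]:
    """Walk through an adult and a child subject with constructed sample dates."""
    today = date(2018, 5, 25)
    adult = DataSubject("u-1", date(1990, 1, 1))
    child = DataSubject("u-2", date(2004, 6, 1))  # 13 years old on `today`

    record_consent(adult, "account", True, today, "to operate your account")
    record_consent(adult, "marketing", False, today, "to send promotional emails")

    try:  # the child consenting alone is refused
        record_consent(child, "analytics", True, today, "to measure app usage")
        child_self_ok = True
    except PermissionError:
        child_self_ok = False
    # the same request with a parent's consent is accepted
    record_consent(child, "analytics", True, today, "to measure app usage", by_parent=True)

    return {
        "adult_account": may_process(adult, "account"),
        "adult_marketing": may_process(adult, "marketing"),
        "adult_location": may_process(adult, "location"),  # never asked: no consent
        "child_self_consent_accepted": child_self_ok,
        "child_parental_consent": may_process(child, "analytics"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The important design point is in `may_process`: a purpose that was never asked about is treated exactly like one that was refused, which is the opposite of the "users agree to everything" presumption the section criticises.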

8. Implications of a data breach

The GDPR puts an emphasis on breaches and tries to prevent them. There are a few changes in
the way companies operate, already mentioned: restructuring data and increasing the security
of systems. Both of these are necessary in order to build a better defence against data breaches.

Comparing the DPA and the GDPR, the first thing that can be noticed is that the fines for
non-compliance with the GDPR are much higher (10 million or 2% of global revenue compared
to 560,000 euro for serious breaches), and are therefore very likely to incentivise businesses to
comply (ico.org.uk 2017).

The effects on companies and users if they do not comply will be severe, and some companies
may even be put out of business by the high fines they need to pay.

For bigger companies, the biggest damage is unlikely to be the fine, as they will be able to pay
it several times in one year. The bigger problem for them will be media reports and the loss of
people's trust, which may damage their overall reputation and put them out of business in the
long run.

Companies, large or small, need to take the GDPR seriously and avoid possible data breaches,
as these may have long-lasting consequences for their company.

If they comply, however, companies may gain certain benefits from their compliance.

Their users might build more trust in them, as their reputation for security will be enhanced if
there are no data breaches.

Additionally, the requirement to structure data can make it easier for them to answer requests
and also to process this data.

The requirement to delete unnecessary data may save companies hundreds of thousands, if not
millions, of dollars in storage space just by clearing it out, and once cleared, it would also be
easier for employees to browse data when it is not overloaded with all sorts of information.

Conclusion

In conclusion, current legislation will be enhanced by the GDPR in 2018, as it provides
additional solutions to some of the problems existing today, such as reduced privacy and
ethical problems around companies' practices.

The GDPR will have additional results, such as strengthening data protection, classifying it
into sections, and providing greater transparency and more informed consent.

In the future, the relationships between users and companies may strengthen and build
additional trust if these companies are not fined for breaches and have a good public image.

Furthermore, users are likely to start understanding what their data is used for, when, and
which exact data. With this knowledge, they will be able to make better decisions on whether
they want to give their consent to different types of requests.

Based on this, the GDPR is going to enhance the way consent is requested and processed for
the benefit of people, and they will get a better understanding of the data they provide.

References

1. En.wikipedia.org (2017) Ethics (online) Available at:
https://en.wikipedia.org/wiki/Ethics (Viewed 20 Nov. 2017)
2. Ico.org.uk (2017) Key areas to consider (online) Available at:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/
(Viewed 19 Nov. 2017)
3. Ico.org.uk (2017) Guide to data protection (online) Available at:
https://ico.org.uk/for-organisations/guide-to-data-protection/ (Viewed 20 Nov. 2017)
4. Ico.org.uk (2017) Breach notification (online) Available at:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/
(Viewed 19 Nov. 2017)
5. Knibbs, K. (2017) In the online hunt for criminals, social media is the ultimate snitch
(online) Available at:
http://www.govtech.com/public-safety/can-the-police-use-facebook-to-investigate-crimes.html
(Viewed 20 Nov. 2017)
6. Foia.gov (2016) What is FOIA? (online) Available at:
https://ico.org.uk/for-organisations/guide-to-data-protection/ (Viewed 20 Nov. 2017)
7. Fieser, J. (2002) Ethics (online) Available at: http://www.iep.utm.edu/ethics/ (Viewed
21 Nov. 2017)
8. FOIMan (2017) GDPR's Duty to Document (online) Available at:
https://www.foiman.com/archives/2654 (Viewed 21 Nov. 2017)
