By Michael Irene, PhD
There is a new saying: “data is the new oil”. It serves as a lubricant in many industries. To have more data is life for companies. As such, companies mine data in order to generate new information. David Hand, the British statistician, summarises data mining as “discovery of interesting, unexpected or valuable structures in large datasets.”
The keyword here is “large”. For data mining to be effective, companies must collect more information than is necessary which violates the purpose limitation principle in the Nigerian Data Protection Regulation. Companies, according to the regulation, must always collect data for the purpose agreed to by the data subject.
Data mining, therefore, might seem a hard chore for most companies. However, with the right technical and organisation measures in place, companies can mine data in a legitimate manner.
A business can collect data for the purposes of ensuring that they serve their customers better. For example, an air conditioner company can predict with greater degrees of accuracy when maintenance is required for their units located in various buildings. The company can decide to collect data such as temperature, vibration, noise, and images as such, giving them enhanced the ability to detect future faults with greater accuracy. This can be solved by (a) appropriate notification of data subjects (b) right consent mechanism.
From a business-to-business(B2B) perspective, a software company can help a farm carry out accurate analysis by mining data. This usually does not raise data protection issues. For example, the information from an agricultural solution, measuring the level of moisture in the soil, and potentially issuing a command to turn on a watering system for a given amount of time to reach a defined, set level, requires some level of data collection and analysis.
However, from the business-to-consumer(B2C) perspective, this can raise the data protection issue. A company provides a home automation system to customers, which provides temperature readings from a home, and automatically initiates air conditioning systems and window blinds to reach a cooler temperature with less sun impacting the levels and feeds this to an individual’s phone need to be wary of many things. Are we intruding in a way that would expose the customers to danger? Have we carried out a data protection impact assessment? Are we processing the right data?
There are pitfalls in data mining. If done wrongly it could expose a company to a data protection breach. If data identifies an individual, it best practice not to use it for extra purposes.
Data that does not identify an individual can be used without consent and other beneficial purposes of the company. To be on the safe side, the company that would need to analyse data needs to incorporate a robust anonymization system.
Companies can carry out data mining however, they need to employ the right technical and organisational measures for them to be on the right side of the law. To avoid been fined or exposed to data breaches, companies should gain consent from customers directly or find another lawful basis. Most companies, these days, mine data but it can be done legally and purposefully without violating or intruding into the privacy of individuals.