The University of Southampton
Research

Decoding data protection and GDPR

Exploring anonymisation and data-led innovation

Published: 27 November 2017

The data landscape in the UK will be changing in May 2018, when the General Data Protection Regulation (GDPR) comes into force. This legislation will revolutionise the way that data is handled across the UK and EU, holding data controllers and processors accountable with heavy fines for data breaches or non-compliance.

The benefits and challenges facing companies, organisations and individuals as a consequence of these changes can be confusing.  Dr Sophie Stalla-Bourdillon, Associate Professor in Information Technology and Intellectual Property Law, and Director of the Institute for Law and the Web (ILAWS), is working to better understand the GDPR and what it means for us all from a legal perspective, as well as promoting data-led innovation.

“I am trying to see to what extent the new GDPR will change practices, and whether it will meet the needs of individuals – or ‘data subjects’ – and people working with data,” she says.

“I am also working to understand whether the GDPR will open new opportunities or to what extent it imposes more constraints on the way we deal with data.”

The GDPR is, in many cases, a restatement of what was there with some sanctions at the end. It’s more comprehensive, because it enlarges a list of rights. It is more about security and the obligations of all the parties as well. The whole logic was already there with the Data Protection Act; it was just ignored.

Dr Sophie Stalla-Bourdillon - Associate Professor in Information Technology and Intellectual Property Law, and Director of the Institute for Law and the Web (ILAWS)

Understanding GDPR

Under the GDPR all personal data must be processed for a specific reason, with consent of the data subject, lawfully and transparently. Data must also not be held for longer than necessary.

This change will bring with it many benefits. For example, people will have the opportunity to ‘opt in’ to company privacy policies rather than having to ’opt out’ and will have the ‘right to be forgotten’ – meaning information can be removed from records of companies or organisations. Power will very much be with the individual.

It will mean a lot of work for organisations and companies and will inevitably be expensive and time consuming. However, Sophie emphasises that this is not all bad news:

“Actually, it will force companies to put data governance structures in place within their own organisations, and that’s a good thing,” she says. “It can appear costly in the first place, but it’s a way to encourage best practice around the use of data, and companies will soon realise that they don’t need all of the data they currently have."

Defining anonymised data

There are ways that companies and organisations can work with data outside of the scope of the GDPR. By using anonymised data, companies, businesses and organisations could share data more readily for research or analytics, in order to answer questions or solve problems.

However, the exact definition of anonymised data is unclear, meaning that it is hard for companies to know to what extent they need to be compliant with the regulation, or not. The steps required to get to the stage of anonymisation are also covered by the GDPR, and so the regulation still applies up until the point when the data is fully anonymised.

Along with her team, including a group of computer scientists at the University, Sophie is working to define anonymised data in order to help companies and organisations work with and share data easily and safely.

“I am trying to understand what anonymisation is, when you can speak about anonymised data and when you can’t, and what the implication of this spectrum of personal, pseudonymised and anonymised data is,” says Sophie.

Understanding what anonymised data really is can be complex, but ultimately the ambition is to significantly and meaningfully reduce the risk of re-identification. Sophie explains:

“Let’s assume you have a data set with some records of individuals; the records are organised at the individual level, but you don’t get names or addresses. However, you still have a number of attributes attached to that individual."

“If I only look at my data set, I could maybe make an argument that there is no way I can identify the individual; but if I combine that data set with extra information, potentially I could, and that’s when the individual is identifiable – because there is another data set available.”

Sophie’s work on anonymised data will enable companies to understand exactly when they are dealing with personal data, and when they are outside of the scope of the GDPR.

We want to gather data sets from data providers, and then offer the possibility to start-ups and innovators to use these data sets in order to innovate and come up with some solutions to specific challenges that we are facing.

Dr Sophie Stalla-Bourdillon - Associate Professor in Information Technology and Intellectual Property Law, and Director of the Institute for Law and the Web (ILAWS)

Innovating with data

Sophie is also exploring how data protection works alongside enterprise. The University of Southampton is leading Data Pitch – an international innovation programme working to unite organisations with subject-matter experts and start-ups working with data. Alongside the Open Data Institute UK (ODI), Dawex and Beta-i, Sophie and the team at Data Pitch are understanding how organisations can best create value from sharing data, establishing a European Data Innovation Lab, and identifying solutions to challenges using innovations with data. This work is funded by the EU’s Horizon 2020 programme.

Sophie says: “I am working on Data Pitch to understand to what extent data protection creates barriers to open innovation, and the interplay between the two."

“We are assessing data sets before sharing, and saying whether it is personal data or not and whether we need to pseudonymise or anonymise the data. Data providers also have the option to work with our IT innovation team to pseudonymise or anonymise data here at the University.”

The Data Pitch team are aiming to explore how data can be used to solve problems across numerous industries; they intend to improve access to sport and recreation and future-proof retail supply chains. They are also tackling challenges in tourism, lifelong learning and transport. Start-ups have been selected, and the teams are beginning the task of finding data-led solutions in these areas.

While the GDPR is more thorough, it is not in place to restrict data sharing; it simply protects data subjects when data is shared. Using anonymised data (or pseudonymised data ­– when organisational and technical measures are put in place to protection identifying additional information) would help start-ups and businesses remain compliant with the GDPR while they innovate.

More information about Sophie's research

You may also be interested in

Making the internet faster

Making the internet faster

Our research connects the planet; the whole global internet relies on our invention of erbium-doped fibre amplifiers that boost optical signals to allow fast telecommunications.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×