GDPR has imposed greater restrictions on how businesses may use – or ‘process’ – personal data. The regulations give the individual much more control over information organisations hold about them. But what about open data –
that’s information that is apparently freely available to everyone. It may be contained on a public register created by a public body for example. Can businesses continue to freely re-use that data?
At Nath Solicitors in London we understand that, in the wake of GDPR, many of our clients are unclear about the extent to which they can continue to use open data sources for business development and other purposes. Here we explain what constitutes open data and how businesses and employers can exploit it for their commercial advantage – without falling foul of GDPR.
WHAT IS OPEN DATA?
Open data is publicly available data that can be freely used and redistributed while still protecting personal data.
In the UK and the EU there is a vast amount of public sector information (PSI) that’s produced and paid for by public sector bodies like ministries, agencies and organisations funded by the public sector. Under EU law it’s well established that some of this data should be available freely for use and re-use, including for commercial use.
Open data may include geographical information, statistics, weather data and data from publicly funded research projects and digitised books from libraries. The theory is that this information is capable of generating value for the economy through its re-use. It’s used most commonly in sectors such as technology, finance and investment and healthcare.
HOW CAN MY BUSINESS ACCESS OPEN DATA?
PSI open data has huge potential for the commercial sector. Many comparison websites for example use data from scores of different government departments and public bodies to help consumers make the right purchasing choices on a range of goods.
Of course the SMEs and new businesses that we represent won’t always have the same ability to access open data as larger entities might do. Challenges include determining how to collect, store and use open data – particularly when the data contains information that could identify a particular individual. Issues around GDPR will then inevitably arise.
HOW DOES GDPR AFFECT OPEN DATA USE?
A warning: Encouraging access to open data doesn’t mean a free for all for businesses seeking a commercial benefit from it. Businesses should always seek specialist legal advice to ensure their use of open data is consistent with GDPR. Failure to do so could result in heavy fines imposed by the Information Commissioner’s Office under the new high sanction regime of GDPR.
While most open data doesn’t include personal data (datasets usually consist of commercial information such as sales figures) some PSI open data will contain information about individuals that amounts to personal data under GDPR. If the open data you want to use contains personal information then you must usually seek the consent of the individual. Clearly when dealing with huge datasets it’s simply not practical to seek the consent of all the individuals concerned. But you can rely on one of the other lawful bases for processing data under GDPR. These are:
- Contract – where data processing is necessary for you to discharge a contract with the individual
- Legal obligation – where processing the information is necessary to comply with the law
- Vital interests – when the processing of data is essential to protect a life
- Public task – where you need to process the data to do something in the public interest
- Legitimate interests – when processing is necessary in the legitimate interests of you or a third party
If you can rely in one of these grounds you effectively dispense with the need for consent.
Alternatively you may be able to anonymise the data by removing personally identifiable information from the data.
The key thing to remember is that under GDPR individuals must give explicit consent to the processing of their data – whether it’s open data or not – unless one of the exceptions above applies or it’s possible to remove all personal references within the data that are capable of identifying an individual.
CONTACT OUR DATA PROTECTION SOLICITORS LONDON
If you wish to discuss open data and how your company may benefit from it in a way that is GDPR compliant please contact Nath Solicitors on 44 (0) 203 670 5540 or contact the firm online. We offer bespoke GDPR compliance packages to businesses in London and across the UK.
