Fingers typing on a laptop with notepad, pen and mug in the background
View all research highlights

Making sense of data legislation

Digital Future societies and communities
Published: 8 February 2022

The General Data Protection Regulation (GDPR) came into force in May 2018. It changed the way we use data in the UK and EU. Data controllers and processors can be fined for breaches and non-compliance.

Understanding the legal implications

IT law and data governance researcher, Professor Dr Sophie Stalla-Bourdillon at Southampton, examines what this means for businesses and individuals. 

“I’m trying to see to what extent GDPR changes practice, and whether it meets the needs of individuals – or ‘data subjects’ – and people working with data. I’m also working to understand new opportunities or to what extent GDPR imposes more constraints on the way we deal with data.”

Personal data must be processed for a specific reason, lawfully and transparently. It must be used with consent of the data subject and must not be held for longer than needed.

This change is better for individuals because we now have:

  • the choice to ‘opt in’, rather than ‘opt out’ of company privacy policies
  • the right to have our information removed from company records

The implications for organisations is that they need to make sure governance structures are in place to comply with the legislation.

Creating opportunities with anonymisation

Working with data using techniques like anonymisation or pseudonymisation can also present valuable opportunities. Anonymisation removes information that can identify an individual person in a data set and pseudonymisation replaces it. 

Sophie is studying how these approaches can be used:

“I’m trying to understand what anonymisation is - when you can speak about anonymised data and when you can’t - and what the implication of this spectrum of personal, pseudonymised and anonymised data is.”

Sophie’s work will help companies understand when they are dealing with personal data, and when they are outside of the scope of the GDPR.

Sophie again:

“We want to gather data sets from data providers, and then offer start-ups and innovators the option to use these data sets to innovate, and come up with solutions to specific challenges we're facing.”

Connecting organisations working with data

Southampton is also leading Data Pitch – an international innovation programme working to connect organisations with subject matter experts and start-ups working with data.

The Data Pitch team are investigating how data can be used to solve problems across different industries including:

  • sport and recreation
  • retail supply chains
  • tourism
  • lifelong learning
  • transport

Sophie says:

“I’m working on Data Pitch to understand to what extent data protection creates barriers to open innovation, and the interplay between the two."

Related publications

Data protection by design: building the foundations of trustworthy data sharing
Sophie Stalla-Bourdillon, Gefion Thuermer, Johanna Walker, Laura Carmichael & Elena Simperl, 2020, Data & Policy, 2
DOI: 10.1017/dap.2020.1
Type: article
Data analytics and the GDPR
Sophie Stalla-Bourdillon & Alison, Mary Knight, 2019
DOI: 10.5040/9781509926237.ch-011
Type: bookChapter
Data protection by design: building the foundations of trustworthy data sharing
Sophie Stalla-Bourdillon, Gefion Thuermer, Johanna, Catherine Walker & Laura Carmichael, 2019
DOI: 10.5281/zenodo.3079895
Type: conference

Related institutes, centres and groups

Law and Technology Centre

The Law and Technology Centre brings together leading scholars with shared research interests in the intersection of law and technology drawing on the long-standing reputation of Southampton Law School as a vibrant hub in this field.