GDPR: Setting a New Analytics Standard


You might be wondering if you are in scope of the new European Union General Data Protection Regulation (GDPR). Chances are if you do business in Europe, if you have employees residing in the EU, or if you have an external website, then you will likely be subject to the GDPR. Any company that touches European Union residents’ personal data will be required to abide by these regulations by May 25, 2018. If companies are in scope but are not compliant, they may be facing a fine of up to 4 percent of total revenue or 20 million euros, whichever is higher.

The GDPR ultimately requires best data practices to be in place for personal data. This will impact the way that systems are architected and integrated as well as security controls, policies, and procedures. While attempting to be GDPR-ready, documentation will be your best friend. The GDPR requires companies to have a Record of Processing Activities that explains which systems process your data, the reason for processing data, and which security measures are in place to protect that data. Whether you are a data controller or a data processor, you will share responsibility for this data and processing activities.

Data controllers determine the means for processing data, and data processors will process personal data on behalf of the controller. Processing by GDPR’s definition “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4). This means that data controllers and data processors both process data. For simplicity, I will be addressing processing in general and focus on how GDPR will impact the way companies pursue and practice data analytics. Keep in mind that both controllers and processors share responsibility.

What Does the GDPR Mean for Analytics?

GDPR enforcement will substantially change the behavior of companies that perform data analytics on personal information, whether they are processing on behalf of another company or processing their own employee or customer data.

Many companies have treated data subject information as if they owned it, seeing it as within their rights to use this data for whatever means they see fit. As long as a data subject has given their consent — traditionally in the form of checking a privacy policy box — companies have processed data in any way that suited their own best interests, including activities such as selling data, tracking behavior, profiling users, and other uses of analytics. Going forward, this will be an issue and may result in a hefty fine if these practices continue.

The GDPR grants rights to data subjects over their own data. This requires companies to let data subjects know what is happening to their information. A one-size-fits-all privacy agreement checkbox will no longer grant companies perceived ownership of personal data. Going forward, if your basis for processing is consent, then consent must be acquired for each processing activity. The request to process data should be specific and unambiguous to satisfy the GDPR requirements. This means data subjects must be clearly informed of and agree to the means of processing. If there is any activity that was not clearly communicated and agreed upon, additional consent must be requested.

Processing of data must be lawful. Traditionally, general analytics have been performed based on consent obtained by a general click-through in a privacy policy and terms of use. The GDPR introduces new standards of lawful processing, including obtaining consent that will make performing analytics more challenging:

“Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” (Article 6.1)

Even if a data subject agrees and provides consent to each data processing activity, or if there is a legitimate interest for processing data, the GDPR now grants them the right to be forgotten. Assuming there are no legal holds on maintaining the personal information, companies will need a process and policy for deleting data subjects’ personal data upon request. Facilitating these new data subject rights can be tricky if data proliferation is not under control.

If a company is relying on legitimate interests as a means for processing, the GDPR grants the data subject the right to object to further processing at any point. This includes but is not limited to data profiling for direct marketing purposes. Any companies that use personal data or behavioral data to profile for marketing or similar purposes should have documented the grounds on which they are claiming legitimate-interest processing. Additionally, they must provide an opt-out option for the data subjects should they refuse to allow their data to be used in these scenarios.

There might be some flexibility on data processing if data is appropriately masked or pseudonymized and is not reasonably likely to be used to identify a natural person. According to Recital 26, “To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” Companies that perform general analytics on data that cannot be tied to a unique person, directly or indirectly, will experience a certain amount of flexibility. It should be noted that if the information can be tied back to a unique individual, the company still carries full responsibility for facilitating data subject rights in accordance with the GDPR. If your data has been anonymized and you cannot link an individual to the remaining data fields, you will be permitted to perform analytics.

With the GDPR enforcement period starting May 25, 2018, it is very important to get ahead of these requirements, both in effort and in visible action, to avoid fines and maintain a healthy business going forward.

Tips for Companies Performing Analytics

  • Maintain a documented lawful basis for any analytics performed on personal data.
  • Communicate the purpose of processing to data subjects. Request and document separate consent for each use where required.
  • Provide an opt-out option that is clearly communicated to data subjects, and have a procedure in place to honor it.
  • Restrict data access on a need-to-view basis and document who has access to what personal data for what purpose.
  • Contain data proliferation.
  • Implement security and privacy best practices, including data masking, pseudonymisation, and anonymization where appropriate.
  • Update policies, procedures, and technical systems to facilitate data subject rights.
  • Do not sell personal data.

Data is being created and collected now more than ever. With so much data in circulation, it is absolutely critical to handle it with care and intention. Be mindful about the privacy of your data subjects and the security posture of your systems. If you perform analytics on personal data, make sure you have a legitimate, lawfully sound, documented purpose, and work to integrate data-handling best practices into your company. This is not a check-the-privacy-box activity, and compliance will be a moving target. The sooner you incorporate current best practices into your company design and actively pursue security and privacy due diligence, the better.

Kira Soderstrom is a Technical Consultant who has been working at Primitive Logic since early 2016 and has been preparing clients for GDPR since late 2016. She has demonstrated expertise in analytics, data science, data security, and data privacy. She holds a Data to Insights Certification from MIT.

Kira Soderstrom, May 2018