With less than a year to go until it comes into effect, organisations are starting to get to grips with what GDPR will mean in practice. We’ve talked to lots of customers who are concerned about the implications that GDPR might have for the way in which they collect and analyse customer data. Much of what constitutes ‘big data’ is personal data, and using that kind of data has clear implications for data protection, privacy and individuals’ associated rights. Those rights are going to be strengthened by GDPR. So does this spell trouble for big data analytics? We don’t think so. Here’s why.
Firstly, the Information Commissioner makes it very clear that the aim of GDPR and associated legislation is not to restrict big data analytics but rather to provide a framework for effective regulation. Big data analytics and data protection are not mutually exclusive; each can support the other.
It’s also worth reiterating that not all big data is personal data, and it’s only personal data that’s covered by GDPR and other data protection legislation. Lots of big data analytics is based on non-personal data, for example analysis of weather data, transport patterns or asset maintenance. Similarly, it’s often possible to take personal data and anonymise it for the purposes of analytics, taking it out of scope of data protection regulations. One caveat: anonymisation only achieves this if individuals genuinely can no longer be identified, including by combining the data with other datasets. Pseudonymised data, where identifiers are replaced by keys or tokens that could be reversed, is still personal data under GDPR.
That said, much big data analytics clearly does involve personal data, meaning data relating to an individual who can be identified either directly or in combination with other available datasets, and so data protection is clearly relevant in this space. The Information Commissioner points to three main areas of consideration.
- Does the way in which individuals’ data is being used have an intrusive effect on them? There’s a particular concern here with regard to how data can be used to profile individuals.
- Is the use of people’s data for big data analytics within the scope of what they might reasonably expect?
- How transparent can the organisation be about the ways in which it is processing personal data? Given the complexity of much big data analytics, this can be a challenge.
It’s beyond the scope of a blog post like this to give detailed advice on all areas of GDPR compliance but there are a few general principles that will help you ensure that you’re prepared.
- Know what data you hold – this can be harder than it looks. You need to know where the different components of your customer data originally came from and where they are now stored. In large organisations this can mean tracing the path that data takes through numerous different systems.
- Know how the data is used – what happens to the data once it’s in your possession? How are you using it and for what purpose? How is the data being transformed? What processes is it subject to?
- Understand what consent has been granted – you need to know whether consent was explicitly asked for at the point at which the data was collected, whether it was granted, and for which purposes, since consent given for one purpose does not cover processing for another. Under GDPR consent can be withdrawn at any time, so you need a way of tracking not just whether an individual originally consented but whether they’ve since withdrawn that consent. Your analytics pipelines need to be able to filter out data where consent has not been granted (or where you have no record either way) and to pick up changes in consent and requests for erasure as they happen, rather than relying on a snapshot taken at collection time.
- Ensure that your data is held securely – you need to make sure that whatever analytics platform you’re using is properly integrated with your organisation’s security and identity systems, so that you can control and log who has access to your customer data. Customer data needs to be encrypted in transit and at rest, and held securely at every stage of the analytics cycle, not just at the point at which you collect it. That includes the intermediate copies, extracts and model training sets that analytics tends to generate.
- Ensure you can monitor compliance on an ongoing basis. This too can be trickier than it looks. Do you have a complete end-to-end understanding of where your data goes as it flows through the analytics cycle and what happens to it at each stage? Are you able to monitor each of the processes involved effectively, so that a change in one system doesn’t silently undo your compliance?
- Ensure that you can prove that you’re GDPR compliant. To do this you need to be able to report on and audit how you’re using personal data, another logistical challenge in large organisations. Think about how your systems can produce a complete audit trail recording which data was used, for which purpose, on what lawful basis and when, since that is the information you will need to demonstrate compliance.
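To make the consent-tracking and audit-trail points above concrete, here is a small added example (written for this post, not code from any analytics product or from the ICO guidance). It assumes a constructed append-only consent ledger, with one event per change (grant, withdraw or erase) per purpose, and a constructed set of customer records. The filter resolves each subject’s consent state for a given purpose as of the time of the analytics run, keeps only records with a current grant, and emits one audit entry per record explaining the decision.

```python
from datetime import datetime, timezone

# Constructed sample consent ledger (not real data). Each entry is one change
# of consent for one purpose; the ledger is append-only and need not be ordered.
CONSENT_EVENTS = [
    {"subject_id": "u1", "purpose": "analytics", "event": "grant",    "at": "2018-01-10T09:00:00Z"},
    {"subject_id": "u2", "purpose": "analytics", "event": "grant",    "at": "2018-01-11T09:00:00Z"},
    {"subject_id": "u2", "purpose": "analytics", "event": "withdraw", "at": "2018-03-01T12:00:00Z"},
    {"subject_id": "u3", "purpose": "marketing", "event": "grant",    "at": "2018-02-01T09:00:00Z"},
    {"subject_id": "u4", "purpose": "analytics", "event": "grant",    "at": "2018-02-01T09:00:00Z"},
    {"subject_id": "u4", "purpose": "analytics", "event": "erase",    "at": "2018-04-01T09:00:00Z"},
]

# Constructed customer records feeding an analytics job. u5 has no consent record at all.
RECORDS = [
    {"subject_id": "u1", "spend": 120.0},
    {"subject_id": "u2", "spend": 80.0},
    {"subject_id": "u3", "spend": 50.0},
    {"subject_id": "u4", "spend": 200.0},
    {"subject_id": "u5", "spend": 10.0},
]

# Audit reason recorded for each kind of most-recent event.
EVENT_REASON = {
    "grant": "consent_granted",
    "withdraw": "consent_withdrawn",
    "erase": "erasure_requested",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consent_state(events, purpose: str, as_of: datetime) -> dict:
    """Return {subject_id: most recent consent event} for one purpose as of a point in time.

    Consent is purpose-specific, so events for other purposes are ignored. Events after
    as_of are ignored too, so the same run can be reproduced later for an audit.
    """
    state = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["at"])):
        if ev["purpose"] != purpose or parse_ts(ev["at"]) > as_of:
            continue
        if ev["event"] not in EVENT_REASON:
            raise ValueError(f"unknown consent event {ev['event']!r}")
        state[ev["subject_id"]] = ev["event"]
    return state


def filter_by_consent(records, events, purpose: str, as_of: datetime):
    """Split records into those usable for `purpose` and an audit trail of every decision.

    A record is kept only if the subject's most recent event for that purpose is a grant.
    Withdrawn, erased and never-recorded subjects are all excluded; the audit entry says which.
    (Erasure also requires deleting the stored data, which is outside this filter's job.)
    """
    state = consent_state(events, purpose, as_of)
    kept, audit = [], []
    for rec in records:
        last = state.get(rec["subject_id"])
        allowed = last == "grant"
        audit.append({
            "subject_id": rec["subject_id"],
            "purpose": purpose,
            "as_of": as_of.isoformat(),
            "allowed": allowed,
            "reason": EVENT_REASON[last] if last else "no_consent_recorded",
        })
        if allowed:
            kept.append(rec)
    return kept, audit


if __name__ == "__main__":
    run_time = parse_ts("2018-05-01T00:00:00Z")
    kept, audit = filter_by_consent(RECORDS, CONSENT_EVENTS, "analytics", run_time)
    print(f"{len(kept)} of {len(RECORDS)} records usable for analytics")
    for entry in audit:
        print(entry)
```

Two design points matter here. The ledger is append-only and the filter takes an explicit as-of time, so you can later show exactly which records a given run was entitled to use; and a subject with no recorded consent is treated the same as one who withdrew it, rather than being let through by default.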