The GDPR on analytics

I have never forgotten my laptop on a train. I have never let a USB stick fall out of my pocket nor sent files to an unintended recipient. I delete out all personal information. This once amounted to gold standard data protection. Not so anymore.

The spirit of the General Data Protection Regulation (GDPR) is clear in what it seeks to achieve – to prevent unfettered data sharing and place the public back in control. It will alter many business models that trade on the flow of data from EU citizens. Legislation takes about 10 years to catch up with technology. On 25 May, it most certainly will.

Our industry is reviewing systems, firming up contracts and launching re-permission campaigns. Ensuring continued compliance, however, is a challenge given that the GDPR is a work in progress with the Information Commissioner’s Office (ICO) in the process of laying out the details and sizing up implications to the data economy.

Given the varied and widespread application of data, one doubts whether the principles of the statute could be made genuinely prescriptive. The more left to interpretation, the more imbalanced the playing field will be. For now, we need to be content with some of the nitty-gritty up in the air because it may remain so for a long time. The real learnings will happen in the courts. The aim is not to be the first to appear in the dock when that time comes.

This calls for proactive risk assessments rather than the reactive “Oops, there was a data breach – lets fix it!” In addition, the GDPR mandates shared responsibility. Sitting at the confluence of data flows are processors, analysts, strategists and engineers. With responsibility for planning, warehousing, matching, and dissemination, they are called upon to be the most vigilant.

The good news is that almost all of requirements of the GDPR were covered through the combination of the existing legislation, MRS Principles and Fair Data Accreditation. Market research is therefore in a relatively strong position but a little extra is required to see us right in the eyes of the law.

Here are the three biggest ways your analytics might fall foul of the GDPR.

When repurposing data

The GDPR calls for more granular consent than the Data Protection Act did. If the data is used for purposes other than that for which it was collected, analyses are prohibited. This may have serious implications for the data stream you currently work with – the whole idea of representative data flies out of the window. The most common example of this is profiling data collected from or alongside transactional data, where a separate informed and positive opt-in is required. Blanket agreements or burying consent within your terms and conditions is insufficient, even retrospectively.

When moving data

When storing and processing data outside the EEA, we will need to ensure that everything you do complies with the GDPR including cloud services that cannot be ring-fenced geographically. Here we include data services (APIs) which are commonly used for scoring data. At the time of writing, there lacks a strong financial incentive/enthusiasm for data services outside the EEA to invest this.

When anonymising data

Regulations still apply after data has been anonymised. I do wonder whether this idea will truly land within the final iterations. Nonetheless, I expect this to be of special concern when the uniqueness of a response might be traced back to an individual.

Strict adherence to the GDPR flags up some knotty issues for analytics. This is primarily the case where big data has been collected passively and not for market research purposes. It changes what is possible with data and sets us on new trajectories. Until the dust settles, we need to continue to innovate while keeping a critical eye on data that crosses our path.

Ryan Howard is director advanced analytics at Simpson Carpenter