Why is Analytics Harder
in a GDPR World?
As we mentioned in the introduction, GDPR came into force across the EU in April 2018. GDPR is one of the most far-reaching data protection laws anywhere in the world, and as such it has had a huge impact globally.
This is because, unlike many national data protection laws, GDPR applies to any company that deals with EU residents, wherever they are in the world. In this section we will look at the specific impact GDPR has had on analytics.
We begin with a brief refresher on what data GDPR covers and why you need to comply.
How Does GDPR Define Personal Data?
As already stated, GDPR covers any data that can be used to identify a person. It says that:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The complexity here lies in the fact that it covers data that might indirectly identify a person. Often a single piece of data on its own will not be sufficient to identify a person (for instance the John Smith example we already met). However, if you also know that John Smith lives in Edinburgh and works for Starbucks then you may have narrowed it down enough to identify him.
How Does GDPR Define Consent?
GDPR requires that individuals must have freely given informed consent before their personal data can be used. This means that not only must they give the consent, they must understand precisely what they are consenting to and must take some explicit action to indicate this. Importantly, this consent can also be withdrawn at any time.
What Penalties Can GDPR Impose?
GDPR carries some of the toughest penalties in the world for any company that breaches the rules. The potential fines are 20 million Euros or 4% of annual global turnover, whichever is higher. The EU will also have the power to ban non-compliant organisations from trading with any nation that has adopted the GDPR into national law.
What Other Rights Does GDPR Give to Individuals?
A key plank of GDPR is that it grants individuals certain additional rights relating to their personal data. Among others, these include:
- The right to be forgotten (meaning they can ask for all their data to be deleted)
- The right to request a copy of all their data
- The right to withdraw consent for their data to be used at any time
What Else is Covered by GDPR?
GDPR also imposes several other requirements on companies. One of these is that they must take suitable care to ensure that all data is secured. Specifically, a company must
“… implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
This requirement is purposely described in a flexible manner to take account of the specific circumstances of a company. For instance, a boutique coffee shop who keeps a customer mailing list would not be expected to put in place such stringent security measures as a bank.
Another important requirement is the need to promptly notify the authorities and any affected individuals in the event of any security breach.
GDPR defines ‘promptly’ as being within 72 hours of a breach being identified. Companies must also have a plan in place to deal with potential breaches (a so-called Incident Response process). A key part of this is ensuring that all staff have appropriate training and that management in particular know exactly what should be done if they are informed of a potential data breach.
GDPR is not the only data protection legislation you need to be aware of. Many companies might find themselves covered by the US Health Insurance Portability and Accountability Act (HIPAA). Like GDPR, HIPAA has rules covering privacy, security, breach notification and compliance. Unlike GDPR, HIPAA carries both civil penalties (fines) and criminal penalties (with a potential maximum sentence of up to 10 years in prison). However, unlike GDPR, HIPAA only relates to data about health care and health insurance.
While GDPR applies across the EU, its requirements are a minimum standard that must be met. In certain cases more stringent rules may be applied by member countries or states. For instance, within Germany, certain states like Brandenburg have far more strict rules relating to health records.
One of the greatest impacts of GDPR is it means companies need to adopt the principle of privacy by design. This directly impacts how a modern analytics stack needs to be built. For instance, the requirement that consent can be withdrawn at any time means that you can’t assume that because a given analysis didn’t breach GDPR in the past that will always be true. Consent may have been withdrawn in the meantime, and so this needs to be explicitly checked each time you run the analysis.
It also pays companies to design a system that allows an individual to easily access their own data and to give or withdraw their consent. Clearly this has big implications for the Data Security function since it is vital to ensure that it really is the correct individual who is requesting the data.
What If My Existing System Isn’t Compliant?
Of course, many companies have already got existing analytics stacks. For these companies they have the choice of either retrospectively adding in privacy-preserving techniques or replace their entire stack. Which of these options is best will depend on a number of factors. These include the scale of your system, the volume of data you hold, whether your data includes large amounts of personal data and whether you expect to need to use that data.
Later in this paper we will explain how anonymisation can help you achieve GDPR compliance without the need to completely replace your analytics stack. We will also show why pseudonymisation and other simple approaches to anonymisation may not suffice.
Building a Privacy-preserving analytics stack – better understand how to comply with the requirements imposed by GDPR while still leveraging data analysis.
In this section we will explore the Data Security and Privacy function in detail. We will explain in detail what we mean by each term and explore some of the techniques used.
Since GDPR only relates to personal data, any data that is not personal is not covered by the regulation. This means that if you are able to completely remove any personal identifiers from the data, that data is no longer subject to the rules. This is where anonymisation comes in.