25 / 01 / 2019
GDPR Becomes Very Real
3 TAKEAWAYS FOR CONDUCTING DATA ANALYTICS FROM RECENT REGULATORY ACTION ON GDPR
BY AOIFE SEXTON, CHIEF PRIVACY OFFICER
The GDPR has been in place for eight months and regulators across Europe are beginning to flex their muscles. Recent actions by European regulators reinforce the high bar set by the GDPR around transparency and consent – reminding those across industries of the true intent and meaning of the regulations in the first place.
So, what have we learned?
There are three major takeaways from the recent decisions. These takeaways apply to all companies processing personal data, but they are even more significant for companies that do data analytics and rely on consent as their lawful basis.
1. Make sure the information you provide to your users is easily accessible
Make sure it is clear and comprehensive. Don’t be too vague or too generic in how you describe the purposes of processing, in this case, the analytics you will perform. Don’t spread the essential information about analytics across multiple documents or make users take several actions to get the complete picture.
2. Obtaining consent in compliance with GDPR is complex
It’s not as simple as saying that you “obtained valid consent.” Was the consent specific to the use? Was it unambiguous? Was it freely given? Was it informed? The thresholds for what it takes to have “obtained valid consent” (including for data analytics) are high – and higher than perhaps many companies realise.
3. Regulators are serious about enforcing these high thresholds
They are not going to “give companies a pass” because they received some form of user consent. They view the high thresholds for transparency and consent under GDPR to be what they say on the tin – real thresholds that need to be met in order for the law to be complied with – and they are willing to levy significant fines against those who fall short in meeting them.
For most companies doing data analytics, the recent developments are a wake-up call to take stock and meaningfully challenge themselves about how they currently provide information and obtain consent from users – and whether their practices will fall short of the thresholds set.
Such companies should take this opportunity to ask themselves some hard questions, such as “is there a better way for us to perform analytics?” They might want to look at a fresh approach – “what if we did not conduct analytics on any personal data but instead conducted analytics on non-personal data? And what if we could avoid sacrificing utility in doing so?”
This is possible today – through independent anonymization of data. This approach can ensure regulatory compliance, while maximising data utility and maintaining the privacy of the individual.