The General Data Protection Regulation (GDPR) has transformed the way companies, regulators and consumers interact with each other, and will resonate for decades to come.
Much media coverage has focused on the administrative compliance burdens posed by the GDPR, or on the sometimes-glaring failures of companies to act responsibly with their consumers’ personal data, which are only now coming to light.
However, there has been less discussion on the question of how companies can continue to conduct analytics on their consumers’ personal data while complying with the GDPR. As enhanced market intelligence based on data analysis has generated great innovations in areas such as fraud detection and better understanding of consumer needs, losing those capabilities would be a disappointing step backwards, both for companies and consumers.
But, given the starkly increased concerns regarding the use of personal data, finding ways to retain the benefits of data analysis while respecting the privacy of individuals is not an insignificant challenge.
GDPR – a real opportunity to better understand your data
Companies need not suffer
If companies want to continue to innovate and thrive by obtaining and using valuable insights from their consumer data, a mere “check the box” compliance approach to the associated data protection concerns is not sufficient. A change in attitude is needed. The private sector must focus not just on complying with the law while using existing consumer data, but rather on adopting innovative ways to use that data while embracing the very spirit behind GDPR.
But how can this be accomplished in a way that satisfies the understandable concerns of consumers, the reasonable goals of regulators and the legitimate data usage needs of companies?
Building trust on all fronts
The answer is privacy by design – the use of technical innovation to create holistic approaches to the use of personal data that place privacy at the forefront of the approach. This contrasts with the common approach to data protection law compliance, which is to make the bare minimum adjustments to data usage necessary so as to technically satisfy legal requirements.
It’s treating data protection – and the responsible use of consumers’ personal data – as a priority, rather than a nuisance to be dealt with. To be clear, this doesn’t mean abandoning intelligent business use of personal data – it means being responsible and transparent with that use; continuing to pursue company objectives, but not at the expense of, or even with priority over, the individual data rights of the customer.
82% of organisations do not know where all their critical data is kept, says research
For many companies – in particular, large organisations in sectors such as financial services, aviation, retail and hospitality that thrive on intelligent analysis of personal data – one of the best ways to do this is through anonymisation. Putting your customer data through a process that renders every individual anonymous, before analytics can begin, will mean that your company will be able to analyse the entirety of its customer datasets, without analysing any actual personal data.
This anonymised data will of course never be as analytically valuable as it was in its identifiable state. But the result of this process, if applied correctly, is a dataset that has been anonymised to the optimal degree to allow for useful data utility while reducing to an insignificant level the risk of re-identification of individuals’ data.
Of course, this must be done in full compliance with GDPR, and that means an independent entity should ideally apply the process. Because if the anonymisation is instead performed in-house, with the company retaining its original identifiable dataset while anonymising its data, there is a high risk of re-identification, requiring the company to work hard to convince regulators and consumers that it will create and maintain sufficient internal walls to prevent that anonymisation from being reversed.
Alternatively, a company could work with an independent third party provider that specialises in such services. Such a firm, acting as the controller of the data, and operating its anonymisation process without any influence or input from its customers, is truly independent and therefore able to provide its customers with a service that anonymises data in full compliance with both the letter and the spirit of GDPR. This approach allows data-driven companies to continue to obtain rich analysis from the datasets they hold while also affirming their commitment to being both responsible and transparent in their data usage.
Nine years on, ‘Big Data’ is finally hitting the mainstream
Let consumers buy into your culture
Companies that are successful in the long term understand that you live and die by your reputation. Finding yourself in a situation where you have been fined by a regulator is bad enough – but allowing your brand to be tarnished among consumers for being non-trustworthy with their data may bring you to a point from which you will struggle to recover.
However, being open with your consumers about how their data will be used and for how long (while adhering to GDPR principles) is a great opportunity to let them buy into your company’s culture and principles – not just your products.
That is why the smarter companies in this data-driven economy will gravitate towards privacy by design approaches including conducting analytics on independently anonymised data. And, in doing so, such companies will be in prime position to benefit from consumer-driven insights.
Written by Aoife Sexton and Michael Ingrassia — Aoife is Chief Privacy Officer and Michael is President & General Counsel of Trūata.
