More than a year after GDPR came to be, the adage “data is the new oil” couldn’t be truer – only it has taken a whole new shape, as GDPR infractions and data scandals burn up corporate coffers. Regulators had long warned businesses of steep fines amounting to 4 percent of a company’s annual turnover or €20 million – whichever is higher. The massive leap in penalization has understandably contributed to the general scare around GDPR, given that previous fines amounted to €500,000 at worst. But not all businesses are proactively working towards being GDPR-ready, either due to a rudimentary grasp of the regulation or a lack of resources to implement it. Statistics reveal that nearly one-third of European businesses admit that they are yet to achieve GDPR compliance. If the recent round of GDPR fines has taught us anything, it’s that a lackadaisical approach can land companies in the proverbial financial soup. Let’s take a look at the lessons from GDPR penalizations and how businesses are GDPR-proofing their operations.
What is GDPR?
We’ll first address the bare basics of GDPR in this section, for the benefit of readers who are not aware of the nomenclature or history of GDPR. If you’re well-versed with GDPR, we suggest you skip to the next section.
User Rights Mandated Under GDPR – Starting May 2018
What’s the Damage?
Since its rollout in May 2018, GDPR has raked up millions in fines. One of the first significant offenders that the ICO (Information Commissioner’s Office) made an example of was British Airways, whose users were redirected to a malicious website when they clicked on the official BA site, resulting in the personal information of 500,000 customers being stolen. The regulatory body slapped a whopping £183,000,000 fine on the airline, which translated to 1.5 percent of its revenue in 2017. In early 2019, Google came under the scanner of the data protection authority in France for lack of transparency and use of passive opt-ins for user consent to personalize ads, attracting a fine of €50,000,000. The round-up of major GDPR fines (excluding those in the order of €1000) stands at €359,205,300 as of October 2019.
The thought of withdrawing business operations from the EU, given the tall asks and hefty penalties under GDPR, has surely crossed many a business owner’s mind; for other businesses, this is hardly an option. But the point of GDPR is not to dissuade businesses from operating in the EU; rather, it is to hand users more control over their personal data and to make businesses more accountable for how they handle that data. To that end, businesses that stand by the code of conduct set out by GDPR stand a lesser chance of being penalized and sport a stronger due diligence defence.
GDPR in the Context of Analytics
Since GDPR, accountability for user data privacy has shifted noticeably from end users to businesses. Fines and penalizations apply to parties that collect, store, process and/or control data – addressing each point in the data lifecycle to protect user interest and privacy.
Data Processors & Analytics Stacks
Today, it has become the business’s proactive responsibility to ensure that end users understand “how and why their personal data is used”, which means businesses can no longer slink under the shroud of complex privacy policies to tap into valuable personal data. This certainly spells an uphill battle for businesses that collect and/or process data, i.e. the data controller and the data processor respectively, each with its own share of responsibilities. The primary responsibility for ensuring GDPR compliance and putting the necessary technical and organizational processes in place belongs to the data controller, which must also draw up contractual agreements that set out the privacy responsibilities and mandates of third-party processors and sub-processors.
It’s natural to wonder what happens to historical data and existing analytics stacks that were in play prior to GDPR implementation – and may have been subject to specific, broad or no user consent. Companies are expected to have a written record of why data is being collected and to inform users of the same before collecting data, which deems historical data non-compliant unless the user has formally consented to that collection.
User Consent & Customer Profiling
GDPR has brought in greater transparency and given users near-complete control over their personal data: they can choose to approve or refuse the collection of their personal data by businesses, and can also exercise consent over how the data is used. For businesses, this means that the clauses on data collection and usage have to be laid out explicitly and clearly so users can easily opt in or out, a starkly different approach from the complex legalese that websites previously housed. GDPR defines consent as “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” The very nature of analytics makes explaining data collection and processing needs a difficult task, especially in the context of iterative analytics and artificial intelligence operations, posing a big challenge for businesses specializing in or utilizing analytics. Some wonder if this means dwindling data sets. But there is some consolation. Data science and engineering techniques that use anonymisation can ease restrictions and avoid liabilities that could surface when profiling or processing tasks render individual user data identifiable. Pseudonymisation is a healthy data management technique recommended by GDPR authorities to protect user privacy. Through pseudonymisation, businesses that process personal data have access only to the specific data elements required for the job, and not to the entire data set tied to the user. By restricting information access to individual data touchpoints rather than the subject level, user privacy remains uncompromised, as individual data elements cannot be used to trace back to the actual user.
Customer profiling – processing personal data to identify individual interests, behaviour and preferences in order to automate decisions, direct marketing, etc. – is only allowed under lawful bases. Article 22 states, “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Aside from the obvious case of user consent, lawful bases to process user data include legal or contractual obligations, the vital interest of protecting a person’s life, legitimate business interest (provided it does not override the user’s rights, freedoms or interests) and official duties or public interest motives. Furthermore, data scientists will need to ensure predictive models are devoid of indirect bias, hidden bias or discriminatory training data, as GDPR warns against the use of race, ethnicity, etc., and against discriminatory outcomes in automated decision-making.
End users can withdraw consent at any point in time under GDPR, which means businesses need analytics stacks that dynamically verify user consent before each run to avoid a breach. Data collected for one purpose cannot be re-used for a different purpose without user consent. For example, a retailer that collects a user’s address for shipping purposes cannot use it to profile users for re-targeting or marketing purposes. It helps for businesses to set up a system that can easily track user consent and also readily give users access to their personal data on request – after validating that it is the user in question, of course, lest it lead to a data breach situation.
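As an added illustration, not from the original article, the following Python sketch ties together the three controls described above: data elements bound to a declared purpose, consent re-checked on every run (including after withdrawal), and a keyed pseudonym in place of the user identifier. All records, purposes and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample data: a retailer's customer records.
USERS = {
    "u1001": {"email": "ann@example.com", "address": "1 High St", "basket_total": 120.0},
    "u1002": {"email": "bob@example.com", "address": "2 Low Rd", "basket_total": 35.5},
}
# Constructed consent register: CONSENT[user][purpose] -> True/False.
CONSENT = {
    "u1001": {"shipping": True, "marketing": True},
    "u1002": {"shipping": True, "marketing": False},
}
# Purpose limitation: which data elements each declared purpose may see.
# The shipping address is deliberately absent from "marketing".
PURPOSE_FIELDS = {
    "shipping": {"address"},
    "marketing": {"basket_total"},
}
# Pseudonymisation key. It must be stored apart from the analytics output
# (pseudonymised data is still personal data while this key exists).
PSEUDONYM_KEY = b"constructed-example-key"  # placeholder, not a real secret


def pseudonymise(user_id, key=PSEUDONYM_KEY):
    """Keyed hash: stable per user for joins, not reversible without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def has_consent(user_id, purpose):
    return CONSENT.get(user_id, {}).get(purpose, False)


def withdraw_consent(user_id, purpose):
    """Record a withdrawal; the next extraction run picks it up automatically."""
    CONSENT.setdefault(user_id, {})[purpose] = False


def extract_for_purpose(purpose):
    """Build the data set an analytics job for `purpose` may process.
    Consent is checked at run time, only purpose-bound fields are released,
    and the user identifier is replaced by a pseudonym."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no declared purpose: {purpose}")
    rows = []
    for user_id, record in USERS.items():
        if not has_consent(user_id, purpose):
            continue  # withdrawn or never granted: skip the subject entirely
        row = {"subject": pseudonymise(user_id)}
        row.update({k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]})
        rows.append(row)
    return rows
```

Running `extract_for_purpose("marketing")` after `withdraw_consent("u1001", "marketing")` returns an empty list, and a purpose that was never declared is refused rather than silently served.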
Encryption, it seems, has become one of the lowest-hanging fruits that businesses are harnessing to strengthen security, given the ease and cost-efficiency of implementation, and it has been strongly recommended by data regulation bodies time and again. Pseudonymisation’s fine-grained data access is contributing towards preserving user privacy. Conducting periodic DPAs (data protection audits) and assigning a DPO (data protection officer) who oversees compliance should be part of the data security strategy as per Article 37 of GDPR, especially for large companies. Security can no longer be regarded as an afterthought that can be plugged in retrospectively after collecting data, especially where sensitive data such as health records, biometric data, political stance, religion, race, etc. is in question and calls for higher security. GDPR enforcers rightly advise businesses to take a data protection by design and by default approach. Businesses will still need to put in place a system to monitor for breaches and notify customers, in the event of a breach, within 72 hours of its occurrence.
What Does the Future Hold?
A study by McDermott-Ponemon in Europe and the US reveals that businesses are spending $13 million on average on GDPR compliance each year, to deflect heftier potential fines from non-compliance. Tech giants like Amazon.com Inc. have grown cognizant of recent regulatory developments and privacy concerns, much to the solace of end users, who can now not just ask Alexa for food recommendations but also ask for previously fed voice commands to be wiped out, if need be, without meandering into the depths of the user privacy options on the website to accomplish the same. Social media giant Facebook, which earned a whopping $16.6 billion from targeted ad sales in the post-GDPR era, i.e. Q4 2018, released a lengthy dissertation on its vision to practice privacy-first social networking, in the hope of calming its data scandal notoriety.
It’s a different story amongst mid- and small-sized businesses, which may not have adequate resources or the know-how to observe compliance. Many of these businesses are outsourcing the technical aspects of compliance to third-party providers who have the right tools and skillset. Business insurance is walking away with a good chunk of the pie made with corporate dough, seasoned with the imminent fear of flouting GDPR and the accompanying fines. They say regulation is the mother of invention. The question is what else GDPR will give rise to in the future.
 – “Almost a third of European firms still not compliant with GDPR” – ComputerWeekly, July 2019
 – “LinkedIn Settles Data Breach Lawsuits” – BankInfoSecurity, Aug 2014
 – “Big Data: 20 Mind-Boggling Facts Everyone Must Read” – Forbes, Sep 2015
 – “British Airways faces record £183m fine for data breach” – BBC.com, July 2019
 – “Google fined €50m by French data regulator” – TechRadar, Jan 2019
 – “Major GDPR Fine Tracker – An Ongoing, Always-Up-To-Date List of Enforcement Actions” – Alpin
 – “Lawful basis for processing” – ICO.org.uk
 – “Art. 37 GDPR – Designation of the data protection officer” – GDPR-info.eu
 – “Data protection by design and default” – ICO.org.uk
 – “Survey reveals that many companies are behind schedule to achieve global data protection regulation compliance” – mwe.com, Apr 2018
 – “Now you can order Alexa to forget what you just said” – Edition CNN, May 2019
 – “Facebook ad revenue tops $16.6 billion, driven by Instagram, Stories” – MartechToday, Jan 2019
 – “A Privacy-Focused Vision for Social Networking” – Facebook, Mar 2019