Data analytics in the GDPR era

GDPR seems to make things tough for analytics, but it could be a blessing in disguise

For the last few years GDPR has been striking terror in the hearts of organisations around the world. While data protection legislation is nothing new, GDPR has extended and clarified both the rights of individuals and the duties of organisations that store and process their personal data. What’s more, GDPR has upped the ante in terms of what happens when organisations fail to meet their obligations – and the penalties that might result. The discussion around GDPR has resembled, at worst, a business horror story, at best a corporate cautionary tale. And though the legislation came into effect back in May 2018, many companies are still working their way through how to meet their GDPR commitments.

Here, enterprises that use data analytics can find themselves right in the GDPR crosshairs. After all, GDPR goes a long way to clarifying not just how an organisation stores data, but the uses it can put that data to. This might lead you to believe that, if your business relies on data analytics, then GDPR is all bad news. Yet there’s an alternative approach to GDPR that turns those negatives into positives, enhancing how analytics works for you. GDPR isn’t simply a set of onerous requirements to be dealt with, but a catalyst for change.

What does GDPR mean for data analytics?

Much has been written about GDPR and we’re not going to delve deep into the legislation here. However, there are some elements of the legislation that have a particular impact for companies that capture, store and process data for analytics – a data processor in GDPR terms – and companies that use the services of a data processor to gain the benefits of analytics (or data controllers).

As a data controller, companies need to make sure that they collect only the data they need and have a clear consent process, where users are aware of what’s being collected and what it will be used for. Those users also need a choice or choices that enable them to opt-in or, later, opt-out of your data storage and processing activities, not to mention the means to control the data you hold – to view the information you hold on them and request its deletion.

Data processors, including vendors of analytics services, have their own obligations, which include a need to comply with the terms of GDPR and guarantee that compliance with a Data Protection Agreement between them and any company they provide such services for. They need the means to support the rights mentioned just above, so that those whose personal data is stored can view their information and have it deleted.

Both controllers and processors have responsibilities in terms of safeguarding personal data – and in terms of notifying data authorities and any affected individuals in the event of a data breach. What’s more – and this is the scary bit – GDPR sets higher penalties for failure to meet these requirements. The maximum fine can be up to $20 million or 4% of annual global turnover, whichever is the highest.

Dig deeper and you’ll find specific requirements that are particularly relevant to analytics. Firstly, there’s a principle of minimisation, where any personal data collected has to be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. Secondly, that personal data is only to be collected ‘for specified, explicit and legitimate processes, and not further processed in a manner that is extra to those purposes. Finally, GDPR is particularly sensitive around issues of automated processing and profiling in a way that might seem contra the whole point of many real-world applications of analytics. If data is used to create a profile of an individual, and that profile could be used to analyse or predict aspects of their performance at work, economic situation, health, personal preferences, interests or behaviour, then that individual has a right to object to such profiling. Individuals can choose not to be subject to any decision based solely on automated processing – particularly where there may be financial or legal effects. In fact, where decisions are made on that basis, a mandatory impact assessment is usually called for.

In short, it might seem that GDPR prevents – or at least limits – companies in capturing data for analytics and doing anything that interesting with it. Yet there’s also a more positive way to look at the situation. In the past, many companies have had a tendency to collect every scrap of data they can, then repurpose that data or combine it with new data however they saw fit. This hasn’t always been a transparent process, and it hasn’t always led to a relationship of trust between organisations and their customers. What’s more, this hasn’t been a particularly effective way to store and process data, in some cases actually reducing its value. Perhaps most seriously, it’s made it easy for companies to lose control of that data and who has access, making it harder to safeguard.

GDPR as an opportunity

Viewed from this perspective, GDPR becomes an opportunity to clean up, focus in on high-quality data and make it work better for the business. Instead of collecting everything and hoping to use it later, enterprises can look at their incoming data streams, capture what’s useful and discard what isn’t. This isn’t just good for analytics operations, but for data security as well. GDPR forces businesses to consider what they store and process and how it’s stored and processed and ensure that appropriate security measures are in place. It’s an opportunity to bring in hardware-enabled security and authentication, using the technology built into Intel Xeon Scalable processors. Personal data encryption and key management can also help minimise both the chance of a breach and the potential effects.

In some situations, it could make sense to either anonymise or pseudonymise data you’re not using for direct business to customer interactions. Anonymisation means stripping out all information that might identify the subject, which is all you need if you’re running business intelligence programs on, say, seasonal purchasing habits or social media sentiment.

Pseudonymisation means processing the data so that it can’t be attributed to a specific subject without the use of additional information, with that information kept separately and protected by appropriate technical and organisational security measures. Both approaches relieve you from some of obligations of GDPR in regard to the rights of data subjects, while also helping protect you in the event of a breach (as anonymisation and pseudonymisation mean less personally identifiable information is affected in the breach).

By storing and processing data, not in its raw state, but in a more targeted and actionable form, you’re making the job of analytics easier, separating the insight-rich wheat from the unnecessary chaff. Combine this with the analytics processing power of the latest Intel Xeon Scalable processors, with Intel Advanced Vector Extension 512 technology speeding up analytics workloads, and Intel Optane storage, which enables low-latency processing of larger datasets, and the road from raw data to insight becomes significantly shorter.

Better still, because individuals need to opt in to storage and processing, with the purposes of that storage and processing clear, enterprises can use it as a means of building trust and a stronger relationship between the business and consumer – you’re effectively saying ‘this is the data we need from you, and these are the services we can provide as a result.’ Early results in the field of targeted email already bear this out, where both Manchester United Football Club and The North Face have lost subscribers from their email database but had improved engagement through the emails sent and fewer spam complaints.

As businesses extend their use of analytics, this will be crucial. Chatbots, recommendation engines and other automated service features all require a deep knowledge of the customer and their specific needs to make interactions both more personal and more valuable for both parties. Some users will inevitably find this strange or creepy, but many others will find the balance between privacy and benefits pays off. In fact, companies need to ensure that it pays off.
In short, GDPR isn’t a horror or a hindrance, but a chance to clean house and redefine relationships. Minimising the risks and handling the new obligations can go hand in hand with extracting more value from your data, while building trust between the enterprise and its customers. Now, that’s not nearly so scary.

Discover more about data storage innovations at Intel.co.uk

Sign up for our free newsletter