How can the GDPR influence your data processing activities?

By May 2018, the General Data Protection Regulation (GDPR) will have to be implemented by all companies collecting and processing personal data. This new legislation reinforces the data subject’s rights and privacy when it comes to the processing of his/her personal data. This will change how we innovate with data. 

The GDPR has introduced new principles (some of them were already applicable under previous legislations at national and European levels, but they have been more clearly defined in the GDPR) such as for example the right to be forgotten, the data minimisation principle, the necessity of asking for an explicit consent to process personal data, the right to withdraw such a consent, the right to ask for the erasure of data, the right to data portability, ..., which all can challenge how your company processes data today. 

For example, the GDPR states that the data collected should be "adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed". This principle is called “data minimisation”. For a company looking for new business opportunities based on the exploration and analysis of customers' data (for whom the company has collected their explicit consent), this would imply that the objectives targeted by the new business opportunities would have to be clearly defined and explained to the data subject in the explicit consent. Furthermore, this would also imply that from the beginning the company should identify which data is needed for the realisation of this task. 

Principle versus practice

The principle of data minimisation will be very challenging for companies. Indeed, data science is an iterative and exploratory process. You often only find out what data you need while trying to realise your innovation. Especially if you would like to do predictions, detect patterns or identify some trends in your customers' data, you will need to have data from many different users for longer periods of time, so that you can take into account aspects such as seasonality, stabilities, etc. Therefore, it is not always possible to determine in advance which type and volume of data is necessary for a given data processing purpose. 

On 26 June, at an event organised together with Agoria on the GDPR and the effect on algorithms and security, the Sirris Data Innovation team presented how the GDPR can influence a company’s data processing activities from a business and technological point of view. Did you miss this event and are you interested in getting further insights on how the GDPR could influence your data processing activities? Then get in touch with us!