Note: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
Ah, the good old days. Back in my day, the movies and music were better. Say! Even the big data was better.
There’s nothing quite like big data circa early 2018. Of course, that was before the General Data Protection Regulation (GDPR)—perhaps the most famous data privacy regulation ever—came into effect on May 25, 2018.
For a quick refresher: GDPR rewrote the rulebook for how businesses can use EU consumer data for things like analytics. GDPR has shunted responsibility for data privacy away from individual consumers and firmly to the business, bringing global attention to how businesses handle (or mishandle) the processing of personally identifiable information (PII).
But all this comes at a cost: GDPR’s red tape and costly fines have limited organizations’ ability to use consumer data sources and big data as freely as before. GDPR is a win for data privacy, but it also limits the potential of big data analytics—and with it, data-driven business solutions that drive innovative customer services, products, and experiences.
Is the golden age of big data over?
In this article, we’ll examine the state of big data analytics in the age of GDPR. We’ll explore whether GDPR has ruined or emboldened big data and provide recommendations to navigate big-data opportunities in the future.
How big data and analytics change under GDPR
The GDPR comprises 99 articles and an additional 171 recitals (legal declarations expounding details and context) to outline its major data privacy mandates and changes. Of these, a group of remarks has to do with one of the most foundational activities of big data analytics: data profiling.
The GDPR defines profiling as the collection of personal data and subsequent use of that data to discern information about the data subject.
Profiling includes processing personal data to determine and predict details about individuals, such as socioeconomic status, demographics, region, movement (digital and physical), and more. This data is then used to inform email campaigns, as an example, or other business decisions.
- Implies automated processing
- Applies to personally identifiable information (PII)
- Assesses personal aspects of an individual (data subject)
Profiling is the fulcrum to data science. Removing profiling from data science is like taking the ball out of a football match. Any change to this fundamental element causes the whole pursuit to shift unrecognizably. GDPR has had that effect on big data and analytics.
GDPR tightens data privacy protections
When profiling is applied to an EU citizen, the GDPR asserts major protections. Here are two that are most relevant to the practice of analytics:
- The right to be informed of the intended use of collected information, the consequence of this use, and information about the profiling methods.
- The explicit right for the individual to object or opt out and the undeniable right to not be subject to unmanned, automated profiling.
Importantly, the requirement of providing notifications and attaining consent for data processing does not apply to “legitimate business interests,” such as a car dealership running a credit check.
However, it is the responsibility of the organization to determine if in fact their use of personal data is a legitimate business interest, or whether they will need to inform and gain consent from their data subjects.
It is also the business’s concern to ensure the profiling methods used are lawful in the intended region, devoid of bias or unlawful discriminatory practices, and that they do not infringe on other data subject rights guaranteed under GDPR. All in all, this can be a daunting order for a large corporation, let alone a small business with limited resources.
But here’s the million-dollar question: Can anyone point to what a lawful use of big data under GDPR looks like?
What does a lawful use of big data look like under GDPR?
Unfortunately, nobody knows what GDPR-friendly big data looks like.
Data protection officers, lawyers, and experts give advice to offer your business its very best shot at achieving compliance. In fact, you can dot your i’s and cross your t’s a thousand times, but until GDPR’s many tenets are tested in court, we can’t know without a shadow of a doubt exactly what compliance looks like.
In this gray and unresolved period, GDPR remains exceedingly vague; we comply in the dark. Nevertheless, something interesting has happened: This fog has been an unlikely catalyst.
The unknowns of GDPR have stirred up a great deal of anxiety in companies not sure how to properly shield themselves from regulatory ruin. Fearing bad outcomes, in some cases, big data analytics has suffered.
At the same time, panic for GDPR has given way to more vigilance and preparation and is leading big data to its best days yet.
So let’s now take a look at both sides of the discussion: Has GDPR ruined or emboldened big data?
Argument 1: GDPR has ruined big data
Regardless of size, industry, or even if your company resides outside the EU, as long as you process EU personal data you need to make necessary calibrations to comply with GDPR. Impressively, 93 percent of small businesses say they have prepared in some way to comply. But this mass rush to avoid fines has had repercussions on how companies leverage big data.
Companies skip the big-data compliance headache
According to research conducted by New Vantage Partners (NVP), though 85 percent of companies are trying to be data-driven, only 37 percent of that number say they’ve been successful.
Forty-one percent of small businesses say their big data initiative didn’t happen because of business resistance or key stakeholders not understanding big data. GDPR is part of the problem, creating fear and trepidation of anything to do with big data.
No company wants to get dragged to court and slapped with millions of dollars in fines. Without a clear view of what is permissible under GDPR, this threat is enough to turn some companies off of big data and its potential risks—real or otherwise. Or at best, companies become overly conservative when seeking out big data opportunities.
So in many cases, the alternative is chosen: Existing big data tools sit idle gathering dust, expansions are postponed, and only the most hum-drum analytics strategies are greenlit. What becomes more important than using big data to its full potential is continuing down the path of what doesn’t get the company sued.
Goodbye EU customers
To avoid a GDPR compliance dilemma, a growing number of multinational companies have taken a radical approach: They have blocked EU IP addresses from their domains and services; no EU citizens, no need to comply, right?
The New York Daily News website continues to lock its doors to EU readers (Source)
But companies that use this tactic need to know that it is a huge blow to the relevance of big data analytics as a meaningful force of competitive advantage in their business. Big data that is purposefully void of an entire region is not commensurate with quality data.
Without a full view of all your relevant data inputs, insight-based decision-making degrades. Entire regions and demographics of people go neglected from data-driven improvements, stuck in their “quarantined” regions. And competitively motivated companies that take the steps to comply and incorporate EU data will have an advantage.
Citizen IT becomes a liability
Now more than ever, data scientists and individuals working with big data will wear the hat of data protection officer. They must always be compliance-minded. This calls for more extensive skill sets in a career track that is already showing major shortages to meet recruitment needs.
A costly supplement to a full-fledged data scientist would be the citizen IT professional: users who lack an analytics background but who work with big data using self-service tools. However, in consideration of the regulatory minefield set after GDPR, citizen IT is more likely to be discouraged for fear of regulatory infractions and maligned as shadow IT.
At first glance, it will be difficult for senior leaders to trust a sensitive activity like big data analytics—fraught with legal peril—to non-expert practitioners.
As citizen IT looks to be an increasingly important force transforming the technology landscape, to see this potential neglected is a disappointment.
Argument 2: GDPR has emboldened big data
It’s not all doom and gloom. GDPR has had a positive impact on big data. For example, GDPR has illuminated the importance of data governance for all organizations.
A number of organizations have embedded this priority right into the bedrock of the business: 59 percent of small businesses, for instance, now revisit data collection policies at least once a year. Senior leaders are waking up to the importance of managing the collection and use of their data and to proper data governance—which benefits analytics.
GDPR has led to a more methodical use of big data
Ruben Ugarte, founder of Practico Analytics, explains the shift in tone many organizations have experienced on their journeys to comply with GDPR.
“The initial reaction to GDPR was negative since it creates more work for organizations,” Ugarte says.
Indeed, for many organizations, GDPR has been the Everest of data privacy regulations. The task set before them looks extremely challenging and has not led to the most rational decisions, especially when it comes to big data, as evidenced above. Ugarte further explains that this feeling has changed and has given way to a more thoughtful approach to big data.
“As time goes on, organizations are starting to realize that GDPR does have certain benefits. Specifically, it forces companies to be intentional about what data they collect and how they will use it. Instead of randomly collecting everything they can, they are now thinking as to how they will use this data to make better decisions,” Ugarte says.
Data ethics becomes a competitive advantage
The world is dangerous, especially for your personal data. From Cambridge Analytica to the Equifax security breach, there exist a billion hazards that can strip you of your sensitive data. Now, hardware vulnerabilities are on the rise too, as a result of the proliferation of the internet of things. How long before consumers are fed up with companies stampeding over their data privacy rights? The writing is already on the wall.
According to the 2018 Edelman Trust Barometer, only 48 percent of the U.S. population say they trust businesses, down from 58 percent just one year ago. Consumers are becoming increasingly agitated by companies failing to serve the interests of their data—its privacy, protection, and respect. It’s starting to show.
Trustworthy companies get business. Trust is a vital resource to overcome the competition—easily lost, not easily regained. Within the formula for trust in today’s digital economy, data ethics is an important factor. Make data ethics your competitive advantage to win customers.
GDPR-compliant companies are well poised for a regulation-rich future
Great! You overcame the GDPR, a major compliance hurdle. Wait, what’s that on the horizon? Another regulation brewing like a tropical storm.
The reality is that the issue of data privacy is not quieting down anytime soon. We are at the juncture when generational data privacy laws will be etched into stone. Companies that have taken on the challenge of GDPR and have learned these important lessons will be well positioned to succeed in a future thick with expected regulatory changes.
So which is it? And recommendations for 2019
Has GDPR ruined or emboldened big data? It depends who you ask, but the best answer is that it has done both. What’s not in dispute is that big data matters more than ever, and it’s critical that your business finds a way to be successful with analytics in the age of GDPR.
Here are some big data recommendations to reflect on in 2019:
- GDPR compliance is not something to be evaded; it’s to be mastered. The future is data—privacy concerns are inextricably linked. Make regulatory compliance your competitive advantage.
- Like Rome, a GDPR compliance strategy was not built in a day. You need consistent effort and revision to maintain control and ensure the quality of your data assets.
- Most small businesses view their data privacy compliance efforts as ordinary or average. Your organization is in pole position to overtake competitors and become a leader in compliant data governance, analytics, and best practices to leverage big data ethically. Good luck!