What is GDPR and why does it matter to online privacy?
Originally published on https://wideangle.co/blog/gdpr-online-privacy
GDPR, or the General Data Protection Regulation, is one of the strictest privacy and security laws in the world. The law was introduced in the European Union to give EU residents extensive protections for their personal data and privacy. Unlike many other national data protection laws, GDPR applies to any business dealing with EU residents, irrespective of where the business is located. It took effect on May 25, 2018, and all relevant organizations have been required to comply since that date.
GDPR restricts the transfer of customers' personally identifiable information out of Europe. It also gives customers the tools and means to control the movement of their digital data: customers may request information on how their data is stored and may further request that businesses delete that data from their servers.
For EU residents, it meant they finally had the power to exercise their right to privacy, but what did it mean for businesses operating in the EU or dealing with EU residents?
For many organizations, the compliance requirements imposed by the European data and privacy protection law (GDPR) may seem overwhelming.
Initially the law caused much distress in the business community, as businesses faced significant organisational and technical challenges in adhering to it, while failure to adhere meant severe reputational and financial penalties.
Compliance with GDPR is process-driven and highly complex. Consequently, there were around 65,000 data breach notifications and over 200,000 complaints in just the first year of GDPR implementation.
Data analytics is becoming increasingly crucial for data-driven decision making and strategic growth in the majority of organizations. GDPR regulates not only how businesses store data, but also how they use it. What has been the impact of GDPR's introduction on analytics service providers such as Google Analytics?
GDPR and Data Analytics
GDPR regulates the use of data from storage to consent. There are three important principles relevant to data analytics.
The principle of minimisation indicates that only data that is adequate, relevant and necessary for the purpose in question is to be collected.
The processes and purposes for which personal data is collected must be explicit, specific and lawful.
The data cannot be processed for any purpose other than the one specified. For instance, according to Article 5 of GDPR, personal data must be processed lawfully and transparently, and data collected and processed is restricted to that purpose.
Only relevant data can be collected, and there should be a mechanism to store only accurate and up-to-date data, while inaccurate data should be deleted.
GDPR's sensitivity to automated processing and profiling might seem counterintuitive given the real-world applications of web analytics. For instance, if the collected data is used to create a profile of a person, and that profile is used to predict their behaviour, interests, lifestyle or performance, then the person can exercise their right to privacy by objecting to this automated profiling.
In addition, businesses are required to adopt the principle of privacy by design. This calls for a modern analytics product that is built for compliance and puts privacy at the forefront.
Another GDPR directive requires that any and all data collected by companies may only be collected after the individual has given free and explicit consent to the use of their personal data. Companies are also required to provide users with an option to withdraw their consent at any time.
Data analytics providers are also required to comply with requirements related to data accuracy, data quality and data observability.
For data quality, companies must have a robust framework in place so that any data inaccuracy is identified at an early stage. An effective infrastructure for data observability helps businesses review the "health of the data" in terms of its volume, schema, lineage, freshness and distribution. Data quality combined with data observability allows organisations to take a more transparent approach.
While all these measures eliminate the grey area that earlier left the data vulnerable, they also create additional challenges for businesses in terms of safeguarding, and making use of, the data they collect.
Both data controllers and data processors are responsible for safeguarding the data. In case of a breach, the penalty is $20 mn or 4% of annual global turnover, whichever is higher. This gives GDPR teeth that hurt, and it has sent many organizations scrambling to find a data analytics service provider who will ensure adherence to the letter and spirit of the law.
Companies Providing Data Analytics While Ensuring GDPR Compliance
Back in 2017, around a year before GDPR became effective, when companies were overwhelmed, apprehensive and frightened by the unknowns that the law promised, IBM welcomed GDPR, stating that "data is the new gold and therefore you should protect it". [1] In the past few years, many have compared the value of data with that of gold and oil. The significant difference is that while commodities lose value by becoming more obtainable, the opposite is true of data. [2] According to Statista (2022), the global big data market is estimated to reach 103 billion U.S. dollars by 2027, more than double its expected market size in 2018. [3]
Figure: Big data market size revenue forecast worldwide from 2011 to 2027 (in billion U.S. dollars)
Irrespective of a business's size, its future success depends on how effectively it obtains and uses its data. But with stringent laws like GDPR, the picture is not all rosy. While it is true that data holds significant value for businesses, they cannot ignore the fact that GDPR has made it more challenging for companies to capture users' data and use it meaningfully. [4]
For many businesses, data analytics has become more of a risk and a challenge than an opportunity. This is because they lack the actionable understanding to make use of the data they have, and with GDPR in place, they are exposed to regulatory, financial and reputational risks.
With over 661 fines in the first three years, GDPR has forced organisations to be mature and responsible when it comes to data privacy and the use of personal data. The EU has always been at the vanguard of data protection and data privacy, and the GDPR legislation has become a model in the global privacy landscape. It has therefore become crucial for businesses to build partnerships with analytics providers that both understand and comply stringently with the law.