Last week we heard from data privacy expert Aurélie Pols on the GDPR’s context and scope, and the definition of personal data. Read on for part 2 of our interview, where Aurélie discusses the GDPR and what it means for digital analytics, transborder data flows, profiling, business strategy and consumer behavior.
What should companies be concerned about regarding the vendors they work with? For example, what should they ensure from their digital analytics provider?
GDPR compliance is about risk of data uses. While data can undoubtedly benefit your business, it can also become toxic if privacy obligations are not respected. Two factors come into play when calculating the risk that data manipulations could represent for your business: a figure of 20 million euros, or an estimation of 4% of your company’s global turnover, as the GDPR’s fines relate directly to one of those numbers.
In order to hedge against such risk, undergoing a Data Privacy Impact Assessment (DPIA), and making sure the right questions are asked and answered before choosing your preferred partner are part of the best practices to adopt, on top of hopefully existing security measures.
Additionally, data protection and privacy obligations, certainly in this day and age of data sharing and commoditization, are about aligning responsibilities between your company and the partners chosen in your data endeavors, as data processors. The GDPR expects an accountability chain, as your business sits at the forefront of compliance obligations put forward by the legislation. Your data partners should therefore “have your back”, both in terms of contract obligations, and in terms of privacy-enhancing features in order to ensure your company can step up to the increased obligations brought about by this increasingly global privacy standard.
Vocabulary used by your partners and their support teams should already give some indication as to the depth of training they have received to ideally cater to your needs and obligations as a controller. While slip-ups in the use of terms such as “PII” should possibly be permitted, it should also raise some flags on your side when discussing the obligations brought about by the Regulation.
Data subjects’ rights such as the Right to Access – which is also finding its way into US states such as Illinois, known under the Right to Know – are processes and practices that will have to be defined together with the chosen service provider. How will Rights to Access, once received, be passed along? Who is the contact person or department in charge? What is the expected deadline for a response? Are there any (hidden) costs to be foreseen in case back-ups must be retrieved for rectification or deletion of records?
Note that this also means that internally, on your own side, those processes are in place to decide how individuals should be identified in order to have their rights respected. Additionally, decision-making processes should be clear internally to determine whether rectification and/or deletion would apply. After all, your data partners act on your behalf following instructions, so it should be clear what is expected from them, but also what remains an internal responsibility and how the decision-making chain is set up.
While contracts can partially handle such responsibility challenges, making sure they are balanced between the parties involved, and having access to additional documents related to security best practices, certifications, or adherence to industry standards shows further signs of alignment with the GDPR. The appointment of a DPO is a sure sign of your preferred vendor’s adherence to the GDPR’s underlying commitment to making your data endeavors a success, orchestrating alignment between contractual obligations and internal, human resources-driven processes and best practices. Additional support related to data governance frameworks, classification of required security measures, as well as proven pseudonymization techniques would further contribute to ensuring the risk surrounding data uses is managed and under the best control possible.
Since 1995, the Data Protection Directive has forced European companies to understand what type of data they have been processing for their businesses, with some countries even holding obligations related to the registration of exact files with Data Protection Authorities. While these administrative burdens have been cleared under the new regime, European companies are ready to apply some of these techniques within the digital sphere.
What should companies look for in a digital analytics provider to be sure they are GDPR compliant?
While certifications (which are still evolving) as well as strong security practices remain the easy superficial readiness signs, which can be showcased while making a “Competing on Privacy” case, more elaborate and long-term efforts, such as helping define standards and building bridges with local (soon-to-be) Supervisory Authorities, show stronger commitment to the underlying philosophy of the GDPR.
After all, this is about user rights, and what’s at stake here is defining how these rights will be expressed exactly, with one foot firmly grounded within the legal text and the other looking for better ways to structure data so that all parties benefit from seamless data sharing.
The discussion is often not even about whether the traceability of data exists, but how and when this would need to be shared with either citizens or other parties. And that work is not done in a vacuum, it’s a collaborative effort between the analytics vendor, its different departments, and your company.
What will the GDPR mean for trans-border transfers of data?
As mentioned earlier, the GDPR talks of adequacy: the fact that EU citizens’ rights need to be respected, and that those rights “move with the data” in a sense.
Now, from a legal standpoint, if we just talk of international data exchange treaties such as Privacy Shield, I’m not sure the current US administration, with its recent decisions related to the FCC (and many others!) is looking at it from the right perspective.
I would therefore expect more hosting on EU soil and we’re seeing cloud infrastructure being increasingly announced in Germany, France, Ireland, etc.
One could also imagine more anonymization/de-identification techniques being used if data still had to be hosted on US soil, but then again, this depends upon the risk equations of companies and how they treat the data in the first place.
Note that this initial reference to rights moving along with the data also hints at another obligation under the GDPR: ensuring that consent and purpose travel with the data. A respectable vendor that talks about those conundrums would certainly have my attention!
How do you see the GDPR affecting companies’ strategies and habits over time?
As I mentioned to the Center for Digital Democracy over a year ago: I’m teaching my kids how to lie, specifically on the Internet. As a mother, it’s not great to be forced to teach that!
I think we are at the very early stages of Privacy, and just like I’ve witnessed Tom Davenport’s “Competing on Analytics” unfold over a decade, we’ll see the same with Competing on Privacy.
Companies are struggling with a downward spiral related to their customers’ trust. This phenomenon sits within an increasingly globalized world where efficiency, and sometimes cutting corners, prevails. It’s a monetary-driven kind of optimization, feeding certain corporate profits.
Depending upon the sector and also reliance on data (as the raw material) for profit maximization, attitudes towards the GDPR vary. Readiness ranges from total denial – and certain court battles down the road! – to full acceptance and preparation, certainly in more regulated environments, such as Telco, Banking, Insurance, Health, …
There are also interesting forces at play that are signaling a failure of the legislation, possibly hoping to water down enforcements and curb increased collaboration between Data Protection Authorities.
One shouldn’t however forget that the economic fabric of our societies is made up of more than 95% SMEs. And while digital transformation is on a growing path within all levels of society – companies and citizens alike – now is the time to get things right in terms of measurement but also accountability. Because IoT is around the corner and the systems are not currently optimized towards ensuring maximization of our society’s well-being. The recent range of elections has shown us the power of digital “nudging”.
So companies can choose to aim for compliance, going through compliance risk reflections (and hopefully developments) about article 30, for example, on Records of processing activities.
Or they can focus on holding inclusive internal reflections on certain recitals such as recital 2 of the current 95/46/EC Data Protection Directive:
“Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;”
Or even recital 4 of the GDPR:
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
Each company is free to choose where they sit on this scale of GDPR realization. The choice is their own.
How do you see the GDPR affecting consumer expectations and behaviors over time?
Consumers will become less loyal, more distrustful, and lie more whenever possible. Isn’t that what ad blocking, or a more interesting one, ad obfuscation, is about? My condolences to data quality.
They can also boycott brands, shame organizations, or go as far as exercising their rights to transparency, which are already present in the current European Data Protection Directive.
What’s interesting is that the evolution from web analytics to the digital advertising ecosystems we know today is fueled on scale. Imagine such scale in the hands of consumers. This legislation is about reintroducing citizens, the data subjects, into the data ecosystem.
In order to reach scale, citizens need to be involved. This is done by allowing them to see and access the data that is being used about them. Initiatives such as Paul-Olivier Dehaye’s PersonalData.IO are founding pillars for the balance to be re-equilibrated, through legal instruments such as the GDPR, amongst others.
The GDPR introduces the notion of profiling. What kind of online services specifically fall under this umbrella? What are the potential consequences and impacts on the digital analytics sector?
Profiling is defined under article 4.4 as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
The question here probably relates to article 22 about automated individual decision-making, including profiling, on top of all the references to profiling within the different rights listed between articles 15 and 22.
Recitals 24, 60, 63, 70, 71, 72, 73, 91 give more indication on profiling; specifically highlighting recital 72: “Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.”
I’m sure we all look forward to reading the EDPB’s contribution on the subject.
A big thank you to @AureliePols for sharing her expert insight with us in preparation for May 2018!