Is it Legal to Use Analytics Under GDPR?

Annie Greenley-Giudici

Let’s face it – data analytics is an extremely handy (some might say vital) tool for processing consumer data.

But processing analytics or using historical databases under the European Union’s General Data Protection Regulation (GDPR) could get your organization in trouble if you don’t know what you’re doing.

What is the GDPR?

The GDPR claims to be the “toughest privacy and security law in the world,” and you don’t have to be based in Europe to be impacted by it.

As long as your organization targets or collects data related to people in the EU, you must abide by GDPR regulations. If you don’t, you can expect penalties reaching into the tens of millions of euros.

The GDPR is large, far-reaching, and fairly light on specifics, making compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

GDPR Analytics Consent

Prior to the GDPR, risks associated with not fully comprehending broad grants of consent were borne by consumers.

Under the GDPR, broad consent no longer provides sufficient legal basis for data analytics or the use of historical databases involving personal data.

Consent is an important aspect of the GDPR. To serve as a valid legal basis, consent must be specific and clear.

In order for consent to serve as a lawful basis for processing personal data, it must be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”.

“Freely given” implies a real choice by the consumer (data subject). The GDPR states that it won’t tolerate any pressure or influence from an organization that could affect the outcome of that choice.

These GDPR requirements for specific and unambiguous consent are impossible to satisfy in the case of iterative data analytics.

This is because successive analysis, correlations and computations are not capable of being described with specificity and clarity at the time of consent.

In addition, the GDPR has no grandfather provision. That is, it doesn’t allow for the continued use of data collected using non-compliant consent, prior to the effective date of the GDPR (May 2018).

How to Lawfully Process Data Analytics Under GDPR

Your company is non-compliant with GDPR requirements if it relies on consent for analytics, AI and use of historical databases involving EU personal data.

If you are non-compliant, your organization is at risk of incurring a hefty fine. This amounts to up to 4% of global turnover or 20 million euros: whichever is greater.

To lawfully process data analytics, and to legally use historical databases containing EU personal data, new technical measures that support alternate (non-consent) GDPR-compliant legal bases are needed.

Two technical requirements under the GDPR help to satisfy alternate (non-consent) legal bases for data analytics and use of historical databases involving EU personal data.

These are data protection by design (pseudonymization) and data protection by default.

Data Protection by Design

The GDPR embraces a risk-based approach to data protection. This means shifting the main burden of risk for inadequate data protection from the consumer (data subject) to the organization (corporate data controllers and processors).

Before the GDPR, the burden of risk was borne principally by consumers because of limited recourse against data controllers and lack of direct liability for data processors.

The GDPR recognizes that static (persistent) and apparently anonymous identifiers used to tokenize or replace real identifiers are ineffective in protecting consumer privacy.

There are two main reasons why:

  • Increases in the volume, variety and velocity of data
  • Advances in technology.

Combined, this means that static identifiers can be relinked to real identifiers (or are readily linkable), leading to unauthorized re-identification of data subjects.

This is known as the correlative effect or mosaic effect, because the same party that has the data can link the data to individuals.

Continued use of static identifiers by data controllers and data processors wrongly places the risk of unauthorized re-identification on data subjects.

However, the GDPR encourages data controllers and processors to continue using personal data by implementing new technical measures. The GDPR calls this pseudonymizing data.

What is GDPR-compliant pseudonymization?

GDPR-compliant pseudonymization is simple in theory but potentially complicated in practice. It requires organizations to separate the information value of data from the means of linking data to individuals.

Put simply, it’s the processing of personal data in a way that the data can no longer be assigned to a specific person without the addition of further information.

How does your organization do this?

By replacing all personal identifiers with a form of pseudonym.

In contrast to static identifiers, which are subject to unauthorized relinking via the mosaic effect, dynamically changing pseudonymous identifiers can separate the information value of personal data from the means of attributing the data back to individual data subjects.

In so doing, you satisfy GDPR requirements.
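The contrast between static and dynamically changing identifiers can be seen in a short sketch. This is an added example, not code from the original article; the sample records, the context labels and the choice of HMAC-SHA-256 with a separately held key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: two datasets about the same fictional people.
PURCHASES = [("alice@example.com", "running shoes"), ("bob@example.com", "laptop")]
CLINIC_VISITS = [("alice@example.com", "physiotherapy"), ("carol@example.com", "dental")]


def static_token(identifier):
    """Static identifier: the same input yields the same token in every dataset."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()[:16]


def dynamic_pseudonym(key, context, identifier):
    """Keyed pseudonym that differs per context (dataset or purpose)."""
    # The key is the "further information": store it apart from the data.
    msg = context.encode() + b"\x00" + identifier.lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows, make_id):
    """Replace the personal identifier in each row with make_id(identifier)."""
    return [(make_id(ident), value) for ident, value in rows]


def linkable_ids(dataset_a, dataset_b):
    """Identifiers present in both datasets, i.e. rows a recipient can join."""
    return {row[0] for row in dataset_a} & {row[0] for row in dataset_b}


def relink(key, context, pseudonym, known_identifiers):
    """Only the key holder can attribute a pseudonym back to a person."""
    for ident in known_identifiers:
        if hmac.compare_digest(dynamic_pseudonym(key, context, ident), pseudonym):
            return ident
    return None


KEY = secrets.token_bytes(32)  # assumption: held by the controller only
static_a = pseudonymize(PURCHASES, static_token)
static_b = pseudonymize(CLINIC_VISITS, static_token)
dynamic_a = pseudonymize(PURCHASES, lambda i: dynamic_pseudonym(KEY, "purchases", i))
dynamic_b = pseudonymize(CLINIC_VISITS, lambda i: dynamic_pseudonym(KEY, "clinic", i))

if __name__ == "__main__":
    print("static tokens joinable:", len(linkable_ids(static_a, static_b)))
    print("dynamic pseudonyms joinable:", len(linkable_ids(dynamic_a, dynamic_b)))
```

With static tokens, anyone holding both datasets can join the purchase and clinic rows for the same person, and anyone who knows an e-mail address can recompute its token. With the keyed, per-context pseudonyms the two datasets share no identifier, and attribution requires the separately stored key.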

Data Protection by Default

The GDPR imposes a mandate to provide data protection by default. This goes further than providing perimeter-only protection.

It’s also much more than privacy by design; it is, in fact, the most stringent implementation of privacy by design.

Data protection by default requires that data protection be applied at the earliest opportunity (by dynamically pseudonymizing data). It also requires organizations to collect, process and store the smallest amount of personal data necessary for a specific purpose.

This is in stark contrast to common practices prior to the GDPR. Before May 2018, the default was that data was available for use and affirmative steps had to be taken to protect the data.

Data protection by default requires granular, context-sensitive control over data when it is in use. This is so that only the slice of data necessary at any given time, and only as required to support each authorized use, is made available.

Should I Comply with GDPR, Even if I Don’t do Business in the EU?

Even in situations where a company is not required to comply with EU regulations, compliance with GDPR requirements for pseudonymization and data protection is a good idea.

It shows your organization employs state-of-the-art initiatives to serve as a good steward of data, engendering maximum trust with customers (make sure they know).

And in today’s business world, trust, brand reputation and loyalty are everything. 
