How do you make data analysis possible under the new privacy legislation (GDPR)?


The new privacy legislation—the General Data Protection Regulation (GDPR)—has been in force since 25 May 2018. This law has far-reaching implications for both the public and private sectors. The need for data analysis has grown significantly in recent years, and the added value of making management decisions based on the results of data analysis has become increasingly evident. So the big question is: How do you make data analysis possible under the new privacy legislation?

The GDPR in short

The GDPR was adopted in May 2016, and included a two-year transitional period. The law has brought substantial changes to and created obligations for many organisations. For example, every time personal data is processed, it must be recorded in a processing register, and the rights of individuals have been extended so the privacy of data subjects is better safeguarded. In addition, the processing of personal data is only permitted when it is carried out on the basis of one of the legal principles (such as the consent of the data subjects) and for a predetermined purpose.

Will we now be restricted in carrying out data analyses on personal data?

Organisations are not so much restricted in carrying out data analyses as they are in the way in which this may be carried out; the regulations around this have been tightened up compared to previous privacy legislation. For example, data must be processed properly, lawfully and transparently, and organisations may not use more data than is necessary for the purpose determined and described in advance. In addition to the new rules concerning the processing and recording of personal data, organisations will be given greater responsibility for any potential negative consequences for data subjects. Organisations must subsequently be able to justify why they have used certain personal data. As a result, taking appropriate technical and organisational measures to protect the privacy of data subjects has become extremely important.

What measures can an organisation take to protect the privacy of data subjects?

Effective solutions are now available for carrying out analyses without the data being traceable to individuals, meaning the privacy of data subjects is guaranteed. For example, data can be aggregated so that only totals are visible (‘1000 customers visited the store’). There are also techniques such as anonymising and pseudonymising, which prevent data from being (directly) traced to an individual.

A recognisable, practical example

Many companies conduct research into customer behaviour (purchasing behaviour, repeat purchases, satisfaction). To this end, data from various sources is used to gain insight into the reasons why a customer does or does not return. For such studies, in which the customer gives permission to process his data for this purpose, it is often not important to know and record exactly what an individual customer thinks about the organisation. The important thing is how the customers as a group perceive the service and how they think the organisation can improve its service.
This is precisely what the GDPR says about conducting research using personal data: if it is not necessary to be able to trace research results back to individuals, make sure that measures have been taken to minimise traceability.

Pseudonymisation of personal data

A good example of a measure which can be taken to minimise traceability is pseudonymisation. By using pseudonymisation, traceable personal data (such as customer numbers or names) can be converted into pseudonyms, making it possible to conduct research using customer data that researchers cannot trace back to individuals. This gives organisations insight into customer satisfaction and how to potentially improve their services, while at the same time guaranteeing the privacy of data subjects.

In short, data analysis is definitely possible, even under the GDPR. It is important, however, that you consider in advance the measures to be taken to secure the data and prevent (in)direct traceability. Only then can you claim that you have sufficiently protected the privacy of the data subjects.

The definition of ‘pseudonymisation’ in the GDPR: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
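The customer-research scenario above, as an added example that is not code from Viacryp or from the original article: customer numbers from two sources are replaced by keyed pseudonyms (HMAC-SHA256 is an assumed choice of technique), the sources are joined on the pseudonym, and only group totals are reported. The key, field names, sample records and the minimum group size of 3 are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key. It is the "additional information" from the definition:
# stored separately, never handed to the analysts.
KEY = bytes.fromhex("1f" * 32)

# Constructed sample data from two sources; note the inconsistent ID formatting.
PURCHASES = [
    {"customer_id": "C-1001", "name": "A. Jansen", "store": "Utrecht"},
    {"customer_id": "C-1002", "name": "B. de Vries", "store": "Utrecht"},
    {"customer_id": "C-1003", "name": "C. Bakker", "store": "Utrecht"},
    {"customer_id": "C-1004", "name": "D. Visser", "store": "Delft"},
]
SURVEY = [
    {"customer_id": "c-1001 ", "score": 8},
    {"customer_id": "C-1002", "score": 6},
    {"customer_id": "C-1003", "score": 7},
    {"customer_id": "C-1004", "score": 9},
]

def pseudonymise(customer_id, key):
    """Keyed pseudonym: stable per customer, not recomputable without the key."""
    normalised = customer_id.strip().upper().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def strip_identifiers(rows, key, direct=("customer_id", "name")):
    """Replace direct identifiers with a pseudonym before data reaches analysts."""
    return [
        {**{k: v for k, v in row.items() if k not in direct},
         "pid": pseudonymise(row["customer_id"], key)}
        for row in rows
    ]

def satisfaction_by_store(purchases, survey, min_group=3):
    """Join both sources on the pseudonym and report only group-level totals."""
    store_of = {row["pid"]: row["store"] for row in purchases}
    scores = defaultdict(list)
    for row in survey:
        if row["pid"] in store_of:
            scores[store_of[row["pid"]]].append(row["score"])
    # Suppress groups so small that a total would point at one person.
    return {store: {"customers": len(s), "mean_score": round(sum(s) / len(s), 1)}
            for store, s in scores.items() if len(s) >= min_group}

def run():
    return satisfaction_by_store(strip_identifiers(PURCHASES, KEY),
                                 strip_identifiers(SURVEY, KEY))

if __name__ == "__main__":
    print(run())
```

Anyone holding the key can recompute a pseudonym from a customer number, which is why the definition requires that the additional information be kept separately from the research data.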


Patrick van den Bos


Patrick is CIPP/E-certified and has been working as a privacy consultant since 2016, helping organisations to deal responsibly with personal data and become GDPR-compliant. He also advises organisations on technical and organisational measures and the use of privacy-enhancing technologies (PETs).