In December last year, the EU finally agreed to go ahead with the new General Data Protection Regulation (GDPR) as a replacement for the existing Data Protection Act (DPA). So, now that we all know it’s definitely going to happen and we’ve seen details about the finer points of the legislation, it’s time to start preparing.
One of the primary changes which has been highlighted in the early reports of the GDPR is the prevention of database profiling…
Under the new regulation, data subjects have the right not to be subject to automated processing of personal data intended to evaluate, analyse or predict any feature of their behaviour, preferences or identity.
Profiling can take the form of customer tracking and advertisement conversions which offer discounts to repeat customers. So, the simple question is: how can you best prepare and adapt to this future legislation?
Do you need to profile your database?
Firstly, it is important to ask yourself a simple question… do you actually need to profile your database? If so, then the next step is to start gathering consent from individuals in order to ensure their participation in the activity. Alternatively, if your organisation carries out only minimal profiling, perhaps it would be easier to simply stop this activity and therefore avoid the new GDPR requirements.
A slightly different approach
The other option is to rely on anonymisation and pseudonymisation. This is the process by which a business can use information about people, without needing to identify data subjects directly from the information (e.g. in statistical analysis).
Although it’s not explicitly mentioned in the current DPA, 'anonymous data' is not personal data and is therefore not subject to the requirements of EU data protection law. Additionally, pseudonymous data is likely to be subject to less stringent protections than individuals’ full details. So, if you need information about your customers’ behaviour without their individual details, then this approach could help you avoid a lot of the requirements expected by the new GDPR.
Now’s the best time to prepare
Although the new GDPR is not due to be enforced until 2018, now is the best time to review all your existing processes and ensure that any future changes will be minimal.