This article is more than 1 year old
Rolling in personally identifiable data? It's a bit of a minefield if you don't keep your feet
But if it's genuinely anonymised, heck, go crazy
The world – well, Europe at least – is going potty about the impending new General Data Protection Regulation. If I signed up to every data protection seminar invitation in my inbox I'd have no hours left in the day to work... or drink or sleep, for that matter. So it's easy to forget that data protection legislation has existed for donkeys' years already – as hinted at by the existence of legislation such as the UK's Data Protection Act 1984. Yes, GDPR has some interesting new stuff in it, but the core principles of giving legal protection to people's Personally Identifiable Information (PII) have existed for some considerable time already.
Alongside the trend to hype up GDPR there's another prominent data related trend: the data driven enterprise. This is all about replacing the instinct in one's business with hard science based on logical and often complex analytic algorithms. But how does this tie up with the worries of misusing personal data – both now and under the new legislation – and getting a beating from the Information Commissioner?
First of all, if you're processing PII you need the subject's consent to do so (the "subject" in this case is the person whom the data is about). Want to process data that identifies me? That's fine as long as I agree you can do so. Which brings us to the second part of the consent angle. I'm not going to give you carte blanche to do what you like with my data: you need to tell me what you intend to do with the data and I need to agree to let you do so. And if you decide later that there's something new and funky you want to do with it... well, you have to come back to me and ask permission for the new types of processing.
This said, though, explicit consent isn't always required. According to Article 6 of GDPR processing, PII is legitimate (albeit with a couple of caveats) if: "processing is necessary for the purposes of the legitimate interests pursued by the controller". If you want to buy something from my online store it would be daft if I was obliged to ask you explicitly for permission to use your card number to take payment and your address to post you the goods.
As in many cases in law there's a test of reasonableness – there's a fuzzy line where the company's "legitimate" interests stop and explicit consent becomes necessary. Additionally the bulk mail crowd have also clearly irked the authors of the data protection legislation: direct marketers get a specific mention in Article 21, "Right to object": "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing." And one can’t forget the “right to be forgotten” covered by Article 17. Hence if you’re looking to use PII for direct marketing purposes in particular, you have to be cautious.
All this said, though, you're not prevented from processing data for marketing purposes: you're simply obliged to take each data subject's wishes into account when you do so. Want to send targeted offers with brochures to customers who have signed up to your mailing list? Knock yourself out. Oh, and while we're on the point of people signing up: one of the clauses of GDPR that at first seems restrictive is the clear need for people to opt in to their data being processed – no more opt-outs or pre-ticked opt-ins. But I actually see that as a good thing: if you've done it by the rules and a person has ticked the opt-in box, it's a cast-iron guarantee that they've done what GDPR calls a "clear affirmative act" in giving their consent.
But don't forget...
There's a key fact about data protection legislation that's often forgotten: it has PII at its core. If you can't identify it, you can do pretty much what you wish. As the text of GDPR puts it, the legislation doesn't apply to "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable".
This doesn't help you a lot if you're looking to do direct marketing to people, because you need to identify the people. But if, say, you want to analyse the success of your various marketing campaigns you don't need the individuals' identifiable data to do so. Want to do Big Data analysis on the footfall in your chain of supermarkets? No problem, the data from your footfall counters probably didn't have any PII in it to start with.
The data-driven enterprise and the data
And this last point is the important one: data protection legislation is about personal data. While you may want to do some analytics on personal data, the chances are that the majority of what you want to do relates either to non-personal data (it could be anything from road/rail traffic data to traces of sub-atomic particles in a collider) or to personal data that you can process even if you anonymise it (browsing information from an online store, say, or airline ticket sales).
The data-driven enterprise doesn't clash with data protection legislation, then – even if the GDPR snake-oil-vending consultants will try to tell you it does. You have to be mindful of the legislation around the data you're working with, of course, but that’s no different from, say, being careful how you record financial transaction in your ledger and report it to the tax man. A few simple policies and mechanisms for ensuring data is anonymous should be sufficient to keep things legit. After all, even GDPR doesn't concern itself with "the processing of such anonymous information, including for statistical or research purposes". ®