Understanding the Basics of the GDPR

On May 25, 2018, enforcement of the General Data Protection Regulation (GDPR) will begin in the European Union.  The Regulation unifies data protections for all individuals within the European Union, however, in some cases, it also hinders the usage of such data.  By no means a comprehensive analysis, this post will help get you up to speed on the GDPR, how it impacts business, and what analysts can do to still get valid results from data.

Very Brief History

On January 25, 2012, The European Commission proposed a comprehensive reform of the 1995 data protection rules to “strengthen online privacy rights and boost Europe’s digital economy.”  It was estimated that implementing a single law could bypass “the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”  On April 14, 2016, the Regulation was officially adopted by the European Parliament and is scheduled to be put into force on May 25, 2018.  Now that we know how we got here, let’s answer some basic questions:

Why does Europe need these new rules?

In 1995, when the prior regulations were written, there were only 16 million Internet users in the world.  By June 2017, that number had increased to almost 4 billion users worldwide and more than 433 million of the EUropean Union’s 506 million inhabitants were online.  The increased use ushered in increased technology, search capabilities, data collection practices and legal complexity.  Individuals lack control over their personal data and businesses were required to develop complex compliance plans to comply with the varying implementations of the 1995 Regulations throughout Europe.  The GDPR fixes these issues by applying the same law consistently throughout the European Union and will allow companies to interact with just one data protection authority.  The rules are simpler, clearer, and provide increased protections to citizens.

What do we even mean by “personal data?”

Simply put, personal data is any information relating to an identified or identifiable natural person.  According to The Regulation’s intent, it “can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”

Isn’t there also something called “Sensitive personal data?”

Yes.  Sensitive personal data is “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Under the GDPR, the processing of this is prohibited, unless it meets an exception.

What are those exceptions?

Without getting into the weeds of the rule, the excepts lay out cases where it is necessary and beneficial to take into consideration sensitive personal data.  These include legal proceedings, substantial public interests, medical purposes, protecting against cross-border threats, and scientific research.

With all this data being protected, can I still use Facebook?

Yes!  The new rules just change how data controllers collect and use your information.  Rather than users having to prove that the collection of information is unnecessary, the businesses must prove that the collections and storing of your data is necessary for the business.  Further, companies must take into account “data protections by default” meaning those pesky default settings that you have to set on Facebook to keep people from seeing your pictures will already be set to the most restrictive setting.  Further, the GDPR includes a right to be forgotten, so you can make organizations remove your personal data if there is no legitimate reason for its continued possession.

How can data scientists continue to provide personalized results under these new rules?

This is a tricky question, but some other really smart people have been working on this problem and the results are promising!  By aggregating and undergoing pseudonymization processes, data gurus have continued to achieve great results!  For a good jumping off point on this topic, head over here!

Leave a Reply