General Data Protection Law (GDPR) gives personal data a broader definition

Published June 21, 2017

One of the trending tools modern businesses use for optimizing workflows, finding new markets and efficiently advertising products is big data analytics: a process that involves large information sets and the use of artificial intelligence and machine learning in order to obtain desired patterns and trends. For those who followed the hype of big data analytics, changes in systems and procedures will follow this year in order to comply with the General Data Protection Law (GDPR), which will come into effect in May 2018.

GDPR is a complex regulation that changes the entire process of collecting, processing and storing personal data, voluntarily provided or accumulated by automated systems.

The reform will offer a single legal framework for all 28 EU members regarding data storage and manipulation. However, non-European companies that interact with data of EU citizens will also need to abide by the new regulation. The main function of GDPR is to create a safer digital environment for consumers and for companies.

What Is Personal Data?

To begin with, Personally Identifiable Information (PII) will include a larger palette of data, like IP addresses, health status and social, economic or cultural information of persons. Nowadays, people interact using apps, but also register for different activities, pay bills and shop using apps, so they gradually expose more and more information through the use of apps.

GDPR applies the principle of data minimisation, which means only information that is absolutely necessary can be requested.

Also, pseudonymization should be applied to personal data, which implies new processes that separate information about subjects from their identity. This way, the additional information of people involved will be kept separately and securely. One game-changer for the big data industry is the rule of consent: organizations will need to provide valid evidence of authorization from subjects.

Power to the Data Subjects

Starting from 2018, companies will have to make terms and conditions more explicit when collecting personal data, in order to be able to prove consent from their subjects. Individuals have the right to know what amount of their personal data is used and what the purpose of processing is. Additionally, they are entitled to ask for a copy of the gathered personal information or even for a complete erasure of their data. Also, the common practice of sharing collected data with third parties is not acceptable anymore, unless subjects acknowledge and approve this operation.

Trace the Back-ups

The new sets of rights concerning data subjects will rock the cloud computing business. Cloud providers have to transform their storage systems in order to make personal data back-ups traceable and easily accessible, as subjects can ask anytime for removal. The law also applies retroactively, so older back-ups need to be evaluated. Furthermore, personal information can be kept for a definite amount of time, which means tracing sources and resting spots at all times will become mandatory.

Security Comes First

Companies and public or private organizations that work with personal data will need enhanced security systems. A Data Protection Officer (DPO) is obligatory for all businesses and institutions that touch personal data. The role of this new specialist is to constantly evaluate conformity with the Data Protection Law. Both controllers and processors have to perform privacy impact assessments on a regular basis to identify risks of breaches. However, if a data violation happens, it has to be reported within 72 hours after detection in order to avoid sanction. All private data beneficiaries will need to design their workflows to include data protection procedures, which will impact their budgets in the following years.

Companies now have more data available than ever, and the use of analytics has changed traditional functions like management, marketing, and sales, making them better targeted and more efficient. Big data is also used to improve security and law enforcement and to optimize public systems in countries and cities. Its uses multiply every year; however, both companies and individuals are not yet trustful when it comes to exposing data through cloud systems. The General Data Protection Law will improve personal data security and monitoring, but the rules come with a cost for processors and controllers. Some organizations have already started their GDPR compliance strategy, but full conformity is still a long way off.