Over a year has passed since the world was stirred up by strict new laws on consumer protection — the General Data Protection Regulation (GDPR). GDPR affects any organization that processes personal data of EU residents, by demanding the implementation of new routines that protect the consumers.
Despite the wide-spread coverage of GDPR, we found that many company leaders and even data officers still have a poor level of understanding of how GDPR affects their business and what measures they must take to ensure compliance. This is a big problem since unprepared organizations that are not compliant can suffer severe circumstances. The penalties for non-compliance include:
Companies are now forced to introduce new methods of data processing. Any solutions must have privacy by design — and it’s not always easy to know where to start.
Gathering insights from clients and our expert team alike, Statice has prepared answers to some common misconceptions and questions your company might have about data privacy, data anonymization, synthetic data, and more.
The answer is yes — your company can use and share data for internal use, provided that the data is anonymized.
But even if your company only shares and uses data internally — for example for software development, the GDPR limits the possibilities and renders it difficult to store sensitive data longterm. The GDPR states that companies must implement data minimization even for internal use:
“1. Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”
Probably the biggest misconception around the GDPR is that giving consent is enough for companies to use data freely. The thing about consent is that it needs to be clearly defined. Asking for consent means giving people a real choice and control over how you use their data. If a person has no choice, the consent is invalid. People must also have the choice to refuse consent without consequences and be able to withdraw consent at any time. Finally — the consent given must only be used for the clearly defined purposes and cannot be conditional to other terms.
Article 7(4) states:
“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Bigger companies are required to be GDPR-compliant and designate a data protection officer, an expert of data protection law and procedures. Smaller companies are required to comply with the GDPR if they process personal or sensitive data on a regular basis. This means that collecting databases of contacts scraped from social networks or other Internet sources is illegal. Small companies can have big datasets, too!
The GDPR aims to protect personal data — but what exactly is personal data?
Article 4 of the GDPR states:
“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); […] in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
This means that anything that relates to a specific person is personal data, including:
Pseudonymization is the removal of personal data such as names and telephone numbers. Pseudonymized data sets carry a high risk of being re-identified through linking to additional data sources. People can be re-identified from other data records.
One such example of a massive violation is the health record of the Governor of Massachusetts in the 1990s, which was linked to the public electoral register. Even though the names, addresses, Social Security numbers, and other information were removed from the health records, the Governor was identified by matching the information in the health records with his ZIP code, gender, date of birth, which was obtained through other public records.
We write more about anonymization vs pseudonymization in a separate blog post.
Overall, the GDPR makes it very difficult to collect, store and freely use sensitive data. This raises the question of how companies are still able to use personal data in a legal framework for innovative product development. One possibility is the use of completely anonymous data, as truly anonymized data is exempt from the GDPR.
Regardless of what size your company is, anonymizing your company’s sensitive data helps a lot to stay compliant. If you don’t have a data protection officer in-house to advise you here, feel free to reach out to us, as Statice provides a state of the art anonymization solution.
To learn more about how we can anonymize your company’s data — get a free demo via our website: https://www.statice.ai/
Contact us and get feedback instantly.