GDPR year 1: What we learned so far

Over a year has passed since the world was stirred up by strict new laws on consumer protection — the General Data Protection Regulation (GDPR). GDPR affects any organization that processes personal data of EU residents, by demanding the implementation of new routines that protect the consumers.

Why you should care about GDPR

Despite the wide-spread coverage of GDPR, we found that many company leaders and even data officers still have a poor level of understanding of how GDPR affects their business and what measures they must take to ensure compliance. This is a big problem since unprepared organizations that are not compliant can suffer severe circumstances. The penalties for non-compliance include:

• Written warning in cases of first and non-intentional non-compliance
• Regular data-protection audits by a third authority
• Data access restriction, including definitive and permanent bans
• Ban from operating within the EEA and EU area
• A fine of up to €20 million or up to 4% of the annual worldwide revenue, whichever is greater

Privacy by design

Companies are now forced to introduce new methods of data processing. Any solutions must have privacy by design — and it’s not always easy to know where to start.

Don’t worry — we have the answers

Gathering insights from clients and our expert team alike, Statice has prepared answers to some common misconceptions and questions your company might have about data privacy, data anonymization, synthetic data, and more.

1. Can my company freely use personal data internally?

The answer is yes — your company can use and share data for internal use, provided that the data is anonymized.

But even if your company only shares and uses data internally — for example for software development, the GDPR limits the possibilities and renders it difficult to store sensitive data longterm. The GDPR states that companies must implement data minimization even for internal use:

“1. Personal data shall be:

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”

2. Is general consent enough?

Probably the biggest misconception around the GDPR is that giving consent is enough for companies to use data freely. The thing about consent is that it needs to be clearly defined. Asking for consent means giving people a real choice and control over how you use their data. If a person has no choice, the consent is invalid. People must also have the choice to refuse consent without consequences and be able to withdraw consent at any time. Finally — the consent given must only be used for the clearly defined purposes and cannot be conditional to other terms.

Article 7(4) states:

“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

3. Should small companies worry about GDPR?

Bigger companies are required to be GDPR-compliant and designate a data protection officer, an expert of data protection law and procedures. Smaller companies are required to comply with the GDPR if they process personal or sensitive data on a regular basis. This means that collecting databases of contacts scraped from social networks or other Internet sources is illegal. Small companies can have big datasets, too!

4. What is personal data

The GDPR aims to protect personal data — but what exactly is personal data?

Article 4 of the GDPR states:

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); […] in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

This means that anything that relates to a specific person is personal data, including:

• Online identifiers, e.g. IP address or usernames
• Physical factors, e.g. hair color
• Economical factors, e.g. salary
• Genetic factors, e.g. blood type
• Location data, e.g. home address
• Identification numbers, e.g. social security number

5. Is masking data enough protection?

Data masking is the removal of personal data such as names and telephone numbers. Masked data sets carry a high risk of individuals being re-identified through linking masked data to additional data sources.

One such example of a massive violation is the health record of the Governor of Massachusetts in the 1990s, which was linked to the public electoral register. Even though the names, addresses, Social Security numbers, and other information were removed from the health records, the Governor was identified by matching the information in the health records with his ZIP code, gender, and date of birth, which was obtained through other public records.

We write more about anonymization vs pseudonymization in a separate blog post.

Stay GDPR compliant

Overall, the GDPR makes it very difficult to collect, store and freely use sensitive data. This raises the question of how companies are still able to use personal data in a legal framework for innovative product development. One possibility is the use of anonymous data, as truly anonymized data is exempt from the GDPR. Another option is to use statutorily pseudonymized data, which while still covered by the GDPR, provides benefits and incentives when used that reduce your GDPR compliance obligations.

Regardless of what size your company is, anonymizing your company’s sensitive data helps a lot to stay compliant. If you don’t have a data protection officer in-house to advise you here, feel free to reach out to us, as Statice provides a state of the art anonymization solution.

Get a free demo

To learn more about how we can anonymize your company’s data — get a free demo via our website: https://www.statice.ai/