Now that GDPR has arrived, businesses are either feeling secure or nervous about what they have done to protect their customers’ and prospects’ personal data.
According to the regulation, ‘personal data’ is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The definition is lengthy but it is also vague. Experts agree that this approach is quite deliberate: it has been left open so that the coming months and years will see court cases that debate the nature of personal data and create legal precedents that narrow the definition more precisely.
As we’ve mentioned before, GDPR isn’t a deadline but a low-water mark for what the future holds when it comes to trust and privacy. The same is quite possibly true for how we define personal data.
With the growth of artificial intelligence and data mining, more data will emerge on individuals that could be defined as personal data. A dynamic IP address might not currently qualify, given that multiple individuals may share it, but perhaps it will if a company holds personally identifying data tied to that address.
And that is only going to be the beginning. Analytics is currently used to pick out behaviours and habits so that advertisers can use that data to personalise their online targeting. If you order a lot of fast food, you won’t be surprised to see ads for fast food appearing when you visit websites.
But is data on your eating habits considered personal data? Or how about data on your voting habits? The recent Cambridge Analytica-Facebook scandal highlighted that the latter can be both immensely powerful and used in ways that the individuals involved might not approve of or desire.
And of course, under GDPR, that means even more data that individuals will have the right to access, or the right to have deleted. Simply meeting the basic regulatory requirements to ensure these rights in a secure and timely manner already presents significant challenges for businesses. Just imagine what it will be like if the definition of personal data expands.
As the definitions shift, it will become even more vital for companies to understand and manage their personal data ecosystem. An effective solution must be capable of processing and analysing huge volumes of data and metadata, and granular enough to be able to switch, dynamically, between the atomic, or individual, data level and various levels of summary above this.
Only then can the often complex interrelationships between the different systems, processes, jurisdictions and so on be mapped out, visualised and interrogated.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly.