How changes to EU data protection directives could affect businesses in the EU (Part II)
From 2017, the new EU data protection directive is enforceable across EU countries. In IT and data implementation terms, a two-year execution period is in reality just around the corner. Complying with the new regulation often involves several teams, because it touches both data protection and IT security issues. IT, marketing, legal and compliance management, and business teams will therefore need to join the effort and create a roadmap and framework to implement business change and new IT projects. As a result, all companies are now preparing for the practical implementation of the forthcoming EU General Data Protection Regulation.
(continued from the previous newsletter)
Companies will in the future need to confront the changes to EU data protection directives. The directive will affect businesses in the EU and could affect companies in the EU head-on. They must think rather carefully about their customer engagement and marketing strategies. Gaining customer trust with appropriate customer terms and legally compliant consents will take on greater importance if companies are to continue to use and benefit from personal data.
Profiling is broadly defined as "any form of automated processing of personal data, intended to evaluate certain personal aspects, relating to a person." Pseudonymous data, on the other hand, is frequently used for customer profiling and is another area of contention under the regulation. Both can be used to analyse or predict, in particular, that natural person's performance at work, economic situation, location, health, etc.
The above definition could potentially capture any form of data analytics and, therefore, would have a significant impact on data-driven businesses.
Harder to use personal data for analytics
The regulation will require companies to have either a statutory basis for profiling (such as for crime prevention or detection purposes) or the individual's consent to being profiled.
New standard of consent
Therefore, businesses will be required to obtain an individual's consent, which will make it considerably harder to use personal data for analytics purposes in the future.
Under current law, consent is often not required for profiling activities. This is because profiling is often carried out using pseudonymous data. In future profiling activities, using personal data is permitted for a legitimate purpose of the data controller, provided that the activity does not unduly infringe individuals' rights and interests.
Therefore, under the new data protection regime, consent will be a must for any personal data analytics. Consent must be freely given, specific and informed - the individual must have a genuine choice as to whether to give consent and be able to withdraw consent without detriment.
In practice, this means that companies engaged in personal data analytics will have to tell individuals that they are carrying out profiling. They must also inform individuals that the profiling activity is being undertaken and of the implications of such profiling. The company must then give the individual a genuine option to agree to, or to disagree with, the use of their personal data.
Given the general public concern about how companies use personal data, it does not seem too implausible to imagine that many of the people involved will refuse their consent to profiling. On the other hand, it is obviously important to give individuals control over their personal data. The effect of this profiling provision could be to stifle data innovations and analytics - perhaps at the cost of improving the person's life, such as by performing health data analysis.