Miminal's take on GDPR and its implications

Charlie | May 22nd 2018

When you introduce yourself as a data scientist, the topic that springs to most people’s minds is the GDPR. How are you preparing for it? What changes are you having to make? How is it affecting your customers? And unfortunately, due to recent media coverage of high-profile data stories and how some organisations have reacted to the GDPR, there is a hint of a grey cloud hanging over anything data-related for consumers right now. And rightly so.

For too long, organisations have exercised free rein over consumer data – either because they weren’t aware of previous regulations or because the sanctions were so minor that they didn’t care whether they adhered anyway. This led to companies collecting whatever they wanted, using it for whatever purposes they desired and selling it to the highest (or every) bidder. This is particularly true of social media organisations, whose core business model is to offer free services in exchange for your data. The GDPR is the first set of EU data regulations since the dot com boom. Look at how far technology has developed and become an integral part of our daily lives since then.

There will always be people trying to take advantage of loopholes and a lack of regulation, and it is important that these regulation updates keep up with the pace of technological evolution. Failure to do so puts consumers at risk. We have recently seen this with Cambridge Analytica and Facebook, with 87 million users’ social media data being obtained without their permission.

This has sparked wider concerns regarding how Facebook handles user data, with the tech giant coming under huge media scrutiny surrounding how it is dealing with the GDPR. When CEO Mark Zuckerberg was asked whether his company would promise the GDPR protections to its users worldwide, Zuckerberg demurred. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said.

It is understandable that the news of Facebook changing the terms & conditions of 1.5 billion users from Africa, Asia, Australia and Latin America so they are governed by Facebook Inc. instead of Facebook Ireland has been met with some criticism.

In practice, the change means the 1.5 billion affected users will not be able to file complaints with Ireland’s Data Protection Commissioner or in Irish courts. Instead they will be governed by more lenient U.S. privacy laws.

What does this mean for the future of data? Will other countries follow suit and implement similar legislation? One thing is for sure: through the GDPR, the EU is leading the way in protecting consumers and their personal data.

For most businesses, these regulations are no more than an administrative nightmare and a danger to current customer bases. Under the GDPR there is a much more stringent definition of “consent” and where companies rely on consent as the legal ground for processing data they now need to get positive “opt-in” consent. Companies can no longer use default consent or hide consent provisions in their terms and conditions. Companies also need to check how they previously obtained data from their customers, and if they used pre-ticked boxes or default consent of any kind then they will not be able to market to those customers without new positive “opt-in” consent from them.

It also means that companies must update their databases with procedures that allow access, transfer, and deletion of specific client details; document the company policy on collection and processing of client data and communicate this to all clients; and establish the legal grounds for processing personal data which may mean obtaining consent prior to acquiring or using any personal data.

Companies must also store and maintain their data in a way that conforms with the GDPR standards and implement security measures to protect databases from breaches.

The biggest impact the GDPR has had on our business is our clients’ concerns about sharing their data, but our GDPR-compliant team are quick to reassure them about how Miminal handles data securely.

Stage 1: Data Sharing & Handling

Even before the GDPR we were firm believers in security by design, and everything we build has data security designed into it as a priority. Miminal hosts its own secure cloud-based client file sharing platform, implementing 2-Factor Authentication and state-of-the-art encryption to keep our clients’ data private.

Stage 2: Working with Personal Data

Miminal insists that all personal data has been anonymised before working with it. The value in the data we analyse is in the trends and patterns we can recognise in it. The individual that the data relates to is of no importance to us and so before working with any form of personal data, we ensure that it is suitably anonymised in line with the GDPR regulations. This ensures our clients’ customers’ data is safe and the results will never be directly traceable back to them.

At Miminal, we believe data is most companies’ most valuable asset in today’s data-driven society. The security and confidentiality of our clients’ data is of utmost importance to us. And so, when we’re asked what changes we have had to make to conform to the new regulations, the answer is: very little beyond what we were already doing.

The GDPR has opened the public’s eyes to what is happening to their data behind the scenes of many organisations, and if Facebook’s recent $50 billion drop in market value is anything to go by, this is something not to be taken lightly. At Miminal we are glad the legislation is finally catching up with the pace of technology so that customers can start trusting companies with their data again.