By and large, the introduction of GDPR gives data subjects more control over the information they share online. For businesses, on the other hand, it means having to implement practices focused on strengthening data protection. In a corporate setting, who are the key stakeholders expected to embrace GDPR standards first?
Clearly, data scientists come second in the queue, right after the business owner, when it comes to considering the recent regulatory changes and enhancing organizational compliance. Given the complexity of GDPR and the amount of information that has to be processed to bring existing internal processes in line with its requirements, the shift toward greater compliance is likely to take considerable effort and time.
GDPR: key takeaways for data scientists
Having decoded this complicated document, we have summed up the essentials for associates who deal with data on a daily basis:
- To begin with, according to GDPR, any business dealing with personal data (collecting, storing or processing it) must obtain the client's consent for a data transaction to be legal. For a data scientist, this means that in addition to the actual record kept in the company's database, there will be another piece of information: the consent itself, which allows the business to manage the data in accordance with the purpose it declared and the user signed off on. Remember, if the reason for processing this data changes, a separate consent must be obtained as well.
- As briefly mentioned before, GDPR gives data subjects (whether EU residents or people who are simply there on holiday) an entirely new degree of control over, and access to, their personal information. For instance, anyone can ask a business that collects their data to delete the records if there are no legal grounds for storing or processing such information.
Beyond that, anyone can choose to opt out of ‘profiling’ systems under Article 22 of GDPR. You might be wondering what those are. Simply put, profiling is the automated processing of personal information for the purpose of assessing particular things about a person.
For instance, suppose a person had bad debt in the past and fell behind on loan repayments. Some time later, he wants to take another loan from a bank to finance his startup. Based on his credit history, the bank will know the profile of this borrower, and such details can affect the loan application positively or negatively.
Every data subject has rights that are clearly defined in GDPR. Among others, there is the right to rectification, under which a data subject can request that a data controller or processor alter his records.
Additionally, there is the right to object, under which, in particular circumstances, a data subject can withdraw from any automated decision making.
For data scientists, both rights bring extra work: they will either need to modify the records or forget about them altogether, since they will no longer be able to use that data when building machine learning models.
And remember: if your company receives an objection request (a verbal or written notice) from someone, businesses generally have no more than 30 days to address such a query.
It is also worth mentioning the broader impact of GDPR. For a data scientist, the concern extends to every record or database that might include someone's name, address, or any other kind of personal data that can be used to identify that person or narrow down a search within a category. More importantly, this applies to any data about an EU citizen, or a person located in the EU at a given moment, regardless of where the information is actually kept or processed.
Lastly, according to GDPR, every organization must inform data subjects of any data infringement within 72 hours. So if a data leak or hacker attack occurs, a data scientist needs to stay on top of the alert system. After all, violations of GDPR can result in significant penalties and heavy losses, reaching up to 4% of a business's global annual sales.
Are you ready?
To date, the lion's share of businesses has had difficulty interpreting GDPR and tailoring their operations to meet the compliance requirements. By now, you might be wondering which action steps and scenarios are available.
Option a) is to reconsider the existing practices and tweak them in accordance with GDPR. Option b), for those who lag behind significantly, is a comprehensive A-to-Z audit to conduct a gap analysis and build a system able to meet GDPR requirements and safeguard personal data accordingly.
The strangest thing of all is that, according to multiple surveys, about half of operating institutions have no idea that the regulation might affect their businesses. Therefore, they do not plan any action toward GDPR compliance.
It is said that SMBs, as well as pioneering startups, are the business categories with the least awareness and understanding of GDPR: busy with daily operations, such companies may be too tight on budget to run onboarding sessions for their employees.
Considering the demand for a more transparent and clear approach to handling user data, data scientists may require additional controls to safeguard data subjects' information. GDPR, as complicated as it may sound now, might serve as a prompt for global policymakers beyond the EU to reconsider their own regulation of personal data and move toward greater transparency with the user in mind.
If you would like to dive deeper into GDPR essentials and find out how you can stay compliant without losing any efficiency, you are welcome to join our WeControl GDPR Academy.